Ensure that your Amazon S3 buckets have the Object Lock feature enabled in order to prevent the objects they store from being deleted. Object Lock is an Amazon S3 feature that blocks object version deletion during a user-defined retention period, enforcing retention policies as an additional layer of data protection and/or for strict regulatory compliance. The feature provides two ways to manage object retention: retention periods and legal holds. A retention period specifies a fixed time frame during which an S3 object remains locked, meaning that it can't be overwritten or deleted. You can configure the retention period for the available retention modes in the rule settings, on your Cloud Conformity account dashboard. A legal hold implements the same protection as a retention period, but without an expiration date. Instead, a legal hold remains active until you explicitly remove it.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Used in combination with versioning, which protects objects from being overwritten, AWS S3 Object Lock enables you to store your S3 objects in an immutable form, providing an additional layer of protection against object changes and deletion. The S3 Object Lock feature can also help you meet regulatory requirements within your organization when it comes to data protection.
Audit
To determine if your Amazon S3 buckets are using the Object Lock feature, perform the following actions:
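One way to script this audit against the S3 API is sketched below. It is an added example, not part of the original rule page or the Cloud Conformity tool; it assumes boto3 and credentials permitted to list buckets and read their Object Lock configuration, and the function names are illustrative.

```python
"""Audit S3 buckets for Object Lock (added example; boto3 and credentials assumed)."""

# Error code S3 returns when a bucket has no Object Lock configuration.
NOT_CONFIGURED = "ObjectLockConfigurationNotFoundError"


def object_lock_status(s3, bucket):
    """Return a dict describing the Object Lock state of one bucket.

    `s3` is any object exposing the boto3 S3 client method
    get_object_lock_configuration(Bucket=...).
    """
    try:
        resp = s3.get_object_lock_configuration(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries a .response dict
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == NOT_CONFIGURED:
            return {"bucket": bucket, "enabled": False, "default_retention": None}
        raise  # e.g. AccessDenied must not be reported as "not enabled"
    cfg = resp.get("ObjectLockConfiguration", {})
    return {
        "bucket": bucket,
        "enabled": cfg.get("ObjectLockEnabled") == "Enabled",
        # None means no bucket default: objects are protected only if a
        # retention period or legal hold is applied to them individually.
        "default_retention": cfg.get("Rule", {}).get("DefaultRetention"),
    }


def audit(s3):
    """Check every bucket visible to the caller; return non-compliant names."""
    names = [b["Name"] for b in s3.list_buckets().get("Buckets", [])]
    results = [object_lock_status(s3, name) for name in names]
    return sorted(r["bucket"] for r in results if not r["enabled"])


if __name__ == "__main__":
    import boto3  # imported here so the functions above can be tested offline

    for name in audit(boto3.client("s3")):
        print(f"Object Lock NOT enabled: {name}")
```

A bucket that reports Object Lock as enabled but has no default retention still relies on retention periods or legal holds being set on each object.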
Remediation / Resolution
Amazon S3 does not currently support enabling Object Lock after a bucket has been created. To enable the feature, you have to re-create the bucket, place the S3 objects that you want to lock inside it, then apply a retention period, a legal hold, or both, to the S3 objects that you want to protect. To re-create the S3 bucket and enable the Object Lock feature in order to prevent objects from being deleted and help ensure data integrity, perform the following actions:
You are auditing:
S3 Object Lock
Risk level: Low