
S3 Object Lock

Security
Risk level: Low (generally tolerable level of risk)
Rule ID: S3-023

Ensure that your Amazon S3 buckets have the Object Lock feature enabled in order to prevent the objects they store from being deleted. Object Lock is an Amazon S3 feature that blocks the deletion and overwriting of object versions during a user-defined retention period, to enforce retention policies as an additional layer of data protection and/or for strict regulatory compliance. The feature provides two ways to manage object retention: retention periods and legal holds. A retention period specifies a fixed time frame during which an S3 object version remains locked, meaning that it can't be overwritten or deleted. You can configure the retention period for the available retention modes in the rule settings, on your Cloud Conformity account dashboard. A legal hold implements the same protection as a retention period, but without an expiration date. Instead, a legal hold remains active until a principal with the s3:PutObjectLegalHold permission explicitly removes it.


This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Object Lock works only on versioned buckets (turning Object Lock on for a bucket also turns versioning on). In a versioned bucket a write to an existing key creates a new version rather than replacing the old one, and the lock pins each protected version so that it cannot be deleted or replaced until its retention period expires or its legal hold is removed. Used this way, Amazon S3 Object Lock lets you store S3 objects in an immutable, write-once-read-many form, providing an additional layer of protection against accidental or malicious deletion, for example an attacker with stolen credentials wiping backups or audit logs before their retention period is over. The S3 Object Lock feature can also help you meet regulatory requirements within your organization when it comes to data retention.

Audit

To determine if your Amazon S3 buckets are using the Object Lock feature, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the S3 dashboard top menu to view bucket properties.

05 In the Advanced settings section, check the Object Lock feature status. If the configuration status is set to Disabled, Object Lock is not enabled for the selected Amazon S3 bucket.

06 Repeat steps no. 3 – 5 to verify the Object Lock feature status for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cc-project5-logs",
    "cc-project5-media"
]

03 Run get-object-lock-configuration command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to examine as the identifier and custom query filters to return the Object Lock status for the selected bucket:

aws s3api get-object-lock-configuration \
	--bucket cc-project5-logs \
	--query 'ObjectLockConfiguration.ObjectLockEnabled'

04 The command output should return "Enabled" (the value of ObjectLockEnabled) if Object Lock is turned on for the bucket, or the ObjectLockConfigurationNotFoundError error message if there is no Object Lock configuration defined for the specified S3 bucket:

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

If the get-object-lock-configuration command returns the ObjectLockConfigurationNotFoundError error message, as shown in the output example above, the Object Lock feature is not enabled for the selected Amazon S3 bucket. Any other error (for example AccessDenied) means the bucket could not be checked and must not be recorded as compliant.

05 Repeat step no. 3 and 4 to determine Object Lock configuration for other S3 buckets available in your AWS account.
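The two commands above check one bucket at a time and leave it to the reader to tell a missing configuration apart from a failed call. The following script, added here as an example and not part of the original page, walks every bucket in the account and prints one status line per bucket, treating ObjectLockConfigurationNotFoundError as "Disabled" and any other error (for example AccessDenied) as "could not check", so that an unreadable bucket is never mistaken for a compliant one. It assumes the AWS CLI is installed and credentials are configured; the bucket names used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page): audit every S3 bucket in the
# account for Object Lock in one pass. Assumes the AWS CLI is installed and
# credentials are configured. Run as:  sh audit-object-lock.sh run

# object_lock_status BUCKET
# Prints "Enabled" or "Disabled" and returns 0. For any other API failure
# (AccessDenied, a bucket owned by another account, a typo in the name) prints
# "Error: <message>" and returns 1, so "not configured" and "could not check"
# are never confused.
object_lock_status() {
    bucket=$1
    rc=0
    # stderr is merged into the capture because the CLI reports API errors there
    out=$(aws s3api get-object-lock-configuration --bucket "$bucket" \
              --query 'ObjectLockConfiguration.ObjectLockEnabled' \
              --output text 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        # a bucket with Object Lock turned on always answers "Enabled" here
        printf '%s\n' "$out"
        return 0
    fi
    case $out in
        *ObjectLockConfigurationNotFoundError*)
            printf 'Disabled\n'
            return 0 ;;
        *)
            printf 'Error: %s\n' "$out"
            return 1 ;;
    esac
}

# audit_all_buckets
# Prints "<bucket> <status>" per bucket. Returns 1 if any bucket is Disabled
# or could not be checked, so the script can fail a pipeline stage.
audit_all_buckets() {
    findings=0
    # text output lists the names tab-separated on one line; bucket names
    # cannot contain whitespace, so splitting on it is safe
    buckets=$(aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n')
    for b in $buckets; do
        if status=$(object_lock_status "$b"); then
            [ "$status" = "Disabled" ] && findings=$((findings + 1))
        else
            findings=$((findings + 1))
        fi
        printf '%s %s\n' "$b" "$status"
    done
    [ "$findings" -eq 0 ]
}

# Only call the API when explicitly asked, so the functions can be sourced
# (or exercised with a stand-in `aws`) without touching the account.
if [ "${1:-}" = "run" ]; then
    audit_all_buckets
fi
```

Because the script exits non-zero on any Disabled or unreadable bucket, it can be dropped into a scheduled job or CI stage as a cheap guard; the per-bucket lines give the reviewer the evidence without re-running the calls.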

Remediation / Resolution

When this rule was published, Amazon S3 did not support enabling Object Lock after a bucket had been created (AWS has since added the ability to enable it on existing buckets that have versioning turned on). The procedure below therefore re-creates the bucket with Object Lock enabled, moves the S3 objects that you want to lock into it, and then applies a retention period, a legal hold, or both, to the objects that you want to protect. Note that a default retention rule applies only to object versions written after the rule is in place; objects already stored in a bucket are not locked retroactively. To re-create the S3 bucket and enable the Object Lock feature in order to prevent objects from being deleted and help ensure data integrity, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click + Create bucket button to start the setup process.

04 Within Create bucket dialog box, perform the following:

  1. For step 1: Name and region:
    • Provide a unique name for the new bucket in the Bucket name box.
    • From Region dropdown box, select the AWS region where the new S3 bucket will be created.
    • From Copy settings from an existing bucket dropdown list, select the name of the S3 bucket that you want to re-create.
    • Click Next to continue the process.
  2. For step 2: Configure options:
    • Under Versioning, select Keep all versions of an object in the same bucket checkbox to enable S3 versioning for the bucket. S3 Object Lock requires S3 object versioning.
    • Click the Advanced settings tab to show the advanced configuration settings.
    • Under Object lock, select Permanently allow objects in this bucket to be locked checkbox to enable S3 Object Lock feature for the new bucket.
    • Click Next.
  3. For step 3: Set permissions, set any required permissions or leave the settings unchanged to reflect the source bucket permissions configuration. Click Next to continue.
  4. For step 4: Review, verify the resource configuration details, then click Create bucket to create the new S3 bucket.

05 Click on the name of the S3 bucket created at the previous step.

06 Select the Properties tab from the S3 dashboard top menu to view bucket properties.

07 In the Advanced settings section, click on the Object Lock box to access the feature configuration panel, where you can define the automatic settings for the objects that are uploaded without object lock configuration.

08 Inside Object Lock box, select one of the following retention modes. These retention modes apply different levels of protection to the objects within the selected bucket:

  1. Select Enable governance mode so that users cannot overwrite or delete an S3 object version or alter its lock settings unless they hold the s3:BypassGovernanceRetention permission (the root user, which holds every permission, is not blocked). Even a principal with that permission must explicitly request the bypass (the x-amz-bypass-governance-retention request header, --bypass-governance-retention in the AWS CLI) for the operation to succeed, so an ordinary delete request still fails. Governance mode therefore protects objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if required. In the Retention period box, enter the number of days required to protect an object version. Click Save to apply the changes.
  2. Select Enable compliance mode so that a protected object version cannot be overwritten or deleted by any user, including the root user of the AWS account. Once an S3 object version is locked in compliance mode, its retention mode cannot be changed and its retention period cannot be shortened; the lock goes away only when the period expires. This retention mode ensures that an object version can't be overwritten or deleted for the duration of the retention period, specified in the Retention period box. Because a compliance lock cannot be undone, validate the retention period on a test bucket before applying it to production data. Click Save to apply the changes.

09 Now you can transfer the necessary S3 objects from the source bucket, the one with Object Lock feature disabled, to the destination bucket, the one that has Object Lock enabled.

10 Repeat steps no. 3 – 9 to enable and configure Amazon S3 Object Lock for other S3 buckets available within your AWS account.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to (re)create the required Amazon S3 bucket and enable the S3 Object Lock feature for all the objects uploaded to this bucket, by using the --object-lock-enabled-for-bucket command parameter. This parameter also turns on versioning, which Object Lock requires. For any region other than us-east-1, add --create-bucket-configuration LocationConstraint=<region> to the command:

aws s3api create-bucket \
	--bucket cc-project5-protected-logs \
	--region us-east-1 \
	--acl private \
	--object-lock-enabled-for-bucket

02 The command output should return the location of the new Amazon S3 bucket:

{
    "Location": "/cc-project5-protected-logs"
}

03 Define the Object Lock feature configuration parameters by specifying the default retention mode and retention period for the new S3 bucket. The following example enables Governance retention mode for 90 days. Governance mode ensures that users cannot overwrite or delete an S3 object version or alter its lock settings unless they hold the s3:BypassGovernanceRetention permission and explicitly request the bypass with the --bypass-governance-retention parameter; it protects objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if required. Use "COMPLIANCE" as the Mode instead if no user, including the root user, may shorten or remove the lock before it expires. Save these configuration parameters to a JSON file named object-lock-config.json:

{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "GOVERNANCE",
      "Days": 90
    }
  }
}

04 Run put-object-lock-configuration command (OSX/Linux/UNIX) using the configuration parameters defined at the previous step (i.e. object-lock-config.json) to apply your S3 Object Lock configuration to the newly created bucket (the command does not produce an output):

aws s3api put-object-lock-configuration \
	--bucket cc-project5-protected-logs \
	--object-lock-configuration file://object-lock-config.json

05 Transfer the necessary S3 objects from the source bucket, the one with the Object Lock feature disabled, to the destination bucket created at the previous steps, the one with S3 Object Lock enabled. The default retention rule is applied to each object version at the time it is written, so copy the objects only after step 4 has completed, and confirm the result with head-object: for a locked object the ObjectLockMode and ObjectLockRetainUntilDate fields are populated.

06 Repeat steps no. 1 – 5 to enable and configure Amazon S3 Object Lock for other S3 buckets available in your AWS account.
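The CLI steps above create the bucket and apply the rule but never confirm that the copied objects are actually locked. The script below, added here as an example and not part of the original page, strings the steps together and finishes with that check: it builds the retention configuration from validated parameters, creates the bucket (adding the LocationConstraint that create-bucket needs outside us-east-1), applies the rule, copies the data with aws s3 sync and then asks head-object for the ObjectLockMode and ObjectLockRetainUntilDate of every copied key. A key that reports None for both was written before the rule existed or never received a lock. It assumes the AWS CLI is installed with credentials that allow bucket creation and s3:PutBucketObjectLockConfiguration; the bucket, key and region names, and the function names, are constructed for the example. Try it with GOVERNANCE and a short period first: a COMPLIANCE lock cannot be shortened or removed by anyone until it expires.

```shell
#!/bin/sh
# Added example (not part of the original page): re-create a bucket with Object
# Lock, apply a default retention rule, copy the data and verify every copied
# object really carries the lock. Assumes the AWS CLI and working credentials.
# Run as:  sh migrate-locked.sh run SRC_BUCKET DST_BUCKET REGION MODE DAYS

# lock_config_json MODE DAYS
# Prints the put-object-lock-configuration document. Only GOVERNANCE or
# COMPLIANCE and a positive integer number of days are accepted, so a typo
# cannot silently produce a bucket with no default retention.
lock_config_json() {
    mode=$1
    days=$2
    case $mode in
        GOVERNANCE|COMPLIANCE) ;;
        *) printf 'mode must be GOVERNANCE or COMPLIANCE, got "%s"\n' "$mode" >&2; return 1 ;;
    esac
    case $days in
        ''|*[!0-9]*|0) printf 'days must be a positive integer, got "%s"\n' "$days" >&2; return 1 ;;
    esac
    printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","Days":%s}}}\n' \
        "$mode" "$days"
}

# verify_object_lock BUCKET KEY EXPECTED_MODE
# head-object returns the lock metadata of the current version. Prints
# "<mode> <retain-until>" and returns 0 when the mode matches EXPECTED_MODE.
# An unlocked object prints "None None" and returns 1.
verify_object_lock() {
    bucket=$1
    key=$2
    expected=$3
    got=$(aws s3api head-object --bucket "$bucket" --key "$key" \
              --query '[ObjectLockMode,ObjectLockRetainUntilDate]' --output text) || return 1
    set -- $got            # text output is tab-separated: mode, retain-until
    printf '%s %s\n' "$1" "$2"
    [ "$1" = "$expected" ]
}

# verify_bucket_locks BUCKET EXPECTED_MODE
# Checks every key in BUCKET; prints one line per key and returns 1 if any
# key is not locked in the expected mode.
verify_bucket_locks() {
    bucket=$1
    expected=$2
    failed=0
    keys=$(aws s3api list-objects-v2 --bucket "$bucket" --query 'Contents[].Key' \
               --output text | tr '\t' '\n')
    # read -r with IFS= keeps keys containing spaces or backslashes intact; the
    # here-document keeps the loop in the current shell so $failed survives it
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if verify_object_lock "$bucket" "$key" "$expected" >/dev/null; then
            printf 'locked: %s\n' "$key"
        else
            printf 'NOT LOCKED: %s\n' "$key"
            failed=$((failed + 1))
        fi
    done <<EOF
$keys
EOF
    [ "$failed" -eq 0 ]
}

# migrate_to_locked_bucket SRC DST REGION MODE DAYS
migrate_to_locked_bucket() {
    src=$1; dst=$2; region=$3; mode=$4; days=$5
    cfg=$(lock_config_json "$mode" "$days") || return 1
    # --object-lock-enabled-for-bucket also turns on versioning, which Object
    # Lock requires; every region except us-east-1 needs a LocationConstraint
    if [ "$region" = "us-east-1" ]; then
        aws s3api create-bucket --bucket "$dst" --region "$region" \
            --object-lock-enabled-for-bucket >/dev/null
    else
        aws s3api create-bucket --bucket "$dst" --region "$region" \
            --object-lock-enabled-for-bucket \
            --create-bucket-configuration "LocationConstraint=$region" >/dev/null
    fi
    aws s3api put-object-lock-configuration --bucket "$dst" \
        --object-lock-configuration "$cfg"
    # The default rule applies only to versions written from now on, which is
    # why the copy happens after the rule is in place.
    aws s3 sync "s3://$src" "s3://$dst"
    verify_bucket_locks "$dst" "$mode"
}

if [ "${1:-}" = "run" ]; then
    migrate_to_locked_bucket "$2" "$3" "$4" "$5" "$6"
fi
```

The verification step is the part worth keeping even if the rest is done by hand: an object that was uploaded before put-object-lock-configuration ran, or that was copied with a tool that wrote to the bucket before the rule existed, sits unprotected next to locked ones and only head-object tells them apart.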


Publication date Feb 13, 2019
