Ensure that the S3 buckets associated with your Amazon CloudTrail trails are configured to use the Object Lock feature in order to prevent the objects they store (i.e. trail log files) from being deleted and to meet regulatory compliance requirements. Object Lock is an Amazon S3 feature that blocks object version deletion during a user-defined retention period by enforcing retention policies as an additional layer of data protection. The feature provides two retention modes, which apply different levels of protection to your S3 objects:
- Governance mode – this mode enables you to protect your S3 objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if it's really required.
- Compliance mode – in this mode, a protected object version can't be overwritten or deleted by any user, including the AWS root user. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be reduced. Compliance mode ensures that an object version can't be overwritten or deleted for the duration of the configured retention period.
Using target S3 buckets with Object Lock for your Amazon CloudTrail trails helps ensure log data integrity, because the log files stored within these buckets can't be accidentally or intentionally deleted. The S3 Object Lock feature can also help you meet regulatory requirements within your organization when it comes to data protection.
Audit
To determine if the S3 buckets associated with your CloudTrail trails are using the Object Lock feature, perform the following actions:
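One way to script this check, as an added example that is not part of the original page: it wraps the AWS CLI commands `cloudtrail describe-trails` and `s3api get-object-lock-configuration` and classifies each trail's target bucket. The status labels, function names and the sample trail and bucket names are assumptions made for illustration.

```python
import json
import subprocess

def run_aws(*args):
    """Run an AWS CLI command with JSON output and return the completed process."""
    return subprocess.run(["aws", *args, "--output", "json"],
                          capture_output=True, text=True)

def live_trails():
    """Trails visible in the current region, via `aws cloudtrail describe-trails`."""
    proc = run_aws("cloudtrail", "describe-trails")
    proc.check_returncode()
    return json.loads(proc.stdout)["trailList"]

def live_lock_config(bucket):
    """ObjectLockConfiguration of a bucket, or None when the bucket has none."""
    proc = run_aws("s3api", "get-object-lock-configuration", "--bucket", bucket)
    if proc.returncode == 0:
        return json.loads(proc.stdout).get("ObjectLockConfiguration")
    if "ObjectLockConfigurationNotFoundError" in proc.stderr:
        return None
    # AccessDenied, NoSuchBucket, etc. must not be reported as "not locked".
    raise RuntimeError(f"{bucket}: {proc.stderr.strip()}")

def audit_trails(trails, get_lock_config=live_lock_config):
    """Return (trail, bucket, status) for every trail's target bucket."""
    findings = []
    for trail in trails:
        bucket = trail["S3BucketName"]
        cfg = get_lock_config(bucket) or {}
        retention = cfg.get("Rule", {}).get("DefaultRetention", {})
        if cfg.get("ObjectLockEnabled") != "Enabled":
            status = "NO_OBJECT_LOCK"
        elif "Mode" not in retention:
            # Lock is on, but new log files get no retention automatically.
            status = "NO_DEFAULT_RETENTION"
        else:
            status = retention["Mode"]  # GOVERNANCE or COMPLIANCE
        findings.append((trail["Name"], bucket, status))
    return findings

# Constructed sample data (hypothetical trail and bucket names).
SAMPLE_TRAILS = [{"Name": "org-trail", "S3BucketName": "logs-locked"},
                 {"Name": "dev-trail", "S3BucketName": "logs-plain"},
                 {"Name": "qa-trail", "S3BucketName": "logs-norule"}]
SAMPLE_LOCKS = {"logs-locked": {"ObjectLockEnabled": "Enabled", "Rule": {
                    "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}},
                "logs-norule": {"ObjectLockEnabled": "Enabled"}}

if __name__ == "__main__":
    for row in audit_trails(SAMPLE_TRAILS, SAMPLE_LOCKS.get):
        print(*row)
```

With AWS CLI credentials configured, `audit_trails(live_trails())` runs the same classification against a real account; a bucket reported as `NO_DEFAULT_RETENTION` has Object Lock enabled but no default retention rule.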
Remediation / Resolution
Amazon S3 does not currently support enabling Object Lock after a bucket has been created; therefore, to enable the feature you have to re-create the bucket that you want to protect. To re-create the S3 bucket associated with your Amazon CloudTrail trail and enable the Object Lock feature in order to help ensure trail data integrity, perform the following actions:
You are auditing:
Enable Object Lock for CloudTrail S3 Buckets
Risk Level: Medium