Ensure that the Object Lock feature is enabled for your Amazon S3 buckets in order to prevent the objects they store from being deleted. Object Lock is an Amazon S3 feature that blocks object version deletion during a user-defined retention period, to enforce retention policies as an additional layer of data protection and/or for strict regulatory compliance. The feature provides two ways to manage object retention: retention periods and legal holds. A retention period specifies a fixed time frame during which an S3 object remains locked, meaning that it can't be overwritten or deleted. You can configure the retention period for the available retention modes in the rule settings, in your Trend Micro Cloud One™ – Conformity account. A legal hold implements the same protection as a retention period, but without an expiration date. Instead, a legal hold remains active until you explicitly remove it.
This rule can help you with the following compliance standards:
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Used in combination with object versioning, which protects S3 objects from being overwritten, Amazon S3 Object Lock enables you to store your S3 objects in an immutable form, providing an additional layer of protection against object changes and deletion. The S3 Object Lock feature can also help you meet regulatory requirements for data protection within your organization.
Audit
To determine if your Amazon S3 buckets are configured to use the Object Lock feature, perform the following operations:
Remediation / Resolution
Amazon S3 does not currently support enabling Object Lock after a bucket has been created; therefore, to enable the feature you have to re-create the bucket, place the S3 objects that you want to lock inside the bucket, and then apply a retention period, a legal hold, or both to the S3 objects that you want to protect. To re-create the S3 bucket and enable the Object Lock feature in order to prevent objects from being deleted and help ensure data integrity, perform the following operations:
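The audit and remediation steps above both revolve around the bucket's Object Lock configuration. The following script is an added example (not Conformity's own rule code): it classifies sample `aws s3api get-object-lock-configuration` responses the way the audit does, and builds the JSON document you would pass to `aws s3api put-object-lock-configuration` on a freshly created, lock-enabled bucket. Bucket names and responses are constructed; the WARN status for "enabled but no default retention" is an assumption added here.

```python
import json

# Constructed sample responses in the shape returned by
# `aws s3api get-object-lock-configuration --bucket <name>`. A bucket without
# Object Lock returns ObjectLockConfigurationNotFoundError instead; modelled as None.
SAMPLE_BUCKET_CONFIGS = {
    "audit-logs-archive": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}},
    "lock-enabled-no-default": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled"}},
    "legacy-assets": None,
}


def evaluate_object_lock(response):
    """Return (status, detail) for one bucket's Object Lock configuration.
    FAIL: Object Lock not enabled (rule violation).
    WARN: enabled, but no default retention rule, so objects are only
          protected if a retention period or legal hold is set per object.
    PASS: enabled with a bucket-level default retention rule."""
    if not response:
        return "FAIL", "Object Lock is not enabled (no configuration found)"
    cfg = response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return "FAIL", "Object Lock is not enabled"
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return "WARN", "Object Lock enabled but no default retention rule"
    unit = "Days" if "Days" in retention else "Years"
    return "PASS", f"default retention {retention['Mode']} for {retention[unit]} {unit.lower()}"


def audit(configs):
    """Evaluate every bucket; returns {bucket: (status, detail)}."""
    return {name: evaluate_object_lock(resp) for name, resp in configs.items()}


def default_retention_document(mode, *, days=None, years=None):
    """Build the --object-lock-configuration JSON for put-object-lock-configuration.
    Mode is GOVERNANCE or COMPLIANCE; exactly one of days/years must be given."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    period = {"Days": days} if days is not None else {"Years": years}
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, **period}}}


if __name__ == "__main__":
    for bucket, (status, detail) in audit(SAMPLE_BUCKET_CONFIGS).items():
        print(f"{status:4} {bucket}: {detail}")
    print(json.dumps(default_retention_document("COMPLIANCE", years=7), indent=2))
```

Save the printed document to a file and pass it with `--object-lock-configuration file://lock.json`; COMPLIANCE mode cannot be shortened or removed by any user once applied, so confirm the period before using it.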
References
- AWS Documentation
  - Amazon S3 Frequently Asked Questions
  - Protecting Data in Amazon S3
  - Introduction to Amazon S3 Object Lock
  - Amazon S3 Object Lock Overview
  - Managing Object Locks
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - list-buckets
    - get-object-lock-configuration
    - put-object-lock-configuration
    - create-bucket
- CloudFormation Documentation
  - AWS::S3::Bucket
- Terraform Documentation
  - AWS Provider