Description:

Ensure that your Amazon S3 buckets have the Object Lock feature enabled to prevent the objects they store from being deleted. AWS S3 Object Lock enables you to store your S3 objects in an immutable form, providing an additional layer of protection against object changes and deletion. The S3 Object Lock feature can also help you meet regulatory requirements.


Rationale:

Amazon S3 Object Lock is an Amazon S3 feature that allows you to store objects using a write once, read many (WORM) model. You can use WORM protection for scenarios where it is imperative that data is not changed or deleted after it has been written.

Impact:

Object Lock adds an extra layer of protection against object changes and deletion.


Default Value:

Object Lock is disabled by default on S3 buckets.

Pre-Requisites:

  1. Object Versioning should be enabled.

  2. (Optional) Configure a default retention period for objects placed in the bucket.

  3. Place the objects that you want to lock in the bucket.

  4. Apply a retention period, a legal hold, or both, to the objects that you want to protect.


Note:

Object Lock cannot be enabled after the creation of an S3 Bucket.

Test Plan:

  • Sign in to the AWS Management Console.

  • Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  • In the Buckets list, choose the name of the bucket that you want.

  • Select the Properties tab from the S3 dashboard top menu to view bucket properties.

  • In the Advanced settings section, check the Object Lock feature status. If the configuration status is set to Disabled, Object Lock is not enabled for the selected Amazon S3 bucket.




Using AWS CLI:

This returns the current Object Lock configuration of the bucket:

aws s3api get-object-lock-configuration \
    --bucket <value>
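The command above returns JSON when Object Lock is enabled and exits with an error when it is not, so an audit script has to handle both. The following added example (not part of the original control text) evaluates captured stdout/stderr from that call per bucket; the sample outputs are constructed to match the CLI's JSON shape and its ObjectLockConfigurationNotFoundError error, and the evaluate() function and its PASS/WARN/FAIL labels are this example's own naming.

```python
import json

# Constructed sample: Object Lock enabled with a COMPLIANCE default retention.
SAMPLE_ENABLED_COMPLIANCE = json.dumps({
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 50}},
    }
})
# Constructed sample: Object Lock enabled but no default retention rule.
SAMPLE_ENABLED_NO_RULE = json.dumps({
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}
})
# Constructed sample of the stderr text the CLI prints when Object Lock was never enabled.
SAMPLE_NOT_FOUND = (
    "An error occurred (ObjectLockConfigurationNotFoundError) when calling the "
    "GetObjectLockConfiguration operation: Object Lock configuration does not exist"
)


def evaluate(bucket, stdout, stderr=""):
    """Return a finding dict for one bucket from the CLI's stdout and stderr."""
    if "ObjectLockConfigurationNotFoundError" in stderr:
        return {"bucket": bucket, "status": "FAIL",
                "reason": "Object Lock is not enabled on this bucket"}
    if stderr.strip():
        # Any other error (access denied, no such bucket) is not a compliance result.
        return {"bucket": bucket, "status": "ERROR", "reason": stderr.strip()}
    cfg = json.loads(stdout).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return {"bucket": bucket, "status": "FAIL",
                "reason": "ObjectLockEnabled is not 'Enabled'"}
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Pre-requisite 4 of the control: without a default rule, objects are only
        # protected if a retention period or legal hold is applied to each one.
        return {"bucket": bucket, "status": "WARN",
                "reason": "Object Lock enabled but no default retention configured"}
    mode = retention.get("Mode")
    period = f"{retention['Days']} days" if "Days" in retention else f"{retention.get('Years')} years"
    if mode == "GOVERNANCE":
        # GOVERNANCE retention can be overridden by principals holding
        # s3:BypassGovernanceRetention; COMPLIANCE cannot be shortened by anyone.
        return {"bucket": bucket, "status": "WARN",
                "reason": f"default retention is GOVERNANCE for {period}"}
    return {"bucket": bucket, "status": "PASS",
            "reason": f"default retention is {mode} for {period}"}


if __name__ == "__main__":
    for name, out, err in [("bucket-a", SAMPLE_ENABLED_COMPLIANCE, ""),
                           ("bucket-b", SAMPLE_ENABLED_NO_RULE, ""),
                           ("bucket-c", "", SAMPLE_NOT_FOUND)]:
        print(evaluate(name, out, err))
```

In practice, run the CLI once per bucket name returned by `aws s3api list-buckets` and pass each call's stdout and stderr to evaluate().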


Implementation Steps:

  • Sign in to the AWS Management Console.

  • Go to the S3 service dashboard at https://console.aws.amazon.com/s3/.

  • Select the bucket on which you want to enable Object Lock.

  • Click on the Properties tab.

  • Go to Object Lock.

  • To enable Object Lock, you need to contact AWS customer support.

  • Clicking on customer support navigates to the next page.

  • It then navigates to the compliance report support page, where you need to fill in the necessary details.

  • Check the check box, click on Interest, and Submit.

  • It navigates to a confirmation page, and you will also receive a confirmation e-mail. Then follow the process suggested by AWS.

Using AWS CLI:

This changes the Object Lock status of the bucket from Disabled to Enabled and sets a default retention rule:

aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 50 }}}'

 

Back-out Plan:

  • Once Object Lock is enabled on a bucket, it cannot be disabled.


Using AWS CLI:

There is no CLI command that changes Object Lock from Enabled to Disabled. The S3 API accepts only "Enabled" as the value of ObjectLockEnabled, so a request such as the one below, which uses the non-existent key "ObjectLockDisabled", is rejected by the API:

aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockDisabled": "Disabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 50 }}}'


Reference:

How S3 Object Lock works - Amazon Simple Storage Service 

Configuring S3 Object Lock using the console - Amazon Simple Storage Service 

list-buckets — AWS CLI 1.22.80 Command Reference 

https://aws.amazon.com/blogs/storage/replicating-existing-objects-between-s3-buckets/