Profile Applicability:

  • Level 2

Description:
Amazon S3 Object Lock is a feature that prevents objects in an S3 bucket from being deleted or modified for a specified retention period. This feature is typically used for data retention and compliance purposes, such as preventing the deletion of financial or legal records. Enabling Object Lock on an S3 bucket ensures that data cannot be tampered with, offering protection against accidental or malicious deletions. This setting can be configured with either governance mode (which allows certain users to remove the lock) or compliance mode (which prevents all users from removing the lock until the retention period expires).

Rationale:
Enabling S3 Object Lock is crucial for protecting critical data against unauthorized modification or deletion, ensuring compliance with industry regulations such as SEC Rule 17a-4(f), FINRA, and HIPAA. It provides an additional layer of security by making objects immutable during the retention period, which is essential for scenarios requiring legal hold or data protection against deletion.

Impact:

Pros:

  • Protects objects from accidental or malicious deletion or modification.

  • Helps meet regulatory and compliance requirements for data retention.

  • Provides enhanced data integrity by ensuring data immutability for a defined period.

  • Enables easy implementation of legal holds on specific objects.

Cons:

  • Once enabled, it may be difficult to delete or modify objects, even by administrators, until the retention period expires (especially in compliance mode).

  • Can increase operational complexity, particularly when managing data that needs to be updated or deleted after the retention period.

Default Value:
By default, Object Lock is not enabled for new S3 buckets. This feature must be explicitly enabled at the bucket level during creation or configuration.

Pre-requisites:

  • AWS IAM permissions to manage Object Lock settings:

    s3:PutBucketObjectLockConfiguration
    s3:GetBucketObjectLockConfiguration

  • S3 Versioning must be enabled on the bucket to use Object Lock.

  • Access to the S3 bucket configuration to review or enable Object Lock.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. Select the S3 bucket you want to check for Object Lock.

  4. Under the Properties tab, scroll down to the Object Lock section.

  5. Check if Object Lock is enabled. The status should indicate whether it's in Governance Mode or Compliance Mode.

  6. If Object Lock is not enabled, click Edit, enable Object Lock, and choose the appropriate retention settings (Governance or Compliance mode).

  7. Save the changes and verify that the Object Lock settings are applied.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name"

  2. For each bucket, check if Object Lock is enabled:

    aws s3api get-object-lock-configuration --bucket <BUCKET_NAME>

  3. The output should show whether Object Lock is enabled and which mode is used (Governance or Compliance). If Object Lock has never been enabled on the bucket, the command fails with an ObjectLockConfigurationNotFoundError instead of returning a configuration.

  4. If Object Lock is not enabled, enable it by running:

    aws s3api put-object-lock-configuration --bucket <BUCKET_NAME> --object-lock-configuration \
    "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=30}}"

     This command enables Object Lock with a 30-day default retention in Governance Mode. Adjust the parameters as needed for Compliance Mode or a different retention period.

  5. Verify the updated Object Lock configuration:

    aws s3api get-object-lock-configuration --bucket <BUCKET_NAME>
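The per-bucket check above, automated as an added example that is not part of the benchmark text: it evaluates the JSON that aws s3api get-object-lock-configuration prints for each bucket (hand-constructed samples here, no AWS call) and flags buckets with no lock, no default retention rule, or a default retention below a policy minimum.

```python
"""Assess S3 Object Lock settings from `aws s3api get-object-lock-configuration`
output against a minimum-retention policy (Test Plan CLI steps 2-3). Added
example, not benchmark text; no AWS call is made, samples are hand-constructed."""
import json

# Constructed CLI outputs keyed by bucket name. The last entry mimics the error
# the CLI prints when Object Lock was never enabled on the bucket.
SAMPLE_OUTPUTS = {
    "finance-records": json.dumps({"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}),
    "app-logs": json.dumps({"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}),
    "lock-no-rule": json.dumps({"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled"}}),
    "scratch": "An error occurred (ObjectLockConfigurationNotFoundError) when "
               "calling the GetObjectLockConfiguration operation",
}

def retention_days(default_retention):
    """Normalise a DefaultRetention block to days; S3 sets Days or Years."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    return int(default_retention["Years"]) * 365

def assess(output, min_days=30, require_compliance=False):
    """Return ("PASS"|"FAIL", findings) for one bucket's CLI output."""
    if "ObjectLockConfigurationNotFoundError" in output:
        return "FAIL", ["Object Lock is not enabled on the bucket"]
    cfg = json.loads(output)["ObjectLockConfiguration"]
    findings = []
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("ObjectLockEnabled is not Enabled")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if rule is None:
        findings.append("no default retention: uploads without explicit "
                        "retention are not locked")
    else:
        if require_compliance and rule.get("Mode") != "COMPLIANCE":
            findings.append("GOVERNANCE mode: privileged users can shorten it")
        if retention_days(rule) < min_days:
            findings.append(f"retention {retention_days(rule)}d below {min_days}d")
    return ("FAIL" if findings else "PASS"), findings

if __name__ == "__main__":
    for bucket, output in SAMPLE_OUTPUTS.items():
        status, why = assess(output, min_days=30)
        print(f"{status:4} {bucket:16} {'; '.join(why)}")
```

To run it against a real account, pipe each bucket's get-object-lock-configuration output (stdout, or stderr for the not-found error) into assess() with the retention minimum your retention policy requires.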

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and select the desired bucket.

  2. Under the Properties tab, find the Object Lock section.

  3. Enable Object Lock and choose the desired Retention Mode (Governance or Compliance).

  4. Define the Default Retention Period (in days or years) according to your data retention policies.

  5. Save the configuration to apply Object Lock settings.

Using AWS CLI:

  1. To enable Object Lock with a 30-day retention period in Governance Mode, use:

    aws s3api put-object-lock-configuration --bucket <BUCKET_NAME> --object-lock-configuration \
    "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=30}}"

     If you need Compliance Mode, replace GOVERNANCE with COMPLIANCE in the above command.

  2. Verify the Object Lock settings:

    aws s3api get-object-lock-configuration --bucket <BUCKET_NAME>

Backout Plan:

Using AWS Console:

  1. If enabling Object Lock causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3, select the bucket, and go to the Properties tab.

  3. In the Object Lock section, adjust the Retention Mode and Retention Period, or remove the default retention rule. Note that Object Lock itself cannot be disabled once it has been enabled on a bucket; only the default retention settings can be changed, and object versions that are already locked keep their retention until it expires.

  4. Save the changes and monitor the bucket to ensure the correct settings are applied.

Using AWS CLI:

  1. To remove the default retention rule or adjust the settings, run the following. Object Lock itself cannot be disabled once enabled, so ObjectLockEnabled stays set to Enabled; omitting the Rule removes the default retention for new uploads:

    aws s3api put-object-lock-configuration --bucket <BUCKET_NAME> --object-lock-configuration '{
      "ObjectLockEnabled": "Enabled"
    }'

  2. Verify the changes:

    aws s3api get-object-lock-configuration --bucket <BUCKET_NAME>

Reference:

CIS Controls:

Version   Control ID   Control Description
7.1       3.1          Enable S3 Object Lock to ensure the retention and immutability of critical data for compliance and security purposes.
7.1       8.1          Configure S3 buckets with Object Lock to prevent the deletion or modification of critical data for specified retention periods.