π AWS S3 Bucket Object Lock is not enabled π π’
- Contextual name: π Bucket Object Lock is not enabled π π’
- ID:
/ce/ca/aws/s3/bucket-object-lock - Located in: π AWS S3
Flagsβ
- π’ Policy with categories
- π Policy with internal.md
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
BEST_PRACTICE - Policy Category:
SECURITYRELIABILITY
Similar Policiesβ
- Cloud Conformity
- Internal
dec-x-b443805a
Similar Internal Rulesβ
| Rule | Policies | Flags |
|---|---|---|
| βοΈ dec-x-b443805a | 3 |
Logicβ
- π§ prod.logic.yaml π’
- π AWS S3 Bucket
- π AWS S3 Bucket - object.extracts.yaml
- π§ͺ test-data.json
Internal Notes π β
Internal notesβ
This is a best practice since there are cases when object lock shouldn't be enabled.
When Not to Use S3 Object Lockβ
- Dynamic Data: When your data requires frequent updates, modifications, or deletions, implementing S3 Object Lock may hinder operational agility and flexibility.
- Temporary Data: When dealing with transient or temporary data that doesn't require long-term retention or immutability, using S3 Object Lock may add unnecessary complexity and overhead.
- High Frequency Write Workloads: When your application necessitates high throughput or frequent write operations to S3 objects, S3 Object Lock may introduce performance limitations due to its immutable nature.
- Cost Considerations: When evaluating the cost implications, as enabling S3 Object Lock may incur additional charges for compliance features that might not be necessary for all types of data.
In summary, S3 Object Lock is best suited for scenarios where data integrity, immutability, and compliance are important. However, for dynamic or temporary data that requires frequent updates or doesn't have strict retention requirements, implementing S3 Object Lock may not be necessary and could potentially introduce operational complexities and additional costs.
Descriptionβ
Descriptionβ
Object Lock feature helps you ensure that your data remains unaltered and immutable for a specified retention period or indefinitely. It uses a write-once-read-many (WORM) model to store objects. You can use Object Lock to help meet regulatory requirements that require WORM storage, or to add another layer of protection against object changes or deletion.
Rationalβ
Best practices for using S3 Object Lockβ
- Consider using Governance mode if you want to protect objects from being deleted by most users during a pre-defined retention period, but at the same time want some users with special permissions to have the flexibility to alter the retention settings or delete the objects.
- Consider using Compliance mode if you never want any user, including the root user in your AWS account, to be able to delete the objects during a pre-defined retention period.
- You can use Legal Hold when you are not sure for how long you want your objects to stay immutable. This could be because you have an upcoming external audit of your data and want to keep objects immutable till the audit is complete. Alternatively, you may have an ongoing project utilizing a dataset that you want to keep immutable until the project is complete.
... see more
Remediationβ
Enable S3 Object Lock via AWS CLIβ
Before you lock any objects, you must enable S3 Versioning and Object Lock on a bucket. Afterward, you can set a retention period, a legal hold, or both.
Important Notesβ
- After you enable Object Lock on a bucket, you can't disable Object Lock or suspend versioning for that bucket.
- S3 buckets with Object Lock can't be used as destination buckets for server access logs.
Topicsβ
Enable Object Lock when creating a new S3 bucketβ
From Command Lineβ
aws s3api create-bucket --bucket {{your-bucket-name}} --object-lock-enabled-for-bucketReplace
{{your-bucket-name}}with a desired bucket name. The command activates versioning automatically.... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ Cloudaware Framework β πΌ Data Protection and Recovery | 10 | |||
| πΌ Cloudaware Framework β πΌ System Configuration | 24 | |||
| πΌ FedRAMP High Security Controls β πΌ AC-3 Access Enforcement (L)(M)(H) | 37 | 47 | ||
| πΌ FedRAMP Low Security Controls β πΌ AC-3 Access Enforcement (L)(M)(H) | 47 | |||
| πΌ FedRAMP Moderate Security Controls β πΌ AC-3 Access Enforcement (L)(M)(H) | 47 | |||
| πΌ NIST CSF v2.0 β πΌ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 58 | |||
| πΌ NIST CSF v2.0 β πΌ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 67 | |||
| πΌ NIST CSF v2.0 β πΌ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 40 | |||
| πΌ NIST SP 800-53 Revision 5 β πΌ AC-3 Access Enforcement | 15 | 4 | 17 |