This rule ensures that S3 bucket object lock is enabled for enhanced security measures.
Rule | S3 bucket object lock should be enabled
Framework | GxP 21 CFR Part 11
Severity | Medium
Rule Description: S3 Bucket Object Lock for GxP 21 CFR Part 11
To ensure compliance with GxP (Good Practice) regulations, specifically 21 CFR Part 11, it is necessary to enable object lock for your S3 bucket. This rule ensures that objects stored in the bucket cannot be modified or deleted during a specific retention period, rendering them immutable. By enabling object lock, you can meet the regulatory requirements for data integrity and secure data storage.
Troubleshooting Steps:
If you encounter any issues while enabling object lock, follow these troubleshooting steps:
Permission Issues: Check if you have the necessary permissions to enable object lock within the S3 bucket. Ensure that you have the required IAM permissions to modify the bucket's configuration and enable object lock.
Versioning Disabled: Object lock requires versioning to be enabled for the bucket. Ensure that versioning is enabled for the bucket where you are trying to enable object lock. If it is not enabled, enable versioning first before attempting to enable object lock.
S3 Glacier or Glacier Deep Archive Storage Class: Object lock cannot be enabled for S3 objects stored in the Glacier or Glacier Deep Archive storage classes. Check your storage class and consider moving the objects to a compatible storage class, such as S3 Standard or S3 Intelligent-Tiering, if you need to enable object lock.
Incompatible Bucket Configuration: Certain bucket configurations, such as having a requester pays bucket or cross-region replication, can prevent object lock from being enabled. Review your bucket configuration and remove any conflicting settings before attempting to enable object lock.
Necessary Codes:
In most cases, enabling S3 bucket object lock can be done through the AWS Management Console. If you prefer the AWS Command Line Interface (CLI), run the following command:
aws s3api put-object-lock-configuration --bucket <bucket-name> --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}'
Replace <bucket-name> with the actual name of your S3 bucket.
Step-by-Step Guide for Enablement (Console):
Log in to the AWS Management Console.
Navigate to the S3 service.
Select the desired bucket to enable object lock.
Click on the "Properties" tab.
Under the "Object lock" section, click on the "Edit" button.
In the "Object lock configuration" dialog, choose "Enable" for Object lock.
Set any retention period as per your regulatory requirements. Specify either "Governance" or "Compliance" mode based on your needs.
Click on "Save changes" to enable object lock.
After following these steps, your S3 bucket will have object lock enabled, ensuring compliance with GxP 21 CFR Part 11 regulations.
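As an added example (not part of the original rule page), the following Python checker evaluates this rule offline against the response shapes returned by s3api get-bucket-versioning and get-object-lock-configuration; the bucket names and responses are constructed samples, and the alarm/info/ok status labels are this example's own convention.

```python
# Added example: evaluates "S3 bucket object lock should be enabled" against
# constructed sample responses. No AWS calls are made.

def describe_retention(retention):
    """Render a DefaultRetention block such as {'Mode': 'COMPLIANCE', 'Years': 7}."""
    if "Years" in retention:
        return f"{retention['Years']} year(s)"
    if "Days" in retention:
        return f"{retention['Days']} day(s)"
    return "unspecified period"


def evaluate_bucket(name, versioning, object_lock):
    """Return (status, reason). Statuses 'alarm'/'info'/'ok' are this example's labels.

    versioning: dict shaped like get-bucket-versioning output ({} if never enabled)
    object_lock: dict shaped like get-object-lock-configuration output, or None when
                 the call raised ObjectLockConfigurationNotFoundError
    """
    if versioning.get("Status") != "Enabled":
        return "alarm", f"{name}: versioning is not enabled (object lock requires it)"
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return "alarm", f"{name}: object lock is not enabled"
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return "info", f"{name}: object lock enabled, but no default retention rule"
    period = describe_retention(retention)
    if retention.get("Mode") == "GOVERNANCE":
        # Governance mode can be bypassed by principals holding s3:BypassGovernanceRetention,
        # so it is weaker than Compliance mode for regulatory immutability.
        return "info", f"{name}: GOVERNANCE mode for {period}; retention is bypassable"
    return "ok", f"{name}: COMPLIANCE mode for {period}"


def run_checks(buckets):
    """Map bucket name -> status for a {name: {'versioning': ..., 'object_lock': ...}} dict."""
    return {name: evaluate_bucket(name, b["versioning"], b["object_lock"])[0]
            for name, b in buckets.items()}


# Constructed sample data mirroring the AWS response shapes; these are not real buckets.
SAMPLE_BUCKETS = {
    "gxp-audit-trail": {"versioning": {"Status": "Enabled"},
                        "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}},
    "batch-records": {"versioning": {"Status": "Enabled"},
                      "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                      "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}},
    "lab-scratch": {"versioning": {}, "object_lock": None},
}

if __name__ == "__main__":
    for bucket, b in SAMPLE_BUCKETS.items():
        print(*evaluate_bucket(bucket, b["versioning"], b["object_lock"]))
```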