Rule: S3 Bucket Object Lock Should Be Enabled
This rule ensures that S3 bucket object lock is enabled for data security and compliance.
| Rule | S3 bucket object lock should be enabled |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Medium |
Rule Description:
S3 bucket object lock should be enabled for NIST 800-171 Revision 2. This rule is a security requirement that ensures the protection and immutability of objects stored in an Amazon S3 bucket. Object lock allows you to enforce a retention period for objects, preventing their deletion or modification during a specified time frame. Enabling this feature helps to maintain data integrity and compliance with NIST 800-171 Revision 2 security controls.
Troubleshooting Steps (if applicable):
- 1.
Verify AWS Identity and Access Management (IAM) permissions: Make sure that the IAM user or role attempting to enable object lock has the necessary permissions. The user should have
permission on the S3 bucket.s3:PutBucketObjectLockConfiguration - 2.
Check bucket ownership: Ensure that you have the required permissions or ownership of the bucket to enable object lock.
- 3.
Ensure the bucket is not at the bucket versioning suspended state: Object lock can only be enabled on a versioned bucket. Check if versioning is enabled and not suspended for the target bucket.
- 4.
Verify AWS region compatibility: Object lock is currently supported in specific AWS regions. Ensure that you are attempting to enable object lock in a region that supports this feature.
Required Codes:
There are no specific codes required for this rule. Enabling object lock is done through AWS Management Console or AWS CLI.
Step-by-Step Guide for Remediation:
Method 1: AWS Management Console
- 1.
Sign in to the AWS Management Console.
- 2.
Open the S3 service dashboard.
- 3.
Navigate to the target bucket by selecting its name from the bucket list.
- 4.
Click on the "Properties" tab.
- 5.
Scroll down to the "Object Lock" section and click on the "Edit" button.
- 6.
Select the "Enable Object Lock" option.
- 7.
Choose the desired retention mode: Compliance or Governance.
- 8.
Set the retention period by specifying the number of days (e.g., 30 days).
- 9.
Click "Save" to enable object lock on the bucket.
Method 2: AWS CLI
- 1.
Install and configure AWS CLI (if not already installed).
- 2.
Open the command-line interface.
- 3.
Run the following command to enable object lock on the bucket:
aws s3api put-object-lock-configuration --bucket <bucket-name> --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":30}}}'
Replace
<bucket-name>- 1.Verify that the command executed successfully and object lock is enabled:
aws s3api get-object-lock-configuration --bucket <bucket-name>
Again, replace
<bucket-name>- 1.If the returned response includes
, then object lock is successfully enabled on the bucket."ObjectLockEnabled": "Enabled"
Conclusion:
Enabling S3 bucket object lock for NIST 800-171 Revision 2 ensures data integrity and compliance with security controls. By following either the AWS Management Console or AWS CLI method, you can easily configure and enable object lock on the target Amazon S3 bucket.