This rule ensures that S3 bucket object lock is enabled to protect data from accidental or malicious deletion.
Rule | S3 bucket object lock should be enabled |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Medium |
Rule Description
The rule requires S3 Object Lock to be enabled on the bucket, supporting the data-protection and recovery controls of the NIST Cybersecurity Framework (CSF) v1.1. Object Lock stores object versions in a write-once-read-many (WORM) model so that they stay intact for as long as your retention policy requires.
With Object Lock enabled and a retention period applied, a locked object version cannot be overwritten or deleted until the period expires. In Compliance mode this holds for every principal, including the bucket owner and the account root user; in Governance mode it can be overridden by principals that hold s3:BypassGovernanceRetention. Two caveats matter in practice: Object Lock works only on versioned buckets (enabling it turns on versioning, which can then no longer be suspended), and it protects object versions rather than object keys, so a DELETE without a version ID still adds a delete marker, while the locked version remains and can be restored. This prevents accidental or malicious modification or deletion of critical data, including the bulk destruction of backups seen in ransomware incidents.
Troubleshooting Steps
If Object Lock is not enabled on an S3 bucket, the following checks help locate the cause:
Step 1: Verify the bucket's Object Lock state: in the console, open the bucket's "Properties" tab and look at the "Object Lock" section; through the API, GetObjectLockConfiguration returns ObjectLockConfigurationNotFoundError when Object Lock has never been enabled on the bucket.
Step 2: Check permissions: the IAM user or role performing the remediation needs s3:GetBucketObjectLockConfiguration and s3:PutBucketObjectLockConfiguration, plus s3:GetBucketVersioning and s3:PutBucketVersioning, because Object Lock requires versioning. Also review bucket policies and service control policies that could deny these actions.
Step 3: Review the existing configuration where Object Lock is already enabled: confirm that a default retention rule exists (Object Lock with no default retention locks nothing unless each writer sets retention per object) and that its mode and period satisfy your retention policy; this rule expects Compliance mode.
Step 4: Enable Object Lock: if it is not enabled, follow the remediation steps below.
Remediation Steps
To enable S3 Object Lock on a bucket in line with the NIST CSF v1.1, follow these step-by-step instructions (versioning is enabled automatically as part of this process; if it is suspended, re-enable it first):
Step 1: Open the AWS Management Console and navigate to the S3 service.
Step 2: Select the desired bucket for which you wish to enable object lock.
Step 3: Click on the "Properties" tab in the bucket details section.
Step 4: Under the "Object lock" section, click on "Edit".
Step 5: In the "Object Lock" settings, choose "Enable", then enable "Default retention" and select the retention mode. Governance mode blocks overwrite and deletion for everyone except principals granted s3:BypassGovernanceRetention; Compliance mode blocks them for every principal, including the root user, and a Compliance retention period can be extended but never shortened or removed once set.
For this rule, Compliance mode is recommended because it gives the stronger immutability guarantee. Since it cannot be undone (AWS documents that the only way to delete a Compliance-locked version before its retention date is to delete the AWS account), validate the mode and period on a non-production bucket before applying them to critical data.
Step 6: Choose a default retention period, in days or years, that matches your organization's retention policy. The default applies to object versions written after it is set; existing versions are not locked retroactively, so apply retention to them per object version if they need the same protection.
Step 7: Legal hold is not a bucket-level setting and does not appear on this page. It is placed on individual object versions (from the object's "Properties" tab, or with PutObjectLegalHold) and prevents deletion or overwrite with no expiry date, until a principal with s3:PutObjectLegalHold removes it. Use it alongside, not instead of, a default retention period.
Step 8: Click on "Save changes" to apply the object lock settings to the S3 bucket.
AWS CLI Commands
If you prefer the AWS Command Line Interface (CLI), the following command enables Object Lock with a Compliance-mode default retention. The bucket must already have versioning enabled; otherwise the call fails with InvalidBucketState.
aws s3api put-object-lock-configuration --bucket <bucket-name> --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":<retention-period>}}}'
Replace <bucket-name> with the name of your S3 bucket and <retention-period> with the desired number of days of retention (use "Years" in place of "Days" for year-based retention; the two are mutually exclusive). The command enables Object Lock in Compliance mode on the specified bucket with the given default retention period. Read the configuration back with get-object-lock-configuration afterwards to confirm it applied. The caller needs s3:PutBucketObjectLockConfiguration, and s3:PutBucketVersioning if versioning also has to be enabled.
Following these steps and commands, you can enable S3 Object Lock on the bucket and satisfy this NIST Cybersecurity Framework (CSF) v1.1 rule.
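The check-then-remediate flow described in the troubleshooting and remediation sections, as an added example that is not part of the original page and not AWS's own tooling. It uses boto3 (assumed installed for a real run) and the bucket-level calls that the console and CLI steps map to: GetBucketVersioning, PutBucketVersioning, GetObjectLockConfiguration and PutObjectLockConfiguration. The evaluate function encodes the rule itself (versioning on, Object Lock enabled, a default retention in Compliance mode) so it can double as a detection check; ensure_object_lock performs the remediation and then reads the configuration back instead of trusting the write. FakeS3 is a constructed in-memory stand-in with the same method names and response shapes so the flow can run offline; the bucket name, retention period and finding strings are illustrative.

```python
"""Audit and remediate S3 Object Lock on one bucket (added example; boto3 assumed for real runs)."""
from __future__ import annotations

import sys

REQUIRED_MODE = "COMPLIANCE"   # the mode this rule recommends


def evaluate(versioning: dict, lock_config: dict | None) -> list[str]:
    """Return findings for one bucket; an empty list means the bucket passes the rule.

    versioning  - response of get_bucket_versioning()
    lock_config - "ObjectLockConfiguration" from get_object_lock_configuration(),
                  or None when S3 reported ObjectLockConfigurationNotFoundError
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock requires it)")
    if not lock_config or lock_config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
        return findings
    retention = lock_config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: new objects are not locked unless the writer sets retention")
    elif retention.get("Mode") != REQUIRED_MODE:
        findings.append(f"default retention mode is {retention.get('Mode')}, expected {REQUIRED_MODE} "
                        "(GOVERNANCE can be bypassed with s3:BypassGovernanceRetention)")
    return findings


def get_lock_config(s3, bucket: str) -> dict | None:
    """Fetch the Object Lock configuration, mapping 'never enabled' to None.

    The error is matched on the code in err.response, the shape botocore's ClientError
    exposes, so this works for a real client and the stand-in without importing botocore.
    """
    try:
        return s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as err:
        if getattr(err, "response", {}).get("Error", {}).get("Code") == "ObjectLockConfigurationNotFoundError":
            return None
        raise


def ensure_object_lock(s3, bucket: str, days: int, mode: str = REQUIRED_MODE) -> list[str]:
    """Enable versioning if needed, enable Object Lock with a default retention, then re-check.

    Returns the findings that remain afterwards (empty on success). The caller needs
    s3:GetBucketVersioning, s3:PutBucketVersioning, s3:GetBucketObjectLockConfiguration
    and s3:PutBucketObjectLockConfiguration on the bucket.
    """
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if days < 1:
        raise ValueError("retention must be at least one day")
    # Object Lock is only valid on a versioned bucket; S3 rejects the lock call otherwise.
    if s3.get_bucket_versioning(Bucket=bucket).get("Status") != "Enabled":
        s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration={"ObjectLockEnabled": "Enabled",
                                 "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}},
    )
    # Read the effective state back rather than assuming the write applied as intended.
    return evaluate(s3.get_bucket_versioning(Bucket=bucket), get_lock_config(s3, bucket))


class _ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (same .response shape)."""

    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed in-memory stand-in for a boto3 S3 client; for offline demonstration only."""

    def __init__(self, versioning: str | None = None, lock_config: dict | None = None):
        self._versioning = versioning          # None, "Enabled" or "Suspended"
        self._lock = lock_config

    def get_bucket_versioning(self, Bucket):
        return {"Status": self._versioning} if self._versioning else {}

    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self._versioning = VersioningConfiguration["Status"]

    def get_object_lock_configuration(self, Bucket):
        if self._lock is None:
            raise _ClientError("ObjectLockConfigurationNotFoundError")
        return {"ObjectLockConfiguration": self._lock}

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        if self._versioning != "Enabled":      # mirrors S3, which refuses this on an unversioned bucket
            raise _ClientError("InvalidBucketState")
        self._lock = ObjectLockConfiguration


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # python3 s3_object_lock.py <bucket> <days>
        import boto3                           # assumed installed for a real run
        s3, bucket, days = boto3.client("s3"), sys.argv[1], int(sys.argv[2])
    else:                                      # no arguments: demonstrate against the stand-in
        s3, bucket, days = FakeS3(), "example-bucket", 365
    print("before:", evaluate(s3.get_bucket_versioning(Bucket=bucket), get_lock_config(s3, bucket)) or "pass")
    print("after: ", ensure_object_lock(s3, bucket, days) or "pass")
```

Run it with a bucket name and a retention period in days to remediate a real bucket, or with no arguments to see the before and after findings against the stand-in. Because a Compliance-mode default retention cannot be shortened once set, point it at a test bucket before running it against production data.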