
Rule: S3 Bucket Object Lock Should Be Enabled

This rule ensures that S3 bucket object lock is enabled to enhance data confidentiality.

Rule: S3 bucket object lock should be enabled
Framework: SOC 2
Severity: Medium

Rule Description

The S3 bucket object lock must be enabled to meet the requirements of SOC 2. Object lock provides an additional layer of protection for the objects stored in an S3 bucket by preventing them from being deleted or modified for a specified retention period. This helps ensure data integrity and compliance with data governance policies.

Enabling object lock on an S3 bucket allows you to implement a WORM (Write Once Read Many) data protection strategy, where objects can be written once and then protected from any further modifications until the retention period expires.

Troubleshooting Steps

If object lock is not enabled for the S3 bucket, follow the troubleshooting steps below to enable it:

1. Ensure you have the necessary permissions: Make sure you have the required IAM permissions to modify the bucket settings. You should have permissions to access and modify the S3 bucket policies.

2. Check if object lock is already enabled: Verify whether object lock is already enabled for the S3 bucket. You can do this by checking the bucket properties in the AWS Management Console or by using the AWS Command Line Interface (CLI) with the get-object-lock-configuration command. The CLI returns an ObjectLockConfigurationNotFoundError for a bucket on which object lock has never been enabled.

3. Enable object lock: If object lock is not already enabled, enable it by modifying the bucket properties. You can do this in the AWS Management Console or by using the AWS CLI with the put-object-lock-configuration command. Specify the bucket name and set ObjectLockEnabled to Enabled. Versioning must already be enabled on the bucket, since object lock depends on it.

Necessary Code

For an existing bucket, enable versioning first, then enable object lock with put-object-lock-configuration (put-bucket-versioning does not accept an --object-lock-enabled-for-bucket flag; that flag belongs to create-bucket and applies only to new buckets):

aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled
aws s3api put-object-lock-configuration --bucket your-bucket-name --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}'

Note: Replace your-bucket-name with the actual name of your S3 bucket.

Step-by-Step Guide for Remediation

Follow the steps below to enable object lock for an S3 bucket:

1. Open the AWS Management Console and navigate to the S3 service.

2. Select the S3 bucket for which you want to enable object lock.

3. Click on the "Properties" tab.

4. Under the "Advanced settings" section, locate the "Object lock" option.

5. Click on the "Edit object lock" button.

6. In the object lock settings, select "Enable object lock".

7. Choose the desired retention mode based on your requirements: governance or compliance.

8. Specify the retention period for the objects in the bucket.

9. Click on the "Save" button to enable object lock for the S3 bucket.

10. Verify that object lock is enabled by checking the bucket properties or by using the AWS CLI with the get-object-lock-configuration command.

11. If needed, update the bucket policy to enforce further restrictions on object lock actions.

By following these steps, object lock can be successfully enabled for an S3 bucket to meet the SOC 2 requirement.
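As an added verification check for step 10 (example code written for this page, not part of the rule page or any Cloud Defense tooling), the following Python script evaluates a bucket's get-object-lock-configuration output against this rule. It treats the ObjectLockConfigurationNotFoundError that the CLI returns for a bucket without object lock as a failed check, and it flags the two weak states a reviewer would want to notice: no default retention rule, and governance mode. The bucket names and sample responses are constructed, not taken from a real account.

```python
import json
import subprocess


def evaluate_object_lock(response):
    """Return a finding dict for one bucket.

    `response` is the parsed JSON printed by
    `aws s3api get-object-lock-configuration`, or None when that call failed
    with ObjectLockConfigurationNotFoundError (object lock never enabled).
    """
    if response is None:
        return {"enabled": False, "compliant": False,
                "reason": "object lock was never enabled on this bucket"}
    cfg = response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return {"enabled": False, "compliant": False,
                "reason": "ObjectLockEnabled is not 'Enabled'"}
    finding = {"enabled": True, "compliant": True, "reason": "object lock enabled"}
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Enabling object lock alone locks nothing: without a default rule,
        # objects are protected only if retention is set on each upload.
        finding["warning"] = "no default retention rule configured"
    else:
        finding["mode"] = retention.get("Mode")
        finding["retention"] = retention.get("Days") or retention.get("Years")
        if finding["mode"] == "GOVERNANCE":
            finding["warning"] = ("GOVERNANCE mode can be lifted by principals "
                                  "holding s3:BypassGovernanceRetention")
    return finding


def audit_bucket(bucket, run=subprocess.run):
    """Query the AWS CLI for a real bucket; `run` is injectable for testing."""
    proc = run(["aws", "s3api", "get-object-lock-configuration", "--bucket", bucket],
               capture_output=True, text=True)
    if proc.returncode != 0:
        if "ObjectLockConfigurationNotFoundError" in proc.stderr:
            return evaluate_object_lock(None)
        raise RuntimeError(proc.stderr.strip())
    return evaluate_object_lock(json.loads(proc.stdout))


# Constructed sample responses in the shape the CLI prints.
SAMPLE_COMPLIANCE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
SAMPLE_NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # bucket names passed on the command line
        print(name, audit_bucket(name))
```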
