As organizations increasingly store critical data in Amazon S3, the risk of cyber threats such as ransomware attacks escalates. According to SonicWall, there were 1,748 recorded ransomware attempts per customer during the first three quarters of 2021. Furthermore, a report from Positive Technologies states that cybercriminals can penetrate 93 percent of company networks. Ransomware attacks involving S3 data often involve stealing or encrypting the victim's data, holding it hostage until a ransom is paid.
While companies traditionally employ a layered approach to protecting their S3 data, including bucket policies, IAM roles, service control policies, and permission boundaries, these measures may not be sufficient if an attacker gains access to an administrative account. This is where S3 Object Lock comes into play.
Understanding S3 Object Lock
S3 Object Lock is a mechanism that prevents an object version from being deleted or modified. It is only available for versioned objects and does not prevent the creation of new versions. However, it can guarantee that a specific version will not be altered or deleted.
It is important to note that objects in S3 are immutable. When a PUT operation is performed on a non-versioned object, a new object is created with the same key, and the previous object is deleted. With versioned objects, the previous object gets a version tag, and the newly PUT object becomes the current version.
Object Locks can exist for either a specific time period called the "retention period" or indefinitely via a "legal hold." During an object's retention period or when a legal hold is enabled, the object cannot be deleted. A retention period can be extended as needed, and a legal hold can be disabled.
Governance and Compliance Modes
Object Lock operates in two modes: governance and compliance. In governance mode, a user with the s3:BypassGovernanceRetention permission can shorten a retention period, effectively removing the lock. Similarly, a user with the s3:PutObjectLegalHold permission can remove a legal hold.
However, in compliance mode, no one, including AWS, can shorten the retention period. If an Object-Locked object is set to compliance mode with a five-year retention period, that object will remain locked for five years, regardless of any attempts to modify or delete it.
| Governance Mode | Compliance Mode | |
|---|---|---|
| Change Legal Hold | Requires special permission | Requires special permission |
| Extend Retention Period | Requires special permission | Requires special permission |
| Shorten Retention Period | Requires special permission | No one, including AWS, can shorten the retention period |
Comparison with Glacier Vault Lock
While S3 Object Lock has similarities to Glacier Vault Lock, their respective use cases differ. Vault Lock is designed to protect a Glacier vault from modification, assuming that the objects stored in the vault are unlikely to be accessed frequently due to their petabyte scale, such as genomic or machine learning workloads.
On the other hand, Object Lock is used to protect data that may be subject to active usage, such as drug trial data, which is heavily used initially and may be required for re-calculation by regulatory bodies like the FDA.
Initiating S3 Object Lock
Object Lock only works on buckets with versioning enabled, and it can only be enabled for a bucket when it is first created. However, AWS can enable Object Lock for an existing bucket upon request.
To lock a large number of objects, lifecycle rules or S3 Batch Operations can be used. Lifecycle rules allow a limited set of operations to be performed on all objects in a bucket or those matching a filter pattern. S3 Batch Operations support Object Lock operations and can perform actions on a list of objects specified in a manifest, which can be a CSV file created manually or via S3 Inventory.
Easing into Object Lock Usage
Before implementing Object Lock, it is essential to understand the usage patterns of your objects. If your objects are short-lived, undergo frequent updates, or are not mission-critical, Object Lock might not be appropriate.
One approach is to start by setting short retention periods and using governance mode on a select group of objects. If applications encounter failures under this regime, an administrator can remove the lock or shorten the retention period until the application's behavior is understood. After a trial period in governance mode, organizations can switch to compliance mode, initially with relatively short retention periods before moving to longer periods.
Conclusion
S3 Object Lock provides robust protection for critical data stored in Amazon S3, helping organizations mitigate the risks of ransomware attacks and data breaches. While not suitable for all objects, it is worth considering for sensitive data such as personal health information (PHI), personally identifiable information (PII), or other business-critical or privacy-sensitive data. By implementing Object Lock, organizations can enhance their data security posture and provide peace of mind to their CISOs and stakeholders.
Top comments (0)