Securing S3 Objects from Unintentional Deletion and Modification with S3 Object Lock
Introduction
The Amazon S3 Object Lock feature provides a valuable solution for preventing accidental deletion or modification of S3 objects. By enabling either governance mode or compliance mode, cloud security engineers can ensure the retention of S3 objects for a specified period. This not only protects against accidental deletion but also meets regulatory compliance requirements and mitigates ransomware threats. In this lab, we will explore how to enable and utilize the S3 Object Lock feature to safeguard objects from unintended deletion, demonstrating its effectiveness in maintaining data integrity and compliance.
Lab Objective
In this lab, you will learn the step-by-step process of creating an S3 bucket with object lock enabled, uploading objects, enabling object lock, and verifying S3 Object Lock.
Disclaimer
Please note that the AWS management console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS management console.
Lab Tasks
- Sign in to your AWS management console and, in the search box at the top, search for S3.
- On the Amazon S3 page, click on Create Bucket.
- On the Create bucket page, enter a name under Bucket name (here, we used d3m0-01b). Under AWS Region, select an appropriate region; here, we selected us-west-2 (Oregon).
- Under Object Ownership, click on the ACLs enabled radio button.
- Scroll down to the bottom of the page and expand Advanced Settings. To enable Object Lock for the S3 bucket, select the Enable radio button under Object Lock. Next, select the acknowledgment checkbox, then click on Create bucket.
- The d3m0-01b bucket has been successfully created.
- Now, upload an object into the S3 bucket and enable object lock. Create a text file on your desktop using Notepad and add some text to it, then save the file as d3m0-01b.txt.
- To upload an object into the S3 bucket, click on the S3 bucket name (d3m0-01b) to open the bucket info page.
- Click on Upload to upload the object into the S3 bucket.
- On the Upload page, click on Add Files to add the file you created to the upload list for the S3 bucket (d3m0-01b).
- The text file has been successfully added. To upload it as an S3 object, simply scroll down and click on the "Upload" button.
- At the top of the window, a message will appear indicating the successful upload of the file. To close the window, click on the "Close" button.
- On the d3m0-01b S3 bucket page, enable the compliance mode of Object Lock for the object. To do so, click on the name of the object (d3m0-01b.txt) to open the object information window.
- Within the object info page (d3m0-01b.txt), navigate downwards until you reach the section labeled "Object Lock Retention." Click on Edit next to Object Lock Retention.
- In the "Edit Object Lock Retention" window, select the "Enable" radio button under Retention. This reveals additional configuration options. To activate the strongest protection for the S3 object, preventing both deletion and modification, select the "Compliance mode" radio button under "Retention mode". Specify a "Retain until" date to indicate how long the object should be retained.
NOTE: Please keep in mind that for the purposes of this lab, it is recommended to choose the nearest date, preferably the following day, as the "Retain until" date. This is because, if compliance mode is enabled, even the root user will be unable to delete the object.
- Scroll down to the bottom. To save the retention configuration, click on Save Changes.
- At the top, a notification is shown indicating that the Object Lock retention for the object has been modified.
- Click on the name of the bucket (d3m0-01b) at the top to navigate back to the bucket information page.
- Next, check if it is possible to modify the retention mode by clicking on the S3 object's name (d3m0-01b.txt) to access the object information window.
- On the object information page, scroll down to Object Lock Retention. Click on Edit.
- The Disable option under Retention is greyed out, and so is Governance mode under Retention mode. Note that once compliance mode is set, the Object Lock retention can only be changed after the retention date has passed.
- Now, click on the name of the S3 bucket (d3m0-01b) at the top to navigate back to the bucket info window.
- On the d3m0-01b bucket info page, toggle the "Show versions" button to the on position to view all versions of the S3 object.
- Now, try to delete the object to verify S3 Object Lock. Select the checkbox for the object (d3m0-01b.txt) and click on Delete.
- On the Delete Objects page, confirm the deletion by typing permanently delete. Click on Delete objects.
- The Delete objects: status window opens. It can be observed that one object could not be deleted. Under the Failed to Delete section, you will see the error message "Access denied", as shown in the screenshot, because compliance mode retention for Object Lock is enabled on the S3 object.
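The "Access denied" result above, and the greyed-out Disable and Governance options earlier, follow from the Object Lock rules. The following Python model of those rules is an added example written for this page, not code from the lab or from AWS; the object name, retention date and clock are constructed to match the lab, and the governance-mode bypass it models comes from the documented s3:BypassGovernanceRetention permission, which the lab itself does not exercise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

COMPLIANCE, GOVERNANCE = "COMPLIANCE", "GOVERNANCE"
DAY = timedelta(days=1)
LAB_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock for the walk-through

@dataclass
class LockedVersion:
    key: str
    mode: Optional[str]               # COMPLIANCE, GOVERNANCE or None (no lock)
    retain_until: Optional[datetime]  # the "Retain until" date chosen in the console

def lab_object() -> LockedVersion:
    """The object as the lab leaves it: compliance mode, retained until the next day."""
    return LockedVersion("d3m0-01b.txt", COMPLIANCE, LAB_NOW + DAY)

def retention_active(v: LockedVersion, now: datetime) -> bool:
    return v.mode is not None and v.retain_until is not None and now < v.retain_until

def delete_request(v, now, version_specified, bypass_governance=False) -> Tuple[bool, str]:
    """Outcome of DeleteObject. Without a version id S3 only adds a delete marker, which
    is always allowed; with "Show versions" on, the console deletes the version itself."""
    if not version_specified:
        return True, "delete marker added; the locked version itself is retained"
    if not retention_active(v, now):
        return True, "no active retention; version permanently deleted"
    if v.mode == GOVERNANCE and bypass_governance:
        return True, "governance retention bypassed (s3:BypassGovernanceRetention)"
    return False, f"Access denied: {v.mode} retention until {v.retain_until.date()}"

def change_retention(v, now, new_mode, new_until, bypass_governance=False) -> Tuple[bool, str]:
    """Outcome of PutObjectRetention (the console's Edit Object Lock Retention dialog)."""
    if not retention_active(v, now):
        return True, "no active retention; new settings applied"
    shortens = new_until is None or new_until < v.retain_until
    weakens = v.mode == COMPLIANCE and new_mode != COMPLIANCE  # compliance -> governance is never allowed
    if not shortens and not weakens:
        return True, "retention kept or tightened"  # extending, or moving governance -> compliance
    if v.mode == COMPLIANCE:
        return False, "Access denied: compliance retention can only be extended"
    if bypass_governance:
        return True, "governance retention overridden with bypass"
    return False, "Access denied: weakening governance retention needs s3:BypassGovernanceRetention"

if __name__ == "__main__":  # the lab's failed delete with "Show versions" on
    print(delete_request(lab_object(), LAB_NOW, version_specified=True))
```

Run it after the retain-until date (LAB_NOW + 2 * DAY) and the same delete succeeds, which is why the cleanup section below has to wait 24 hours.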
Lesson
By leveraging the Object Lock feature and configuring retention in compliance mode, cloud security engineers can effectively protect S3 objects from accidental deletion, modifications, and ransomware attacks and meet compliance requirements.
Lab Summary
During the creation of the S3 bucket (d3m0-01b), Object Lock was enabled to ensure data integrity. A .txt file was then uploaded into the S3 bucket as an object. To further enhance protection, Object Lock retention in compliance mode was activated on the object's info page with a specific retention date, effectively preventing any deletion or modification of the object until that date.
Deleting Created Resources
Please make sure to delete, shut down, or terminate all the resources that have been created and utilized in this lab to avoid incurring any charges.
You won't be able to delete the S3 bucket immediately because of the Object Lock retention; the object, and therefore the bucket, can only be deleted after the retention date (which in this lab was set to 24 hours later).
Check back after 24 hours to delete the bucket.
- Navigate to Buckets under Amazon S3 and select the checkbox for the bucket you want to delete (here, d3m0-01b). Click on the Empty button to empty the bucket before deleting it. In the pop-up window, enter permanently delete and click on the Empty button.
- Navigate to Buckets under Amazon S3 again, select the checkbox for the same bucket (d3m0-01b) and click on the Delete button. In the pop-up window, enter the bucket's name and click on the Delete button.