7.15 Object Lock and Versioning in AWS S3 Buckets


Introduction to Object Lock and Versioning

Object Lock and Versioning are complementary S3 features for protecting stored data. Versioning keeps every version of an object and records deletions as delete markers, so overwrites and deletions can be rolled back; Object Lock builds on versioning to make individual object versions immutable for a set period, so neither an accident nor an attacker holding delete permissions can remove them. Object Lock requires versioning, and enabling it on a bucket turns versioning on automatically.

AWS S3 Object Lock is a feature within Amazon Simple Storage Service (S3) that enables you to store objects using a write-once-read-many (WORM) model. It helps to prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely, providing an additional layer of data protection and helping to meet regulatory requirements that demand data immutability. This feature is particularly valuable for enterprises and organizations that handle sensitive or regulated data, such as financial records, medical records, and legal documents.

Here are the key components and capabilities of S3 Object Lock:

1. Modes of Operation

S3 Object Lock operates in two main modes:

  • Governance Mode: Allows users to protect objects against deletion by most users while still permitting privileged users to override the lock settings if necessary. This mode is suitable for protecting against accidental deletions or modifications.
  • Compliance Mode: Provides a stricter level of protection. Once an object is locked in compliance mode, no one can delete or overwrite it until the retention period expires. This includes AWS account root users, ensuring the highest level of data immutability for regulatory compliance.

2. Retention Period

You can specify a retention period for an object version locked in either governance or compliance mode, either as a retain-until date on the version itself or as a default number of days or years on the bucket, which S3 converts into a retain-until date for each new version as it is written. Until that date the version cannot be deleted (in compliance mode by anyone; in governance mode only by callers permitted to bypass retention). A retention period can always be extended. In compliance mode it can never be shortened, and in governance mode shortening or removing it requires the bypass permission described below.

3. Legal Hold

In addition to the retention settings, you can place a legal hold on an object version. A legal hold provides the same protection as a retention period but has no expiration date: the version remains immutable until the hold is explicitly removed. Placing or removing a hold requires the s3:PutObjectLegalHold permission, and a hold can be applied whether or not the version also has a retention period, in either governance or compliance mode, which makes it the right tool for open-ended situations such as litigation or an ongoing investigation.

4. Implementation

To use S3 Object Lock, enable it on the bucket. The simplest way is to turn it on when the bucket is created; AWS has since also allowed enabling it on an existing bucket that has versioning enabled (this used to require a request to AWS Support). Either way the change is permanent: Object Lock cannot be disabled for the bucket afterwards, and versioning cannot be suspended on it. You can then apply Object Lock settings to individual object versions, or set a bucket-level default retention mode and period that is applied to every new object written to the bucket.

5. Use Cases

S3 Object Lock is ideal for various use cases, including:

  • Regulatory Compliance: Meeting record-keeping rules that require retained data to be immutable, such as SEC Rule 17a-4(f), CFTC Rule 1.31 and FINRA Rule 4511. Immutability cuts both ways: data you may be legally obliged to erase (for example personal data subject to GDPR deletion requests) should not be placed under a long compliance-mode lock.
  • Data Protection: Protecting data from being accidentally or maliciously deleted or modified.
  • Record Keeping: Preserving financial records, legal documents, and healthcare records in an immutable form for a specified period.

Governance Mode

  • Purpose: Governance mode allows you to protect objects against deletion by most users while still permitting privileged users to override the lock. This mode is designed for scenarios where you want to prevent accidental deletion or overwriting of objects by most users but still need the flexibility to remove the lock if necessary.
  • How it Works: Object Lock protects object versions, not keys. Writing to a locked key simply creates a new version, and a DELETE without a version ID only adds a delete marker; versioning lets you undo both. To permanently delete a locked version, or to shorten its retention, in governance mode a caller needs the s3:BypassGovernanceRetention permission and must also send the x-amz-bypass-governance-retention:true header (the --bypass-governance-retention flag in the AWS CLI); the permission alone is not enough. This lets designated administrators manage the lock without giving every writer the ability to undo it.
  • Use Cases: Governance mode is ideal for data that needs to be protected against change or deletion by standard users but might need to be edited or removed by administrators or under specific circumstances.

Compliance Mode

  • Purpose: Compliance mode is stricter than governance mode. Once an object is locked in compliance mode, it cannot be overwritten or deleted by any user, including the root account, until the lock expires. This mode is designed to ensure that objects remain immutable for compliance with regulatory standards that require data immutability.
  • How it Works: In compliance mode, no identity in the account, the root user included, can delete the locked version, shorten its retention period, or change its mode until the retention period expires; the only way to remove the data early is to delete the AWS account. A mistyped retain-until date in compliance mode therefore cannot be corrected, so test with short periods or governance mode first.
  • Use Cases: Compliance mode is suited for data that requires a high degree of protection and immutability for compliance reasons. This includes records that must be retained for a certain period according to laws or regulations, ensuring that the data cannot be altered or deleted during that time.

Setting Up S3 Object Lock

  1. Enable Object Lock on a Bucket: Object Lock is enabled at the bucket level, normally when the bucket is created; AWS now also lets you enable it on an existing bucket that has versioning turned on. In both cases the action is irreversible: Object Lock cannot be turned off again and versioning cannot be suspended on that bucket.
  2. Apply Object Lock: After enabling Object Lock on a bucket, you can apply lock settings to individual objects or use default retention settings for the bucket to automatically apply lock parameters to new objects.

Considerations

  • Immutable State: In compliance mode, the lock is absolute; no one can delete or modify the locked objects, ensuring data remains unchanged.
  • Legal Holds: Independently of the retention mode, you can also apply legal holds to objects, providing an additional layer of protection. A legal hold maintains the immutability of an object until the hold is removed, regardless of the retention period.

AWS S3 Object Lock’s governance and compliance modes offer flexible yet powerful tools to ensure data protection and regulatory compliance by preventing unauthorized deletion or modification of objects.

Enabling Object Lock and Versioning

Using AWS Management Console

Enabling Versioning

  1. Access AWS Management Console: Log into your AWS account.
  2. Navigate to S3 Service: Go to the S3 dashboard.
  3. Select Your Bucket: Choose the bucket for which you want to enable versioning.
  4. Access Properties Tab: Click on the ‘Properties’ tab.
  5. Enable Versioning: In the ‘Bucket Versioning’ section, click ‘Edit’ and then select ‘Enable’. Save the changes.

Enabling Object Lock

  1. Create a New Bucket with Object Lock: While creating a new bucket, enable ‘Object Lock’ in the set-up options.
  2. Configure Object Lock: In the bucket properties, click on ‘Object Lock’. Choose the default retention mode and period, and then save.

Note: Object Lock is easiest to enable when the bucket is created. Enabling it on an existing bucket is now supported, but the bucket must already have versioning enabled, and Object Lock cannot be turned off once it is on.

Using AWS CLI

Enabling Versioning

  1. Use AWS CLI Command: Execute the following command to enable versioning:
aws s3api put-bucket-versioning --bucket YOUR-BUCKET-NAME --versioning-configuration Status=Enabled
  2. Replace YOUR-BUCKET-NAME with your bucket name.

Enabling Object Lock

With the AWS CLI, create the bucket with Object Lock already enabled by passing the --object-lock-enabled-for-bucket flag to aws s3api create-bucket; S3 turns on versioning for the bucket at the same time. For an existing bucket with versioning enabled, Object Lock can instead be enabled with aws s3api put-object-lock-configuration by setting ObjectLockEnabled to Enabled. The same put-object-lock-configuration command sets the bucket's default retention mode and period.

For Example – Object Lock at Compliance Level

Give the retain-until date as an unambiguous ISO 8601 UTC timestamp (2024-02-02T00:00:00Z) rather than a locale-dependent form such as 02/02/2024, and make sure it lies in the future when the request is made. When --object-lock-mode is given, --object-lock-retain-until-date is required as well.

aws s3api put-object --bucket devteampocoperation --key sampledata.txt --body sampledata.txt --object-lock-mode COMPLIANCE --object-lock-retain-until-date 2024-02-02T00:00:00Z

For Example – Object Lock at Governance Level

aws s3api put-object --bucket devteampocoperation --key sampledata.txt --body sampledata.txt --object-lock-mode GOVERNANCE --object-lock-retain-until-date 2024-02-03T00:00:00Z

Object Lock Legal Hold Status

aws s3api put-object --bucket devteampocoperation --key legalholddemo.txt --body legalholddemo.txt --object-lock-legal-hold-status ON

Compliance Object Retention on Specific Date

This sets or extends the retention of an existing object version; in compliance mode the new date may only be later than the current one. Without --version-id the current version of the key is affected. Quote the whole shorthand value once (the nested double quotes in the original command break the shell).

aws s3api put-object-retention --bucket devteampocoperation --key sampledata.txt --retention 'Mode=COMPLIANCE,RetainUntilDate=2024-02-15T00:00:00Z'
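The following script is an added example that ties the commands above into one run and is not part of the original post or of the AWS documentation. The bucket name, key, dates and the DEMO_BUCKET, RETAIN_UNTIL and LATER_RETAIN_UNTIL variables are placeholders of my own; the AWS calls only execute when DEMO_BUCKET is set, so the two helper functions (retain-until date validation and default-retention JSON) can be checked without an account.

```shell
#!/bin/sh
# Added example (not from the original post): an end-to-end Object Lock workflow
# with the AWS CLI. Bucket name, key and dates below are placeholders.
# The AWS calls run only when DEMO_BUCKET is set, so the helper functions can be
# exercised offline.

# A retain-until date must be an ISO 8601 UTC timestamp that lies in the future,
# e.g. 2030-01-01T00:00:00Z. Returns 0 if the value is usable, 1 otherwise.
retain_until_valid() {
    retain_until="$1"
    case "$retain_until" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) return 1 ;;
    esac
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # ISO 8601 UTC strings sort lexicographically, so a string compare is enough.
    [ "$retain_until" \> "$now" ]
}

# Bucket-level default retention that S3 applies to every new object version.
# Usage: lock_config_json GOVERNANCE 30   (mode, days)
lock_config_json() {
    printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","Days":%d}}}' "$1" "$2"
}

demo_workflow() {
    bucket="$1"; retain_until="$2"; key=sampledata.txt
    retain_until_valid "$retain_until" || { echo "bad RetainUntilDate: $retain_until" >&2; return 1; }

    # 1. Create the bucket with Object Lock on; S3 enables versioning automatically.
    #    Outside us-east-1 add: --create-bucket-configuration LocationConstraint=<region>
    aws s3api create-bucket --bucket "$bucket" --object-lock-enabled-for-bucket
    aws s3api get-bucket-versioning --bucket "$bucket"        # expect "Status": "Enabled"

    # 2. Default retention for everything written to the bucket: GOVERNANCE, 30 days.
    aws s3api put-object-lock-configuration --bucket "$bucket" \
        --object-lock-configuration "$(lock_config_json GOVERNANCE 30)"

    # 3. Write one object with an explicit, stricter COMPLIANCE lock and a legal hold.
    printf 'ledger entry\n' > "$key"
    version=$(aws s3api put-object --bucket "$bucket" --key "$key" --body "$key" \
        --object-lock-mode COMPLIANCE --object-lock-retain-until-date "$retain_until" \
        --query VersionId --output text)
    aws s3api put-object-legal-hold --bucket "$bucket" --key "$key" \
        --version-id "$version" --legal-hold Status=ON
    aws s3api get-object-retention --bucket "$bucket" --key "$key" --version-id "$version"

    # 4. A DELETE without a version ID only adds a delete marker (recoverable).
    #    Deleting the locked version itself is refused with AccessDenied, and in
    #    COMPLIANCE mode --bypass-governance-retention does not change that.
    aws s3api delete-object --bucket "$bucket" --key "$key"
    aws s3api delete-object --bucket "$bucket" --key "$key" --version-id "$version" || true

    # 5. Retention can be extended at any time; in COMPLIANCE mode it can never be
    #    shortened. The legal hold is independent of the retention date and must be
    #    lifted explicitly (needs s3:PutObjectLegalHold).
    aws s3api put-object-retention --bucket "$bucket" --key "$key" --version-id "$version" \
        --retention "Mode=COMPLIANCE,RetainUntilDate=${LATER_RETAIN_UNTIL:-2031-01-01T00:00:00Z}"
    aws s3api put-object-legal-hold --bucket "$bucket" --key "$key" \
        --version-id "$version" --legal-hold Status=OFF
}

if [ -n "${DEMO_BUCKET:-}" ]; then
    demo_workflow "$DEMO_BUCKET" "${RETAIN_UNTIL:-2030-01-01T00:00:00Z}"
fi
```

Run it as DEMO_BUCKET=my-unique-bucket sh objectlock-demo.sh against a test account; step 4 is the point of the exercise, since it shows what a caller with full delete rights can and cannot do to a locked version. Everything the script locks stays locked until the dates you chose, so keep them short in a test account.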

Best Practices for Object Lock and Versioning

  1. Retention Policies: Choose the mode and period deliberately. Start with governance mode or short periods; a compliance-mode lock with a mistyped retain-until date cannot be shortened or removed.
  2. Regular Audits: Review locked and versioned objects regularly, both to manage the storage cost of retained versions and to confirm that retention settings and legal holds are actually in place on the data that needs them.
  3. Lifecycle Policies: Use lifecycle rules to expire old noncurrent versions and clean up delete markers once their retention has passed, so that versioning does not become an unbounded cost.
  4. Access Control: Use IAM and bucket policies to restrict s3:DeleteObjectVersion, s3:BypassGovernanceRetention, s3:PutObjectLegalHold and s3:PutBucketObjectLockConfiguration to a small, audited set of principals; everyday writers should be able to add versions, not remove them. For versioned buckets without Object Lock, MFA Delete adds a second factor to permanent version deletion and to changing the bucket's versioning state.
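As an added example of the access-control recommendation (my own code, not from the original post), the script below emits and applies a bucket policy that denies every lock-weakening and version-purging action to all principals except one designated guardian role. The bucket name records-archive, the account ID 123456789012 and the role RecordsGuardian are placeholders; it assumes the guardian is an IAM role, which is why the condition matches aws:PrincipalArn. If your writers need to set legal holds on upload, drop s3:PutObjectLegalHold from the deny list.

```shell
#!/bin/sh
# Added example (not from the original post): a bucket policy that keeps the ability
# to weaken Object Lock, or to purge versions, with a single audited role.
# Bucket name, account ID and role name are placeholders.

# Emits a bucket policy that denies lock-weakening and version-purging actions to
# every principal except the guardian role. An explicit Deny in a bucket policy wins
# over any Allow in the caller's IAM policy, so even an s3:* writer cannot:
#   - bypass GOVERNANCE retention (the bypass header is useless without this action),
#   - add or remove legal holds,
#   - change or remove the bucket's default retention,
#   - permanently delete an object version (plain deletes still work; they only add
#     recoverable delete markers).
# For a role, aws:PrincipalArn is the role ARN, so assumed-role sessions match it.
# The root user is denied too, but root can always remove the bucket policy itself,
# so this is a guardrail on top of Object Lock, not a replacement for compliance mode.
lock_guard_policy() {
    bucket="$1"; guardian_arn="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLockWeakeningExceptGuardian",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:BypassGovernanceRetention",
        "s3:PutObjectLegalHold",
        "s3:PutBucketObjectLockConfiguration",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": {
        "ArnNotEquals": { "aws:PrincipalArn": "${guardian_arn}" }
      }
    }
  ]
}
EOF
}

# Apply it only when both placeholders are supplied, e.g.
#   DEMO_BUCKET=records-archive \
#   GUARDIAN_ARN=arn:aws:iam::123456789012:role/RecordsGuardian sh lock-guard.sh
if [ -n "${DEMO_BUCKET:-}" ] && [ -n "${GUARDIAN_ARN:-}" ]; then
    lock_guard_policy "$DEMO_BUCKET" "$GUARDIAN_ARN" > lock-guard-policy.json
    aws s3api put-bucket-policy --bucket "$DEMO_BUCKET" --policy file://lock-guard-policy.json
    aws s3api get-bucket-policy --bucket "$DEMO_BUCKET" --query Policy --output text
fi
```

Pair the policy with CloudTrail data events on the bucket so that any use of the guardian role's bypass or legal-hold rights is logged; the Deny statement stops everyone else, and the trail tells you when the one permitted principal acted.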

Conclusion

Object Lock and Versioning in AWS S3 provide robust mechanisms for safeguarding data against deletion and overwriting. Versioning can be turned on for any existing bucket; Object Lock is best enabled when the bucket is created (it can now also be added to existing versioned buckets) and, once on, cannot be removed. Both features can be managed through the AWS Management Console and the AWS CLI, and together they let you choose between recoverability (versioning alone), administrator-overridable immutability (governance mode) and absolute immutability (compliance mode) to match your data-retention obligations.

For detailed guidance and updates, refer to the AWS S3 Documentation on Object Lock and Versioning.
