S3 Object Lock for compliance retention
Description
Enable S3 Object Lock for buckets requiring retention (CloudTrail, backups, audit logs).
⚠️ Risk Impact
Without Object Lock, ransomware can encrypt or delete backup buckets. Compliance retention requirements (PCI 10.5, HIPAA 164.316) require immutable storage.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Run `aws s3api put-object-lock-configuration` on each bucket with a default retention rule in governance or compliance mode (Object Lock requires bucket versioning). Configure the retention period per bucket purpose.
💀 Real-World Attack Scenario
A SaaS company hit by LockBit 3.0 had backups in S3. Attackers (with admin) deleted backup objects via S3 API. Object Lock would have prevented deletion regardless of admin permissions. Forced $3.4M ransom negotiation.
💰 Cost of Non-Compliance
Ransomware + destroyed backups: avg $5.13M (Coveware 2024).
📋 Audit Questions
1. Object Lock on critical buckets?
2. Retention mode (governance/compliance)?
3. Retention period?
4. Test restore evidence?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
```hcl
# Object Lock requires versioning, and the bucket itself must be created with
# object_lock_enabled = true; this resource then sets the default retention rule.
resource "aws_s3_bucket_object_lock_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id

  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 90
    }
  }
}
```
⚡ Common Pitfalls
- ⛔ Object Lock not enabled on backup buckets
- ⛔ Governance mode used where compliance mode is required
- ⛔ Retention period too short for compliance requirements
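As an added example (not EchelonGraph's scanner code), the following Python audit checks a bucket's Object Lock configuration against the three pitfalls above and the audit questions earlier on this page, using the response shape of `aws s3api get-object-lock-configuration`; the bucket names, responses and the 90-day minimum are constructed assumptions.

```python
# Added example: audit S3 Object Lock posture against a retention policy.
# Input dicts have the shape returned by `aws s3api get-object-lock-configuration`
# (boto3 get_object_lock_configuration); None stands for a bucket where the call
# raised ObjectLockConfigurationNotFoundError, i.e. Object Lock was never enabled.

def retention_days(default_retention: dict) -> int:
    """Normalise a DefaultRetention block (Days or Years) to days."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0

def audit_object_lock(bucket: str, config, min_days: int,
                      require_compliance: bool = True) -> list:
    """Return findings for one bucket; an empty list means it passes."""
    lock = (config or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return [f"{bucket}: Object Lock not enabled"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock is on but no default rule: new objects are only retained
        # if each PUT sets retention explicitly.
        return [f"{bucket}: no default retention rule"]
    findings = []
    mode = rule.get("Mode")
    if require_compliance and mode != "COMPLIANCE":
        findings.append(f"{bucket}: mode is {mode}, COMPLIANCE required")
    days = retention_days(rule)
    if days < min_days:
        findings.append(f"{bucket}: default retention {days}d < {min_days}d required")
    return findings

# Constructed sample responses (not real account data).
SAMPLE_BUCKETS = {
    "cloudtrail-logs": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}},
    "db-backups": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    "audit-archive": None,  # ObjectLockConfigurationNotFoundError
}

def audit_all(buckets=SAMPLE_BUCKETS, min_days=90) -> dict:
    """Map bucket name -> list of findings across all buckets."""
    return {b: audit_object_lock(b, cfg, min_days) for b, cfg in buckets.items()}

if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, "PASS" if not findings else "; ".join(findings))
```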
📈 Business Value
Object Lock converts ransomware from existential to operational.
⏱️ Effort Estimate
30 minutes per critical bucket
EchelonGraph monitors Object Lock posture
🔗 Cross-Framework References
Automate CIS AWS 2.1.5 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.