Article by Florin Gruber, June 2025

How S3 Object Lock Works

S3 Object Lock offers many advantages and is particularly suitable for regulatory requirements and protection against ransomware (and malware in general).

You can use the S3 Object Lock function to store and protect objects according to the WORM (Write-Once-Read-Many) principle. S3 Object Lock can prevent users from deleting or modifying files (for a predefined period).

Two modes are available for S3 Object Locks:

  • Governance Mode
  • Compliance Mode

In Governance Mode, regular users cannot modify or delete protected object versions; only users who have been granted special permissions can bypass the protection. A lock in Governance Mode can be upgraded to Compliance Mode.

If you want to delete objects whose Governance Mode retention has not yet expired, you need an IAM user with the s3:BypassGovernanceRetention permission. Additionally, the header x-amz-bypass-governance-retention:true must be included with each call that uses this permission; the permission alone is not enough.

In Compliance Mode, no user, including the root user, can modify or delete an object version. In this mode, there is no way to bypass the protection. Compliance Mode can be used to meet regulatory requirements (e.g., in finance and healthcare). Once set, the Object Lock duration in Compliance Mode cannot be shortened or removed (only extended). It is also not possible to downgrade a policy from Compliance Mode to Governance Mode.

Therefore, caution is advised when choosing the right Object Lock mode. Accidentally setting Object Lock for 99 years (the highest selectable duration) in Compliance Mode is not reversible. We're happy to advise you in detail about the advantages and disadvantages of both modes and plan the appropriate use case for you.

Retention Periods

Retention Periods can be defined at both bucket and object level.

To apply a Retention Period to an individual object, set the Retain Until Date header on that object when it is written.

When the Retention Period is defined on your bucket, the Retain Until Date doesn't need to be provided manually. Instead, the S3 server calculates this metadata automatically from the Object Lock duration set on the bucket. In both cases, each object ends up with its own retention duration, either provided explicitly or derived automatically from the bucket's default retention setting.

Retention Periods always refer to an object version. Different versions of an object can have different Retention Periods.

When a deletion attempt is made, it is only executed if the "Retain Until Date" is in the past. The exception is a Legal Hold: if one has been applied to the object version, the deletion fails even though the Retention Period has expired.

Legal Holds

A Legal Hold is a function independent of the Retention Period that protects S3 objects from deletion and modification. Legal Holds can be applied to any object in a bucket where Object Lock is enabled. A Legal Hold has no effect on the Retention Period of an object version, and it cannot be bypassed; it has no expiry date and stays in effect until an authorized user removes it. As long as a Legal Hold is active on an object version, that version cannot be deleted, regardless of its Retention Period.

Legal Holds can be applied and withdrawn from objects by all users with the s3:PutObjectLegalHold permission.
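The rules from the sections above (Governance vs. Compliance Mode, bucket-level vs. object-level retention, and Legal Holds) as a small decision model. This is an added example, not code from the article or from any S3 provider: it models which delete and retention-change requests S3 accepts, with the ObjectVersion and Caller types, the bypass flags, and the dates all constructed here. It goes one step beyond the text in treating the shortening of a Governance Mode retention as requiring the same bypass permission and header as a delete.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    mode: Optional[str] = None               # GOVERNANCE, COMPLIANCE or None (no retention)
    retain_until: Optional[datetime] = None  # this version's Retain Until Date
    legal_hold: bool = False


@dataclass
class Caller:
    bypass_permission: bool = False  # holds s3:BypassGovernanceRetention
    bypass_header: bool = False      # sent x-amz-bypass-governance-retention:true


def apply_bucket_default(obj: ObjectVersion, mode: str, days: int, uploaded: datetime) -> ObjectVersion:
    """Bucket-level default retention: the server derives Retain Until Date from the upload time."""
    obj.mode, obj.retain_until = mode, uploaded + timedelta(days=days)
    return obj


def can_delete_version(obj: ObjectVersion, caller: Caller, now: datetime) -> tuple:
    """Decide whether a permanent delete of this object version succeeds."""
    if obj.legal_hold:  # checked first: a Legal Hold blocks deletion even after retention expired
        return False, "legal hold active"
    if obj.retain_until is None or obj.retain_until <= now:
        return True, "no retention or retention period expired"
    if obj.mode == COMPLIANCE:
        return False, "compliance retention cannot be bypassed"
    if caller.bypass_permission and caller.bypass_header:  # governance: permission AND header
        return True, "governance retention bypassed"
    return False, "governance retention in effect"


def can_change_retention(obj: ObjectVersion, caller: Caller, new_mode: str, new_until: datetime) -> tuple:
    """Compliance: only extend, never downgrade. Governance: extend or upgrade freely, shorten only with bypass."""
    if obj.retain_until is not None and new_until < obj.retain_until:
        if obj.mode == COMPLIANCE or not (caller.bypass_permission and caller.bypass_header):
            return False, "retention period cannot be shortened"
    if obj.mode == COMPLIANCE and new_mode != COMPLIANCE:
        return False, "compliance mode cannot be downgraded"
    return True, "retention change accepted"
```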

Do you have questions about S3 and the various Object Lock configurations?
We are your Swiss S3 specialist and are happy to advise you. Contact us now.


Test our solutions!

  • Free and non-binding
  • Full functionality
  • 20-day trial
  • Ready for immediate use