Data protection from ransomware events with object-level immutability to protect objects from accidental or malicious deletions and overwrites
Amazon S3 is the trusted primary storage for millions of customers from all around the world. With 99.999999999% (11 9s) of data durability, customers can store and protect business-critical data for virtually any use case, including cloud-native applications, data lake analytics output, and media files. As with any data, it is best practice to have a backup and to put safeguards in place against malicious or accidental deletion.
S3 Object Lock blocks permanent object deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance. With S3 Object Lock, S3 Versioning is automatically enabled, and these features work together to prevent locked object versions from being permanently deleted (accidental or intentional) or overwritten using a write-once-read-many (WORM) model. S3 Object Lock is the industry standard for object storage immutability for ransomware protection and is used in cloud storage, backup and data protection solutions by AWS Storage partners such as Veeam, Veritas, Rubrik, Cohesity, Commvault Clumio, and Druva.
Data protection from ransomware events and accidental changes
Data immutability is a core aspect of data protection planning because it prevents unintended changes or deletions by authorized users, changes by unauthorized users. This helps prevent ransomware events from deleting or altering your data. S3 Object Lock prevents data from being altered or deleted by any person or process, whether unintended or because of malicious activity.
Meet compliance and regulatory requirements
You can use S3 Object Lock to help meet regulatory requirements that require WORM storage, or to add another layer of protection against object changes and deletion. Cohasset Associates have assessed S3 Object Lock for environments that are subject to SEC 17a-4, CFTC, and FINRA regulations. You can use compliance mode, which cannot be overridden, to help your data meet regulated compliance monitoring. For more information about how Object Lock relates to these regulations, see the Cohasset Associates Compliance Assessment.
Restore versions of objects
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures. S3 Versioning, which is automatically enabled with S3 Object Lock, provides data resiliency with the ability to fall back to a previous version. Learn more here.
How does S3 Object Lock work?
You can use S3 Object Lock on the bucket or object-level, and it can be enabled when creating a new bucket or on existing buckets. To use S3 Object Lock with a bucket (or objects within a bucket), you must first enable versioning for the bucket, as you won’t be able to turn versioning on later. Retention periods and legal holds apply to individual object versions. When you lock an object version, Amazon S3 stores the lock information in the metadata for that object version. Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn't prevent new versions of the object from being created.
S3 Object Lock protection is maintained regardless of which storage class the object resides in and throughout S3 Lifecycle transitions between storage classes. Used with S3 Versioning, which protects objects from being overwritten, you’re able to ensure that objects remain immutable for as long as S3 Object Lock protection is applied. You can migrate workloads from existing WORM storage systems into Amazon S3, and configure S3 Object Lock at the object- and bucket-levels to prevent object version deletions prior to pre-defined dates or legal hold dates.
You can also enable S3 Replication on a bucket that has S3 Object Lock enabled to replicate objects along with their retention settings. While replicating objects, if the source bucket has S3 Object Lock enabled, the destination bucket must also have S3 Object Lock enabled.
Managing object retention with S3 Object Lock
S3 Object Lock provides two ways to manage object retention: retention periods and legal holds. With S3 Object Lock enabled on a bucket, an object version can have both a retention period and a legal hold, one but not the other, or neither.
- Retention period — Specifies a fixed period of time during which an object remains locked. During this period, your object is WORM-protected and can't be overwritten or deleted. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version's metadata to show when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version. For more information, see Retention periods
- Legal hold — Provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods. For more information, see Legal holds.
Retention periods and retention modes are always configured in tandem, unlike legal holds, which are configured independently. S3 Object Lock provides two retention modes that apply different levels of protection to your objects. You can apply either retention mode to any object version that is protected by Object Lock.
- Governance mode — In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
- Compliance mode — In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, you cannot change the retention mode, and you cannot shorten the retention period. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period. S3 Object Lock has been assessed for SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31 by Cohasset Associates.
Using S3 Object Lock at scale with S3 Batch Operations
S3 Object Lock can be enabled easily on the bucket for all new objects with a default lock. For existing objects, you can use S3 Batch Operations with S3 Object Lock to place a lock or extend any existing retention, or enable or remove a legal hold for up to billions of objects at once. You specify the list of target objects in your manifest and submit it to Batch Operations for completion.
Like all other S3 Object Lock settings, retention periods apply to individual object versions. Different versions of a single object can have different retention modes and periods.
For example, suppose that you have an object that is 15 days into a 30-day retention period, and you upload a new object into Amazon S3 with the same name and a 60-day retention period. In this case, your upload succeeds, and Amazon S3 creates a new version of the object with a 60-day retention period. The older version maintains its original retention period and becomes deletable in 15 days.
You can extend a retention period after you've applied a retention setting to an object version. To do this, submit a new lock request using S3 Batch Operations for the object version with a Retain Until Date that is later than the one currently configured for the object version. Amazon S3 replaces the existing retention period with the new, longer period. Learn more.
Get started with S3 for data protection
For data stored in Amazon S3, best practices start with Amazon S3 Versioning, which allows you to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket. You can then add Amazon S3 Object Lock to prevent data from being deleted or overwritten for a fixed amount of time, or indefinitely. For creating additional copies of your data in another AWS Region for multi-Region protection, you can enable Amazon S3 Replication to a bucket with S3 Object Lock turned on. Then you can use S3 Replication with both S3 Versioning and S3 Object Lock to automatically copy objects across AWS Regions and separate AWS accounts. In order to use S3 Object Lock with existing objects or to extend the lock period on existing objects that are nearing the lock expiration, you can use S3 Batch Operations and S3 Inventory Reports. Finally, you can bring visibility of your current data protection levels and the usage of these features all together into a single dashboard with Amazon S3 Storage Lens.
To learn more about how you can protect your data on Amazon S3, visit the Getting Started tutorial on S3 data protection.