Severity : Critical
Description: This control ensures that S3 buckets associated with CloudTrail trails are configured to use the Object Lock feature, in order to prevent the objects they store from being deleted and to meet regulatory compliance requirements. Object Lock is an S3 feature that blocks object version deletion during a retention period by enforcing retention policies as an additional layer of data protection. In Governance mode, the lock protects S3 objects against deletion by most users while still allowing specific users to be granted permission to alter the retention settings or delete the object if it is really required. In Compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user. When an object is locked in Compliance mode, its retention mode can't be changed, and its retention period can't be reduced. Compliance mode ensures that an object version can't be overwritten or deleted for the duration of the configured retention period.
Remediation Steps:
Perform the following to create a new CloudTrail S3 bucket with Object Lock:
Login to the AWS Management Console at https://console.aws.amazon.com
Navigate to S3 service.
Choose Create bucket.
In Bucket name, enter a DNS-compliant name for your bucket.
In Region, choose the AWS Region where the bucket should reside.
Under Object Ownership, choose Bucket owner enforced or Bucket owner preferred, depending on whether ACLs should be disabled or enabled for the bucket.
In Bucket settings for Block Public Access, choose the Block Public Access settings.
To enable S3 Object Lock, choose Advanced settings, read the message that appears, enter enable in the text box and choose Confirm.
Choose Create bucket.
Configure Object Lock’s Legal hold, if required.
Configure Object Lock’s retention period.
Important:
Object Lock can be enabled only for new buckets. To turn on Object Lock for an existing bucket, contact AWS Support.
A bucket with Object Lock enabled automatically enables versioning for the bucket.
When a bucket is created with Object Lock enabled, Object Lock can’t be disabled and versioning can’t be suspended for the bucket.
Object locks apply to individual object versions only. If an object is placed in a bucket that has a default retention period, and no retention period is explicitly specified for that object, S3 creates the object with a retention period that matches the bucket default. After the object is created, its retention period is independent of the bucket's default retention period. Changing a bucket's default retention period doesn't change the existing retention period for any objects in that bucket.
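The check behind this control, as an added example (not code from the page or from AWS): it walks every CloudTrail trail, reads the Object Lock configuration of the trail's S3 bucket and grades it, distinguishing a missing configuration, a lock with no default retention (new log objects stay deletable unless a period is set per object), Governance mode and Compliance mode. The FakeCloudTrail and FakeS3 classes are constructed stand-ins with sample data that mimic the boto3 response shapes, so the script runs offline; the bucket names and trail names are invented.

```python
# Added example (not from the page or AWS): audit each CloudTrail trail's S3 bucket for
# Object Lock and grade the retention mode. Real boto3 clients can be passed in; the
# Fake* classes below are constructed sample data so the script runs offline.

def evaluate_object_lock(config):
    """config: 'ObjectLockConfiguration' from s3.get_object_lock_configuration,
    or None when S3 reported ObjectLockConfigurationNotFoundError."""
    if not config or config.get("ObjectLockEnabled") != "Enabled":
        return ("FAIL", "Object Lock is not enabled on the bucket")
    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ("WARN", "Object Lock enabled but no default retention: new log objects "
                        "stay deletable unless a retention period is set per object")
    days = retention.get("Days", retention.get("Years", 0) * 365)
    if retention.get("Mode") == "COMPLIANCE":
        return ("PASS", f"COMPLIANCE mode, default retention {days} days")
    return ("WARN", f"GOVERNANCE mode, default retention {days} days: principals with "
                    "s3:BypassGovernanceRetention can still remove log objects")

def audit_trail_buckets(cloudtrail, s3):
    """Return {trail name: (status, reason)} for every trail's log bucket."""
    results = {}
    for trail in cloudtrail.describe_trails()["trailList"]:
        try:
            config = s3.get_object_lock_configuration(
                Bucket=trail["S3BucketName"])["ObjectLockConfiguration"]
        except Exception as exc:  # botocore ClientError keeps the code in exc.response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code", str(exc))
            if code != "ObjectLockConfigurationNotFoundError":
                raise
            config = None  # bucket was never created with Object Lock
        results[trail["Name"]] = evaluate_object_lock(config)
    return results

class FakeCloudTrail:  # constructed stand-in for boto3.client("cloudtrail")
    def describe_trails(self):
        return {"trailList": [{"Name": "org-trail", "S3BucketName": "logs-locked"},
                              {"Name": "dev-trail", "S3BucketName": "logs-governance"},
                              {"Name": "old-trail", "S3BucketName": "logs-plain"}]}

class FakeS3:  # constructed stand-in for boto3.client("s3"); same response shape
    configs = {
        "logs-locked": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}},
        "logs-governance": {"ObjectLockEnabled": "Enabled",
                            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
    def get_object_lock_configuration(self, Bucket):
        if Bucket not in self.configs:
            raise RuntimeError("ObjectLockConfigurationNotFoundError")
        return {"ObjectLockConfiguration": self.configs[Bucket]}
```

Calling audit_trail_buckets(FakeCloudTrail(), FakeS3()) grades the three sample trails PASS, WARN and FAIL; against a real account, pass boto3.client("cloudtrail") and boto3.client("s3") instead, with read permission on both services.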
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-console.html