Denying removal of Amazon S3 Object Lock legal hold


The s3:PutObjectLegalHold permission in an IAM role allows a principal to both add and remove legal holds on objects. This makes sense when the same principal is both applying and removing legal holds, for example to preserve relevant information when litigation is pending.

S3 Object Lock can help prevent Amazon S3 objects from being deleted or overwritten for a fixed amount of time or indefinitely. A locked version of an object cannot be deleted by an S3 Lifecycle expiration policy. Object Lock is maintained regardless of which storage class the object resides in and throughout S3 Lifecycle transitions between storage classes. There are two ways to manage object retention: retention periods and legal holds. An object version can have a retention period, a legal hold, or both.

  • Retention period – A retention period specifies a fixed period of time during which an object version remains locked. You can set a unique retention period for individual objects. Additionally, you can set a default retention period on an S3 bucket, to apply to new object versions.
  • Legal hold – A legal hold has no expiration date. Instead, a legal hold remains in place on an object version until you explicitly remove it.

As legal hold has no expiration date, users may wish to use this mode to apply an indefinite lock on objects they wish to protect from accidental or malicious deletion. In this scenario, it may be desirable to restrict permissions to remove legal hold from objects. You can do this with a condition key in the Condition element of an IAM policy: a "StringEquals" condition on the key "s3:object-lock-legal-hold" with the value "OFF", applied to the action "s3:PutObjectLegalHold". Requests that set the status to "ON" do not match the condition, so applying a legal hold remains unaffected; only requests that turn it off are matched.

This could be applied in an S3 bucket policy, or more broadly and from outside of the account that owns the S3 bucket, by using a resource control policy (RCP). The following example resource control policy, attached to an account or organizational unit (OU), will prevent removal of S3 Object Lock legal hold on every object version in every S3 bucket in the accounts in scope, by any role other than the one specified:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLegalHoldRemoval",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObjectLegalHold",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringEquals": {
          "s3:object-lock-legal-hold": "OFF"
        },
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::accountID:role/LegalHoldOverride"
        }
      }
    }
  ]
}
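To check how that Deny statement behaves before attaching it, the following Python evaluates the two condition operators it uses against sample request contexts. This is an added example, not code from the article or from AWS; the 12-digit account ID and the role names are constructed placeholders, and note that a Deny never grants access, so the override role still needs an Allow for s3:PutObjectLegalHold elsewhere.

```python
import fnmatch

# The article's Deny statement with the accountID placeholder replaced by a
# constructed account number (111122223333) for this example.
RCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLegalHoldRemoval",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObjectLegalHold",
        "Resource": "arn:aws:s3:::*",
        "Condition": {
            "StringEquals": {"s3:object-lock-legal-hold": "OFF"},
            "StringNotLike": {
                "aws:PrincipalArn": "arn:aws:iam::111122223333:role/LegalHoldOverride"
            },
        },
    }],
}


def condition_matches(condition, ctx):
    """Evaluate StringEquals and StringNotLike (the operators this policy uses)
    against a request context dict of condition-key -> value."""
    for key, want in condition.get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    for key, pattern in condition.get("StringNotLike", {}).items():
        # StringNotLike is case-sensitive and supports * and ? wildcards;
        # it matches when the request value does NOT fit the pattern.
        if fnmatch.fnmatchcase(ctx.get(key, ""), pattern):
            return False
    return True


def denied_by_rcp(policy, action, ctx):
    """True when an explicit Deny statement in the policy applies to the request."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and action in actions:
            if condition_matches(stmt.get("Condition", {}), ctx):
                return True
    return False
```

For an assumed role, aws:PrincipalArn carries the IAM role ARN rather than the session ARN, which is why the pattern above names the role directly.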

To manage legal hold on objects at scale, you can use S3 Batch Operations.

If you are looking for a solution to maintain indefinite immutability with Object Lock compliance mode, please refer instead to the solution "Maintaining object immutability by automatically extending Amazon S3 Object Lock retention periods". For more information on S3 Object Lock, see the Amazon S3 User Guide, the video "How to use Amazon S3 Object Lock", and the hands-on "Amazon S3 data protection and global resilience" workshop.

Please feel free to leave comments.