Hi there,
I'm looking to compile a complete list of ways to protect data in S3 from accidental or malicious deletion.
Assuming that Object locking is not in play, and that we can't rely on cross-region replication for a redundant copy, are there any other ways to completely destroy data aside from the following:
- DeleteObject API Call from an authenticated IAM principal (be that a role or a user)
- PutObject API Call over an existing object without object versioning in play.
- A lifecycle policy that deletes objects.
- The Root user issues a DeleteObject Call
Note that in certain infrequent administrative circumstances, I will need to still be able to delete an object (So object locking with compliance mode is not usable here)
In short, It appears that data can be protected from Administrators (: permissions on *) by doing the following (please confirm?):
Either:
- Implement Object Locking in governance mode
- Explicitly Deny s3:BypassGovernanceRetention and s3:GetBucketObjectLockConfiguration
- Enable detective measures to undo these configurations.
- Prevent the root account from being used
OR:
- Explicitly deny s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration
- Enable Versioning (to prevent overwrite)
- Enable detective measures to undo these configurations.
- Prevent the root account from being used
OR:
- Store a redundant copy of the object in a backup bucket and protect accordingly.
- Restrict IAM access completely to backup copy
- Enable detective measures to undo these configurations.
- Prevent the root account from being used