
S3 content protection and deletion methods

0

Hi there,

I'm looking to compile a complete list of ways to protect data in S3 from accidental or malicious deletion. Assuming that Object locking is not in play, and that we can't rely on cross-region replication for a redundant copy, are there any other ways to completely destroy data aside from the following:

  1. DeleteObject API Call from an authenticated IAM principal (be that a role or a user)
  2. PutObject API Call over an existing object without object versioning in play.
  3. A lifecycle policy that deletes objects.
  4. The Root user issues a DeleteObject Call

Note that in certain infrequent administrative circumstances, I will need to still be able to delete an object (so object locking with compliance mode is not usable here).

In short, it appears that data can be protected from Administrators (: permissions on *) by doing the following (please confirm?):

Either:

  1. Implement Object Locking in governance mode
  2. Explicitly Deny s3:BypassGovernanceRetention and s3:GetBucketObjectLockConfiguration
  3. Enable detective measures to undo these configurations.
  4. Prevent the root account from being used

OR:

  1. Explicitly deny s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration
  2. Enable Versioning (to prevent overwrite)
  3. Enable detective measures to undo these configurations.
  4. Prevent the root account from being used

OR:

  1. Store a redundant copy of the object in a backup bucket and protect accordingly.
  2. Restrict IAM access completely to backup copy
  3. Enable detective measures to undo these configurations.
  4. Prevent the root account from being used
asked 5 years ago · 2.7K views
2 Answers
0
Accepted Answer

They all look good to me, one more way would be using MFA delete to protect your data.

You can lock root out of that as well but as root user, you have permissions to delete bucket policies. So, you delete existing one and put a new one back.

AWS
answered 5 years ago
EXPERT
reviewed 2 years ago
0

Another option would be to apply Object Lock in Legal Hold (indefinite) mode to the objects in scope (S3 Batch Operations can help with this), and restrict who can remove that property as per https://repost.aws/articles/ARHP6wZxPyQ-6xGawE5MFPuw/denying-removal-of-amazon-s3-object-lock-legal-hold.

If versioning is not enabled, you can also enforce use of conditional writes for if-none-match to prevent overwrites, per https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-writes-enforce.html.

If versioning is enabled, denying s3:DeleteObjectVersion via a Resource Control Policy (RCP) (as well as s3:PutLifecycleConfiguration and s3:PutBucketVersioning) will prevent deletion. Ensure you already have a Lifecycle rule to expire noncurrent versions after your desired recovery window, as well as the usual rules to delete expired delete markers and incomplete multipart uploads.

If you do want to use Object Lock, take a look at this solution for short-term, indefinite immutability: https://aws.amazon.com/blogs/storage/maintaining-object-immutability-by-automatically-extending-amazon-s3-object-lock-retention-periods/

AWS
EXPERT
answered a year ago
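As an added example (not part of either answer), a small offline check for the "versioning enabled" option above: it reads a bucket policy or RCP document and reports which of the three actions are not covered by an unconditional, all-principal Deny. The bucket name and both sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The answer above says these must be explicitly denied once versioning is on.
REQUIRED_DENIES = {"s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration", "s3:PutBucketVersioning"}
OBJECT_LEVEL = {"s3:DeleteObjectVersion"}  # evaluated against an object ARN, not the bucket ARN

def _as_list(v):
    return v if isinstance(v, list) else [v]

def missing_denies(policy, bucket, required=REQUIRED_DENIES):
    """Return the required actions that `policy` does NOT explicitly deny for every
    principal on `bucket`. An empty set means the protection is in place."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue  # a conditional Deny can be satisfied, so it does not count as protection
        principal = stmt.get("Principal", "*")  # SCP/RCP-style statements may omit Principal
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        if "*" not in _as_list(principal):
            continue  # denying only some principals leaves the others able to delete
        resources = _as_list(stmt.get("Resource", []))
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM actions are case-insensitive
        for action in required:
            target = f"{bucket_arn}/any-key" if action in OBJECT_LEVEL else bucket_arn
            if any(fnmatchcase(target, r) for r in resources) and \
               any(fnmatchcase(action.lower(), a) for a in actions):
                covered.add(action)
    return set(required) - covered

# Constructed sample policies for a hypothetical bucket (not from the page).
BUCKET = "example-protected-bucket"
PROTECT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDestructiveActions", "Effect": "Deny", "Principal": "*",
    "Action": sorted(REQUIRED_DENIES),
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OnlyObjectDeletes", "Effect": "Deny", "Principal": "*",
    "Action": "s3:DeleteObject*",              # wildcard does cover DeleteObjectVersion...
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}  # ...but lifecycle/versioning changes stay open

if __name__ == "__main__":
    for name, pol in (("protect", PROTECT_POLICY), ("weak", WEAK_POLICY)):
        print(name, "missing:", sorted(missing_denies(pol, BUCKET)))
```

In practice the policy document would come from `get-bucket-policy` or the organization's RCP, and the check would run on a schedule as one of the detective measures the question lists.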
