
S3 Object Lock: What Is It and How Can It Protect Against Ransomware

S3 Object Lock is a feature of the AWS S3 product that controls who can make significant changes to data. Learn how this protects data.


The rate of ransomware attacks is increasing rapidly (up over 400% in 2020), and the cost of these attacks is significant. Many businesses are rightly concerned about mitigating ransomware threats. 

One simple step that many businesses can take to protect themselves against ransomware is to implement S3 Object Lock on their AWS S3 object storage. 

Below, we’ll show you: 

  • What S3 Object Lock is 
  • How it works 
  • Why you should use it 
  • Five ways S3 Object Lock protects against ransomware attacks 

What Is S3 Object Lock? 

S3 Object Lock is a feature in Amazon S3 that allows users and businesses to store files in a highly secure, tamper-proof way. It’s used for situations in which businesses must be able to prove that data has not been modified or destroyed after it was written, and it relies on a model known as write once, read many (WORM). 

Many businesses rely on S3 Object Lock and WORM when they need to demonstrate compliance or if they want an unchangeable permanent copy of data for auditing or recordkeeping. 

How Does S3 Object Lock Work? 

So, how does S3 Object Lock work? First, be aware that it is part of the object storage approach to storing large volumes of often unstructured data, where content is organized into buckets of varying size rather than the fixed-size blocks of block storage or the directory trees of file hierarchy storage. Object Lock does not apply to those other storage methods.

The specific details of how S3 Object Lock operates are complex and multifaceted. We’ll break the process down in the sections below. 

S3 Object Lock Functionality 

Object storage is less well understood than file hierarchy storage systems (which we all use on our personal machines) and block storage (which has been an enterprise storage standard for a while). For this reason, it is worth reviewing S3 Object Lock functionality at a general level before drilling deeper.

S3 Object Lock functionality revolves around keeping objects free from tampering, either for a set period (retention) or indefinitely until you remove the lock (legal hold). In object storage, data is organized into buckets with shared metadata, so the simplest way to implement Object Lock is at the bucket level. In S3 environments with Object Lock, users can create buckets with Object Lock enabled for the entire bucket.

Users can then define retention settings for the bucket. For example, a financial services firm might set retention for seven years, based either on client agreements or audit requirements. Once the Object Lock is established, the data cannot be deleted, rewritten, or tampered with for seven years. After the retention expires, the data may be deleted or overwritten. 

In some situations, business users do not want an expiration date applied to certain objects. Setting an indefinite retention period, or legal hold, prevents the object from being deleted or overwritten indefinitely until the customer explicitly removes the hold. 

While applying retention settings to an entire bucket is the most straightforward application, it isn’t the ideal method in many scenarios. Amazon S3 Object Lock offers users the ability to define and apply retention settings at the object level as well as at the bucket level. That same financial services firm could set some records to be retained for five years, others for seven years, and others indefinitely—while keeping all such records within a single bucket. 

At present, object-level retention settings are exclusive to Amazon S3 environments. 

S3 Object Lock Protection Modes 

S3 Object Lock includes two levels of protection, either of which can be chosen as part of the retention period or legal hold process. Every object and bucket with Object Lock enabled includes the choice of either governance or compliance mode. 
Governance Mode

  • Enforces the general rules of a retention period or a legal hold
  • Specific users who have special permission can temporarily override retention settings or remove them
  • This mode is best for storage that does not require compliance

Compliance Mode

  • Stricter mode compared to governance
  • Data cannot be deleted or changed by anyone, including the user with root privileges
  • Retention settings cannot be overridden or relaxed by anyone, including the user with root privileges
  • Users must wait for retention parameters to expire
  • Best for environments where businesses store data that requires regular compliance monitoring

Retention settings for either mode can be set in the following ways: 

  • “Retain-until-date” – specifying the date when the object will no longer be protected 
  • An ON/OFF “legal hold” 
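The mode rules and the two retention settings above, worked through as an added example that is not part of the original article and not AWS code: a small Python model of whether a delete or overwrite of a locked object version is allowed, given the mode, the retain-until date, the legal hold flag and the caller's permissions. The bypass flag stands for the special permission governance mode grants to selected users; mapping it to the IAM permission s3:BypassGovernanceRetention is my addition, not the page's.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


@dataclass
class LockState:
    """Constructed model of one object version's lock settings (not AWS code)."""
    mode: Optional[str] = None               # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None  # the "retain-until-date"
    legal_hold: bool = False                 # ON/OFF legal hold, independent of retention


def can_delete_or_overwrite(lock, now, has_bypass_permission=False):
    """Return (allowed, reason) for deleting or overwriting a locked object version.

    has_bypass_permission stands for the special permission governance mode
    grants to selected users (assumed to map to IAM s3:BypassGovernanceRetention,
    which the caller must also assert explicitly on the request).
    """
    # A legal hold blocks changes regardless of mode or expiry until it is removed.
    if lock.legal_hold:
        return False, "legal hold is ON; remove it explicitly before changing the object"
    if lock.mode is None or lock.retain_until is None:
        return True, "no retention applied"
    if now >= lock.retain_until:
        return True, "retention period has expired"
    if lock.mode == COMPLIANCE:
        return False, "COMPLIANCE retention active; nobody, including root, can override it"
    if has_bypass_permission:
        return True, "GOVERNANCE retention temporarily overridden by a permitted user"
    return False, "GOVERNANCE retention active and caller lacks the bypass permission"


if __name__ == "__main__":
    # The financial-services scenario from the text: one bucket, mixed retention.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    records = {
        "five-year": LockState(COMPLIANCE, datetime(2030, 1, 1, tzinfo=timezone.utc)),
        "seven-year": LockState(GOVERNANCE, datetime(2032, 1, 1, tzinfo=timezone.utc)),
        "indefinite": LockState(legal_hold=True),
    }
    for name, state in records.items():
        for bypass in (False, True):
            allowed, why = can_delete_or_overwrite(state, now, bypass)
            print(f"{name:10} bypass={bypass!s:5} allowed={allowed!s:5} {why}")
```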

S3 Object Lock Versioning 

To use Object Lock with a bucket (or objects within a bucket), you must first enable versioning for the bucket. Object Lock only works on buckets with versioning toggled on. This means S3 Object Lock and versioning are an inseparable combination.

Note: Object Lock must be enabled when creating a bucket. Users cannot add Object Lock to buckets that have already been created. Additionally, enabling Object Lock will lock a bucket in versioning mode. You won’t be able to turn versioning off later.
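The steps above (bucket created with Object Lock enabled, the versioning requirement, a bucket-wide default retention, and per-object retain-until dates and legal holds), put together as an added example that is not part of the original article and not AWS's own code. The functions use boto3's S3 client method names and parameters; RecordingS3 is a constructed stand-in that records the calls so the block runs offline, and a real boto3.client("s3") can be passed in its place. Bucket and key names are made up.

```python
from datetime import datetime, timedelta, timezone

class RecordingS3:
    """Constructed stand-in for boto3.client("s3"): records calls so the example
    runs offline. Pass a real boto3 client instead to run it against AWS."""
    def __init__(self, versioning_status="Enabled"):
        self.calls = []
        self._versioning = versioning_status

    def __getattr__(self, name):
        if name.startswith("__"):
            raise AttributeError(name)
        def op(**kwargs):
            self.calls.append((name, kwargs))
            return {"Status": self._versioning} if name == "get_bucket_versioning" else {}
        return op

def create_locked_bucket(s3, bucket, default_years, mode="COMPLIANCE"):
    """Create the bucket with Object Lock on from the start (versioning comes with
    it) and set a bucket-wide default retention, e.g. seven years.
    Outside us-east-1, create_bucket also needs CreateBucketConfiguration."""
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration={
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Years": default_years}},
        },
    )

def assert_versioning_enabled(s3, bucket):
    """Object Lock only works on versioned buckets; fail fast otherwise."""
    status = s3.get_bucket_versioning(Bucket=bucket).get("Status")
    if status != "Enabled":
        raise RuntimeError(f"{bucket}: versioning is {status!r}; Object Lock unavailable")
    return True

def lock_object(s3, bucket, key, years=None, legal_hold=False, mode="COMPLIANCE"):
    """Per-object settings overriding the bucket default: a retain-until date
    and/or an ON legal hold. Returns the retain-until date applied, if any."""
    assert_versioning_enabled(s3, bucket)
    until = None
    if years is not None:
        until = datetime.now(timezone.utc) + timedelta(days=365 * years)
        s3.put_object_retention(Bucket=bucket, Key=key,
                                Retention={"Mode": mode, "RetainUntilDate": until})
    if legal_hold:
        s3.put_object_legal_hold(Bucket=bucket, Key=key, LegalHold={"Status": "ON"})
    return until
```

A typical sequence is create_locked_bucket(s3, "example-records", 7) followed by lock_object calls for the five-year and indefinitely held records within that same bucket.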

Why Should You Use S3 Object Lock? 

Using S3 Object Lock is unquestionably a good idea for most businesses. Consider these reasons why: 

  • Protect files against accidental deletion: Objects and files under object lock literally cannot be deleted—not intentionally, not accidentally. 
  • Prevent tampering with sensitive files: Some files, even when compliance isn’t a factor, need to remain secure and tamper-proof. For example, files that could be evidence or could be used in an audit will benefit from object locks so there’s no question of their integrity. 
  • Show compliance: In industries with compliance considerations (medical, financial, etc.), compliance-level object locks serve as proof of compliance. 
  • Protect against ransomware: If a threat actor cannot physically destroy your files, their ransomware threats are virtually meaningless. 

Expert Recommended: Most data security professionals recommend S3 Object Lock as a protective measure for crucial data. 

How Does Object Lock Work Against Ransomware? 

Object Lock is an excellent defense against ransomware attacks. Consider these six ways Object Lock protects your business from this threat. 


Compatible with Additional Storage Services for Added Protection 

S3 Object Lock is an AWS-specific implementation, but it’s compatible with additional storage services—including Seagate Lyve Cloud object storage as a service. By diversifying your data across multiple platforms, you’ll experience added protection in both disaster recovery and ransomware scenarios.  

Data Protected by Object Lock is Unchangeable 

Because data under Object Lock cannot be changed, threat actors can’t threaten to modify or destroy the data. Even if they gain access, the damage they can do is limited to accessing and possibly disseminating information. 

WORM Creates Added Protection 

The WORM model is the underlying reason that data protected by Object Lock can’t be edited, rewritten, deleted, or otherwise damaged. WORM is a functionality of LTO tapes, and it's similar to the old air-gap concept, where physical backup tapes were removed from the premises so they couldn’t be accessed or corrupted. 

WORM essentially takes that concept and makes it digital. No matter how serious an attack is, companies can retrieve data stored in the WORM model and start again. 

Unauthorized Users Can’t Tamper with Data 

Internal threats, whether intentional or accidental, are another source of concern for many businesses. Whether the unauthorized user is a part of your organization or an external threat, tampering with data simply isn’t possible without special permissions (in governance mode) or at all (in compliance mode). 

Replaces Tapes and Retrieves Data 

S3 Object Lock renders LTO tape and air-gapped backups irrelevant by distributing immutable data across the cloud. Data storage and retrieval both happen via the cloud, eliminating the need for costly tape solutions. 

Provides Added Cushion to Your Enterprise Disaster Recovery Plan 

S3 Object Lock doesn’t replace your enterprise disaster recovery plan, but it adds cushion to it. By giving you another layer of unchangeable object storage, you’ll have another location to pull from if you need to execute your disaster recovery plan. 
