S3 Object Lock: What Is It and How Can It Protect Against Ransomware
S3 Object Lock is a feature of the AWS S3 product that controls who can make significant changes to data. Learn how this protects data.
The rate of ransomware attacks is increasing rapidly (up over 400% in 2020), and the cost of these attacks is significant. Many businesses are rightly concerned about mitigating ransomware threats.
One simple step that many businesses can take to protect themselves against ransomware is to implement S3 Object Lock on their AWS S3 object storage.
Below, we’ll show you:
S3 Object Lock is a feature in Amazon S3 that allows users and businesses to store files in a highly secure, tamper-proof way. It’s used for situations in which businesses must be able to prove that data has not been modified or destroyed after it was written, and it relies on a model known as write once, read many (WORM).
Many businesses rely on S3 Object Lock and WORM when they need to demonstrate compliance or if they want an unchangeable permanent copy of data for auditing or recordkeeping.
So, how does S3 Object Lock work? First, be aware that it’s part of the object storage approach to storing large volumes of often unstructured data, where content is organized into buckets of varying size but not limited to fixed-sized block storage or file hierarchy storage systems. It’s not applicable to those other methods.
The specific details of how S3 Object Lock operates are complex and multifaceted. We’ll break the process down in the sections below.
Object storage is less well understood than file hierarchy storage systems (which we all use on our personal machines) and block storage (which has been an enterprise storage standard for a while). For this reason, it’s worth reviewing S3 object lock functionality at a general level before drilling deeper.
S3 object lock functionality revolves around keeping objects free from tampering, either for a set period (retention) or indefinitely until you remove the lock (legal hold). In object storage, data is organized into buckets with shared metadata, so the simplest way to implement Object Lock is at the bucket level. In S3 environments with Object Lock, users can create buckets with Object Lock enabled for the entire bucket.
Users can then define retention settings for the bucket. For example, a financial services firm might set retention for seven years, based either on client agreements or audit requirements. Once the Object Lock is established, the data cannot be deleted, rewritten, or tampered with for seven years. After the retention expires, the data may be deleted or overwritten.
In some situations, business users do not want an expiration date applied to certain objects. Setting an indefinite retention period, or legal hold, prevents the object from being deleted or overwritten indefinitely until the customer explicitly removes the hold.
While applying retention settings to an entire bucket is the most straightforward application, it isn’t the ideal method in many scenarios. Amazon S3 Object Lock offers users the ability to define and apply retention settings at the object level as well as at the bucket level. That same financial services firm could set some records to be retained for five years, others for seven years, and others indefinitely—while keeping all such records within a single bucket.
At present, object-level retention settings are exclusive to Amazon S3 environments.
S3 Object Lock includes two levels of protection, either of which can be chosen as part of the retention period or legal hold process. Every object and bucket with Object Lock enabled includes the choice of either governance or compliance mode.
Retention settings for either mode can be set in the following ways:
To use Object Lock with a bucket (or objects within a bucket), you must first enable versioning for the bucket. Object Lock only works on buckets with versioning toggled on. This means S3 Object Lock versioning is an inseparable combination.
Note: Object Lock must be enabled when creating a bucket. Users cannot add Object Lock to buckets that have already been created. Additionally, enabling Object Lock will lock a bucket in versioning mode. You won’t be able to turn versioning off later.
Using S3 Object Lock is unquestionably a good idea for most businesses. Consider these reasons why:
Expert Recommended: Most data security professionals recommend S3 Object Lock as a protective measure for crucial data.
Object Lock is an excellent defense against ransomware attacks. Consider these six ways Object Lock protects your business from this threat.
Already battling the aftermath of a ransomware attack? Learn more about cloud recovery.
S3 Object Lock is an AWS-specific implementation, but it’s compatible with additional storage services—including Seagate Lyve Cloud object storage as a service. By diversifying your data across multiple platforms, you’ll experience added protection in both disaster recovery and ransomware scenarios.
Because data under Object Lock cannot be changed, threat actors can’t threaten to modify or destroy the data. Even if they gain access, the damage they can do is limited to accessing and possibly disseminating information.
The WORM model is the underlying reason that data protected by Object Lock can’t be edited, rewritten, deleted, or otherwise damaged. WORM is a functionality of LTO tapes, and it's similar to the old air-gap concept, where physical backup tapes were removed from the premises so they couldn’t be accessed or corrupted.
WORM essentially takes that concept and makes it digital. No matter how serious an attack is, companies can retrieve data stored in the WORM model and start again.
Internal threats, whether intentional or accidental, are another source of concern for many businesses. Whether the unauthorized user is a part of your organization or an external threat, tampering with data simply isn’t possible without special permissions (in governance mode) or at all (in compliance mode).
S3 Object Lock renders LTO tape and air-gapped backups irrelevant by distributing immutable data across the cloud. Data storage and retrieval both happen via the cloud, eliminating the need for costly tape solutions.
S3 Object Lock doesn’t replace your enterprise disaster recovery plan, but it adds cushion to it. By giving you another layer of unchangeable object storage, you’ll have another location to pull from if you need to execute your disaster recovery plan.
Want to learn more about enterprise cloud storage? Check out our guide to backup challenges.