What Is Amazon S3 Object Lock? Part 1

A summary of how Amazon S3 Object Lock and immutable backups work, and how N2WS support for Amazon S3 Object Lock can strengthen the security of your backups

Data is the backbone of all businesses, and ensuring fast data recovery is essential for business continuity. Protecting your copy of backed-up data through tamper-proof mechanisms is important to achieve this. In this blog, we’ll explore the features of Amazon S3 Object Lock and how N2WS helps you safeguard your data backup using this capability.

What Is Object Lock?

Amazon S3 Object Lock implements the write-once-read-many (WORM) model to protect the objects stored in a bucket. When the feature is enabled, an object cannot be overwritten or deleted once it is stored in S3, either for a defined period of time or indefinitely. In highly regulated environments, this provides an additional layer of security against unauthorized or accidental data deletion.

Object Lock helps achieve compliance when you need to capture a baseline copy of the data that cannot be overwritten or deleted once it is written. The data stored becomes immutable and tamper-proof. Organizations in sectors like healthcare and finance would require such safety guardrails to be in place to protect data, especially critical data backup copies that are an essential part of their business continuity plans. 

You can protect individual objects or all objects stored in a given S3 bucket using the Amazon S3 Object Lock functionality. The duration for which the lock is applied is also flexible. This helps in environments where different sets of objects in S3 buckets have different requirements of immutability and retention periods. 

Immutable Backups and Why They’re Important

Backups help restore a business to a working state in the event of data loss, corruption, or malware attacks. If the data backup is tampered with, rendering it unusable, then the organization will not be able to meet its defined recovery time objective (RTO). This could result in a breach of your organization’s SLA, which would have financial penalties as well as legal repercussions.

Immutable backups using WORM storage address this concern, as they ensure that the backup copy once created in storage is not altered in any manner nor deleted. Even in the event of a malware infection that affects live data, the immutable backup copies in WORM storage stay protected. The data cannot be modified or destroyed even if attackers gain unauthorized access to the backup storage. Thus, the recovery process is not impacted, and you can restore your business-critical applications to a working state quickly.


How Object Lock Works and the Different Modes

Amazon S3 Object Lock provides two configuration options for managing object retention. The first one is based on the retention period, and the other is called a legal hold.

Retention Period 

Amazon S3 allows a fixed retention period to be configured, during which the data stored in it remains locked. The data is written as WORM-protected and cannot be changed or deleted during the mentioned retention period. The minimum retention period that can be configured is one day. There is no upper limit on the maximum retention period, so you can configure it per your requirement.

While configuring the retention period, there are two modes to choose from: governance mode or compliance mode.

Amazon S3 Object Lock Governance Mode

In governance mode, you can assign special permissions to some users to modify the retention period settings or delete the data. Ideally, these rights should be assigned only to admin users, while other users will not be allowed to make any changes to the data. 

Amazon S3 Object Lock Compliance Mode

Compliance mode is for when you don’t want any users, including the root user of the AWS account, to delete the data during the retention period. 

Governance mode will suit most customers, while compliance mode will be helpful for customers who must store data under strict regulatory requirements. N2WS uses the governance mode of Amazon S3 Object Lock to protect your data backup copy in the cloud.

Legal Hold

You can also place a legal hold on an object with Amazon S3 Object Lock. A legal hold has no expiration date and is always enforced until it is explicitly removed by a user with the required permission. When administrators are unsure of how long the data must stay immutable, they can use a legal hold.
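The three controls described above (governance retention, compliance retention and legal hold) interact, and the difference between them is easiest to see when the decision rules are written down. The following is an added example, not N2WS code and not an AWS API: it is a pure-Python model of the rules as S3 applies them to a single object version, so it runs without any AWS account. The `bypass_governance` flag models a caller that holds the real `s3:BypassGovernanceRetention` permission and explicitly requests the bypass; the `ObjectVersion` class and the sample timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example: a model of Object Lock decision rules, not a call to AWS.
# Field names follow the S3 API vocabulary (retention mode, retain-until
# date, legal hold) so the model maps directly onto what the console shows.


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    retention_mode: Optional[str] = None      # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None   # end of the retention period
    legal_hold: bool = False                  # legal hold ON/OFF


def retention_active(v: ObjectVersion, now: datetime) -> bool:
    """True while a retention period is still in force for this version."""
    return v.retain_until is not None and now < v.retain_until


def can_delete_version(v: ObjectVersion, now: datetime,
                       bypass_governance: bool = False) -> Tuple[bool, str]:
    """Decide whether a permanent delete (or overwrite) of this version succeeds.

    bypass_governance models a caller that both holds s3:BypassGovernanceRetention
    and explicitly asks to bypass. Without that, governance retention is enforced
    exactly like compliance retention; compliance retention cannot be bypassed by
    anyone, the account root user included.
    """
    if v.legal_hold:
        return False, "legal hold is ON; it must be removed first"
    if not retention_active(v, now):
        return True, "no active retention"
    until = v.retain_until.isoformat()
    if v.retention_mode == "COMPLIANCE":
        return False, f"compliance retention until {until}; no user can override"
    if v.retention_mode == "GOVERNANCE":
        if bypass_governance:
            return True, f"governance retention until {until} bypassed by privileged caller"
        return False, f"governance retention until {until}; bypass not granted/requested"
    raise ValueError(f"unknown retention mode {v.retention_mode!r}")


def can_shorten_retention(v: ObjectVersion, new_until: datetime, now: datetime,
                          bypass_governance: bool = False) -> Tuple[bool, str]:
    """Retention periods may always be extended; shortening follows the delete rules."""
    if v.retain_until is None or new_until >= v.retain_until:
        return True, "extending (or setting) retention is always permitted"
    return can_delete_version(v, now, bypass_governance)


def delete_without_version_id(v: ObjectVersion) -> str:
    """In a versioned bucket a DELETE without a version id never touches the locked
    version: S3 only inserts a delete marker, and the data stays recoverable."""
    return f"delete marker added for {v.key}; version {v.version_id} retained"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    gov = ObjectVersion("backup/db.tar", "v1", "GOVERNANCE", now + timedelta(days=30))
    comp = ObjectVersion("backup/db.tar", "v2", "COMPLIANCE", now + timedelta(days=30))
    held = ObjectVersion("backup/db.tar", "v3", legal_hold=True)
    for name, version in (("governance", gov), ("compliance", comp), ("legal hold", held)):
        print(name, can_delete_version(version, now))
        print(name, "with bypass", can_delete_version(version, now, bypass_governance=True))
    print(delete_without_version_id(gov))
```

The model makes the operational difference explicit: under governance mode a compromised identity with the bypass permission can remove a backup inside its retention period, so that permission is the one to restrict and alert on; under compliance mode no identity can, which is why the mode cannot be undone once set.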

How to Set Up Your S3 Buckets with Object Lock

Let’s take a look at the steps to configure Object Lock for S3 storage. 

  1. From the Amazon S3 management page, click on “Create bucket.”
  2. On the next page, provide the name for the bucket and enable Bucket Versioning.
     Note: It is mandatory to enable bucket versioning before configuring Object Lock.
  3. Under advanced settings, select “Enable” for Object Lock. You should also click the acknowledgment on the page to accept it, then click on “Create bucket.”
  4. Next, you need to configure the retention mode and retention period. Click on your newly created bucket -> Properties -> Object Lock -> Edit.
  5. To configure your retention period, select “Enable” under “Default retention.” You can also select the default retention mode, i.e., either “Governance” or “Compliance,” as well as the retention period. Once done, click on “Save changes” to update the configuration.
     Note: Select the governance mode for N2WS Backup Repositories.
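The same five steps expressed as S3 API calls, as an added example that is not N2WS code: it uses the real boto3 methods `create_bucket`, `put_bucket_versioning`, `put_object_lock_configuration` and `get_object_lock_configuration`. The S3 client is passed in rather than created inside the function, so the logic can be exercised against the recording fake at the bottom without credentials; the bucket name, region and the `RecordingClient` class are assumptions made for the example.

```python
from typing import Any, Dict, List, Optional, Tuple

# Added example: the console steps as boto3 calls, with an injectable client.


def object_lock_configuration(mode: str, days: Optional[int] = None,
                              years: Optional[int] = None) -> Dict[str, Any]:
    """Bucket-level default retention in the shape put_object_lock_configuration expects.

    Exactly one of days/years is allowed, and the minimum is one day (the text's
    stated minimum); both errors are caught here instead of at the API boundary.
    """
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    period = {"Days": days} if days is not None else {"Years": years}
    if (days if days is not None else years) < 1:
        raise ValueError("retention must be at least 1 day (or 1 year)")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, **period}}}


def create_locked_bucket(s3, bucket: str, region: str,
                         mode: str = "GOVERNANCE", days: int = 30) -> Dict[str, Any]:
    """Steps 1-5: create the bucket with Object Lock enabled, make sure versioning
    is on, then set the default retention mode and period."""
    kwargs: Dict[str, Any] = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":           # us-east-1 rejects a LocationConstraint
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**kwargs)
    # Object Lock requires versioning; creating the bucket with Object Lock
    # enabled already turns it on, the explicit call mirrors step 2 above.
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    config = object_lock_configuration(mode, days=days)
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=config)
    return config


def verify_lock(s3, bucket: str) -> bool:
    """Post-deployment check: Object Lock enabled and a default retention rule present."""
    resp = s3.get_object_lock_configuration(Bucket=bucket)
    cfg = resp.get("ObjectLockConfiguration", {})
    return cfg.get("ObjectLockEnabled") == "Enabled" and "Rule" in cfg


class RecordingClient:
    """Stand-in for a boto3 S3 client (constructed for this example): records every
    call and returns canned responses, so the flow can be checked offline."""

    def __init__(self, responses: Optional[Dict[str, Any]] = None):
        self.calls: List[Tuple[str, Dict[str, Any]]] = []
        self.responses = responses or {}

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return method


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    client = boto3.client("s3", region_name="us-east-1")
    create_locked_bucket(client, "example-backup-repo-placeholder", "us-east-1")
    print("object lock verified:", verify_lock(client, "example-backup-repo-placeholder"))
```

Because `verify_lock` reads the effective configuration back, it doubles as a drift check that can be scheduled against every backup repository bucket; a bucket whose lock configuration has disappeared is a finding worth alerting on.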

The Object Lock feature is now configured for storage. Except for designated admin users with specific IAM permissions, the objects in this storage cannot be overwritten or deleted by users during the retention period. 

N2WS Support for Object Lock

N2WS Backup & Recovery helps protect your business-critical data using Amazon S3 Object Lock. Support for Object Lock is available starting from N2WS version 4.1. The backup copy remains safe even in the event of a malware infection, and using the one-click recovery capability of N2WS, you can restore your critical business applications to a working state. Combining this with N2WS’ native capability to protect important workloads like SAP HANA, you can create backups protected by Amazon S3 Object Lock that help your business bounce back from ransomware attacks within defined SLAs. 

The Amazon S3 Object Lock integration used by N2WS also helps protect you from accidental deletion of your data backup copies. Objects in Amazon S3 buckets cannot be deleted until the end of the defined governance-mode retention period.

Threat actors in the cloud target data, especially data backups, rendering them unusable through malware infections. Businesses then end up paying the ransom to recover the data since they have no other option to bring their services back online. Statistics indicate that every 40 seconds, a company gets hit by a ransomware attack. Combining its native backup capability with Amazon S3 Object Lock, N2WS offers a comprehensive solution that safeguards your workloads from such threats.

Activate your free trial of N2WS Backup & Recovery to learn more about the solution.
