More Info:

The Amazon S3 buckets associated with your CloudTrail trails should have the Object Lock feature enabled so that the objects they store (i.e. the trail log files) cannot be deleted, and so that regulatory retention requirements are met.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using the console, follow these steps:
  1. Login to the AWS console.
  2. Go to the S3 service.
  3. Select the bucket for which you want to enable Object Lock feature.
  4. Click on the “Properties” tab.
  5. Scroll down to the “Object Lock” section.
  6. Click on the “Edit” button.
  7. Select the “Enable object lock” radio button.
  8. Choose the “Retention period” as per your requirement. You can choose either “Governance” or “Compliance” mode.
  9. Click on the “Save” button.
Once you have completed the above steps, the Object Lock feature will be enabled for the selected S3 bucket.

To remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using the AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Run the following command to enable Object Lock on a specific S3 bucket (the Object Lock operations live under the s3api command group, not s3):
    aws s3api put-object-lock-configuration --bucket <bucket-name> --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":<number-of-days>}}}'
    
    Make sure to replace <bucket-name> with the name of the S3 bucket and <number-of-days> with the number of days for which the objects should be locked.
  3. Verify that the Object Lock feature has been enabled by running the following command:
    aws s3api get-object-lock-configuration --bucket <bucket-name>
    
    This should return the Object Lock configuration for the specified bucket, with ObjectLockEnabled set to Enabled.
Repeat these steps for any other S3 buckets that need to have Object Lock enabled.
To remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using Python, follow these steps:
  1. Import the necessary AWS SDK library in your Python code. You can use the boto3 library for this.
import boto3
  2. Create an S3 client object using the boto3.client() method.
s3 = boto3.client('s3')
  3. Use the put_object_lock_configuration() method of the S3 client object to enable the Object Lock feature for your S3 bucket. This method takes the following parameters:
  • Bucket: The name of the S3 bucket for which you want to enable the Object Lock feature.
  • ObjectLockConfiguration: A dictionary that contains the configuration settings for the Object Lock feature. In this case, we need to set the ObjectLockEnabled key to Enabled.
# Enable Object Lock on the bucket; no default retention rule is set here,
# so objects are only locked when a retention period or legal hold is applied to them.
response = s3.put_object_lock_configuration(
    Bucket='your-bucket-name',
    ObjectLockConfiguration={
        'ObjectLockEnabled': 'Enabled'
    }
)
  4. Check the response of the put_object_lock_configuration() method to ensure that the Object Lock feature has been enabled successfully.
# boto3 raises a ClientError on failure; a 200 status confirms the request was accepted.
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
    print('Object lock feature has been enabled for your S3 bucket.')
else:
    print('Error enabling object lock feature for your S3 bucket.')
By following these steps, you should be able to remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using Python.
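The CLI and Python steps above are combined into one idempotent function in the following added example, which is not the vendor's own code: it turns on bucket versioning first (Object Lock requires it), applies a COMPLIANCE default retention, and confirms the result by reading the configuration back rather than trusting the HTTP status. FakeS3 is a constructed in-memory stand-in so the logic runs offline; in real use pass boto3.client("s3") in its place.

```python
def _client_error(code):
    exc = Exception(code)
    exc.response = {"Error": {"Code": code}}  # same shape as botocore's ClientError
    return exc


class FakeS3:
    """Constructed in-memory stand-in for the four boto3 S3 calls the remediation needs."""
    def __init__(self):
        self.versioning, self.lock = {}, {}
    def get_bucket_versioning(self, Bucket):
        return {"Status": self.versioning[Bucket]} if Bucket in self.versioning else {}
    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.versioning[Bucket] = VersioningConfiguration["Status"]
    def get_object_lock_configuration(self, Bucket):
        if Bucket not in self.lock:
            raise _client_error("ObjectLockConfigurationNotFoundError")
        return {"ObjectLockConfiguration": self.lock[Bucket]}
    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        if self.versioning.get(Bucket) != "Enabled":  # S3 refuses Object Lock without versioning
            raise _client_error("InvalidBucketState")
        self.lock[Bucket] = ObjectLockConfiguration


def object_lock_status(s3, bucket):
    """Return (enabled, default_retention); a never-configured bucket is not an error."""
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as exc:
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == "ObjectLockConfigurationNotFoundError":
            return False, None
        raise
    return cfg.get("ObjectLockEnabled") == "Enabled", cfg.get("Rule", {}).get("DefaultRetention")


def enforce_object_lock(s3, bucket, days=365, mode="COMPLIANCE"):
    """Bring one trail bucket into compliance and return the verified default retention."""
    if s3.get_bucket_versioning(Bucket=bucket).get("Status") != "Enabled":  # prerequisite
        s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    desired = {"Mode": mode, "Days": days}
    enabled, retention = object_lock_status(s3, bucket)
    if not enabled or retention != desired:
        s3.put_object_lock_configuration(
            Bucket=bucket,
            ObjectLockConfiguration={"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": desired}})
    enabled, retention = object_lock_status(s3, bucket)  # verify by reading back, not via HTTP 200
    if not enabled or retention != desired:
        raise RuntimeError(f"Object Lock not in effect on {bucket}: {retention}")
    return retention
```

Running enforce_object_lock(FakeS3(), "trail-logs", days=90) enables versioning, applies the rule and returns {"Mode": "COMPLIANCE", "Days": 90}; a second run makes no further put calls.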
