Ensure that S3 buckets associated with CloudTrail trails have Object Lock feature enabled


To enhance the protection of your Amazon CloudTrail trail log files and meet regulatory requirements for data protection, it is recommended to configure the associated S3 buckets with the Object Lock feature. Object Lock is a feature provided by Amazon S3 that prevents the deletion of object versions for a specified retention period, adding an additional layer of data protection. The feature includes two modes, Governance and Compliance, that offer different levels of protection: Governance mode allows you to protect S3 objects from being deleted by most users, while still allowing some users to modify retention settings or delete the object if needed. Compliance mode ensures that object versions cannot be deleted or overwritten by any user, including the AWS root user. Once an object is locked in compliance mode, the retention period cannot be reduced or the retention mode changed, ensuring that the object version remains unaltered for the specified retention period. Enabling the Object Lock feature for your CloudTrail trail S3 buckets will prevent the accidental or intentional deletion of log files stored within them and help maintain the integrity of the log data. Additionally, this feature can help you comply with regulatory requirements for data protection within your organization.


To ensure that S3 buckets associated with CloudTrail trails have Object Lock feature enabled, follow these remediation steps:

  1. Open the Amazon S3 console.
  2. Navigate to the target bucket associated with your CloudTrail trail.
  3. Click on the "Properties" tab and then click on "Object Lock".
  4. Enable Object Lock by selecting either "Governance" or "Compliance" mode.
  5. Set a retention period that meets your organization's data protection and compliance requirements.
  6. Click on "Save" to save the Object Lock settings.

You should repeat these steps for each S3 bucket associated with your CloudTrail trails to ensure that Object Lock is enabled for all of them. By doing so, you can prevent the deletion of log files stored within the target buckets, ensuring the integrity of your CloudTrail logs and compliance with regulatory requirements.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.