Object Lock Feature Should Be Enabled
More Info:
The Amazon S3 buckets associated with your CloudTrail trails should have Object Lock feature enabled in order to prevent the objects they store (i.e. trail log files) from being deleted and meet regulatory compliance.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS, follow the steps below:
- Login to the AWS console.
- Go to the S3 service.
- Select the bucket for which you want to enable Object Lock feature.
- Click on the “Properties” tab.
- Scroll down to the “Object Lock” section.
- Click on the “Edit” button.
- Select the “Enable object lock” radio button.
- Choose the “Retention period” as per your requirement. You can choose either “Governance” or “Compliance” mode.
- Click on the “Save” button.
Once you have completed the above steps, the Object Lock feature will be enabled for the selected S3 bucket.
To remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to enable object lock on a specific S3 bucket (the operation lives under the s3api namespace):
aws s3api put-object-lock-configuration --bucket <bucket-name> --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":<number-of-days>}}}'
Make sure to replace <bucket-name> with the name of the S3 bucket and <number-of-days> with the number of days for which the objects should be locked.
- Verify that the object lock feature has been enabled by running the following command:
aws s3api get-object-lock-configuration --bucket <bucket-name>
This should return the object lock configuration for the specified bucket.
Repeat these steps for any other S3 buckets that need to have object lock enabled.
To remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using Python, you can use the following steps:
- Import the necessary AWS SDK libraries in your Python code. You can use the boto3 library for this.
import boto3
- Create an AWS S3 client object using the boto3.client() method.
s3 = boto3.client('s3')
- Use the put_object_lock_configuration() method of the S3 client object to enable the object lock feature for your S3 bucket. This method takes the following parameters:
Bucket: The name of the S3 bucket for which you want to enable the object lock feature.
ObjectLockConfiguration: A dictionary that contains the configuration settings for the object lock feature. In this case, we need to set the ObjectLockEnabled key to Enabled.
# Enable Object Lock on the bucket (the bucket must already have versioning enabled)
response = s3.put_object_lock_configuration(
    Bucket='your-bucket-name',
    ObjectLockConfiguration={
        'ObjectLockEnabled': 'Enabled'
    }
)
- Check the response of the put_object_lock_configuration() method to ensure that the object lock feature has been enabled successfully.
# boto3 raises botocore.exceptions.ClientError on API failures; this check covers the success path
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
    print('Object lock feature has been enabled for your S3 bucket.')
else:
    print('Error enabling object lock feature for your S3 bucket.')
By following these steps, you should be able to remediate the “Object Lock Feature Should Be Enabled” misconfiguration in AWS using Python.
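The steps above can be combined into an audit-then-remediate routine that also verifies the result by re-reading the configuration rather than trusting the HTTP status. The following is an added example, not code from the original page: it assumes an S3 client exposing the boto3 method names get_bucket_versioning, put_bucket_versioning, get_object_lock_configuration and put_object_lock_configuration, treats bucket versioning as the prerequisite that Object Lock requires, and ships with a constructed FakeS3 stand-in (and the constructed bucket name cloudtrail-logs-example) so it runs offline; pass boto3.client('s3') instead to run it against a real account.

```python
from typing import Any, Dict


def _error_code(exc: Exception) -> str:
    # botocore's ClientError carries the service error code under exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def object_lock_status(s3, bucket: str) -> Dict[str, Any]:
    """Audit one bucket: versioning state, Object Lock state and default retention rule."""
    versioning = s3.get_bucket_versioning(Bucket=bucket).get("Status", "Disabled")
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as exc:  # a bucket with no lock config raises this specific code
        if _error_code(exc) != "ObjectLockConfigurationNotFoundError":
            raise
        cfg = {}
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    return {"versioning": versioning,
            "object_lock": cfg.get("ObjectLockEnabled") == "Enabled",
            "default_retention": rule or None}


def enable_object_lock(s3, bucket: str, days: int = 365, mode: str = "COMPLIANCE") -> Dict[str, Any]:
    """Remediate: enable versioning first (Object Lock needs it), then lock with a default retention."""
    status = object_lock_status(s3, bucket)
    if status["versioning"] != "Enabled":
        s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    if not status["object_lock"]:
        s3.put_object_lock_configuration(
            Bucket=bucket,
            ObjectLockConfiguration={"ObjectLockEnabled": "Enabled",
                                     "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}})
    return object_lock_status(s3, bucket)  # re-read so the caller verifies the outcome


class FakeS3:
    """Constructed in-memory stand-in for boto3.client('s3'); only for offline demonstration."""
    def __init__(self):
        self.versioning: Dict[str, str] = {}
        self.lock: Dict[str, Dict[str, Any]] = {}
    def get_bucket_versioning(self, Bucket):
        return {"Status": self.versioning[Bucket]} if Bucket in self.versioning else {}
    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.versioning[Bucket] = VersioningConfiguration["Status"]
    def get_object_lock_configuration(self, Bucket):
        if Bucket not in self.lock:  # mimic botocore's ClientError shape
            exc = Exception("ObjectLockConfigurationNotFoundError")
            exc.response = {"Error": {"Code": "ObjectLockConfigurationNotFoundError"}}
            raise exc
        return {"ObjectLockConfiguration": self.lock[Bucket]}
    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        self.lock[Bucket] = ObjectLockConfiguration
```

Buckets whose status comes back with object_lock False are the ones this check flags; COMPLIANCE mode cannot be shortened or removed once set, so choose the retention days deliberately.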