Ensure that the S3 bucket has object lock enabled

Object Lock is an Amazon S3 feature that blocks object version deletion during a user-defined retention period, to enforce retention policies as an additional layer of data protection and/or for strict regulatory compliance.

Risk Level: Low
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.CFT.OPE.08
Covered by Spectral: Yes
Category: Storage


AWS_S3_Bucket should have ObjectLockEnabled=true


From CFT
Set AWS::S3::Bucket ObjectLockEnabled to true and add appropriate rule under ObjectLockConfiguration.


  1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CloudFormation ruleset