To enhance the protection of your Amazon CloudTrail trail log files and meet regulatory requirements for data protection, configure the associated S3 buckets with the Object Lock feature. Object Lock is an Amazon S3 feature that prevents object versions from being deleted for a specified retention period, adding an additional layer of data protection.

The feature offers two retention modes with different levels of protection. Governance mode protects S3 objects from deletion by most users, while still allowing some users to modify the retention settings or delete the object if needed. Compliance mode ensures that object versions cannot be deleted or overwritten by any user, including the AWS root user; once an object is locked in Compliance mode, its retention period cannot be shortened and its retention mode cannot be changed, so the object version remains unaltered for the entire retention period.

Enabling Object Lock on your CloudTrail trail S3 buckets prevents the accidental or intentional deletion of the log files stored within them and helps maintain the integrity of the log data. It can also help you comply with your organization's regulatory requirements for data protection.
To ensure that the S3 buckets associated with your CloudTrail trails have the Object Lock feature enabled, follow these remediation steps:
You should repeat these steps for each S3 bucket associated with your CloudTrail trails to ensure that Object Lock is enabled for all of them. By doing so, you can prevent the deletion of log files stored within the target buckets, ensuring the integrity of your CloudTrail logs and compliance with regulatory requirements.
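As an added example (not part of this page or of any AWS tooling), the following Python script performs the check that the remediation above expects: for each CloudTrail trail it reads the delivery bucket's Object Lock configuration and reports whether the lock is enabled, which retention mode applies, and whether a default retention rule exists. It assumes boto3 is installed with credentials that can describe trails and read bucket lock configuration; the sample responses and the function names are constructed for illustration.

```python
"""Audit the S3 buckets behind CloudTrail trails for Object Lock (added example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockStatus:
    bucket: str
    enabled: bool
    mode: Optional[str]  # "GOVERNANCE" or "COMPLIANCE" when a default retention rule exists
    detail: str

def evaluate_object_lock(bucket: str, config: Optional[dict]) -> LockStatus:
    """Classify a bucket from the s3:GetObjectLockConfiguration response.
    Pass None when the call raised ObjectLockConfigurationNotFoundError, which is how
    S3 reports a bucket that was created without Object Lock."""
    if config is None:
        return LockStatus(bucket, False, None, "Object Lock is not enabled on the bucket")
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return LockStatus(bucket, False, None, "Object Lock is not enabled on the bucket")
    retention = lock.get("Rule", {}).get("DefaultRetention") or {}
    mode = retention.get("Mode")
    if mode is None:
        # Lock is on, but without a default rule newly delivered log files get no retention period
        return LockStatus(bucket, True, None, "Object Lock enabled but no default retention rule")
    period = f"{retention['Days']} days" if "Days" in retention else f"{retention.get('Years')} years"
    return LockStatus(bucket, True, mode, f"Object Lock enabled, {mode} mode, default retention {period}")

def audit_cloudtrail_buckets() -> list:
    """Live check; needs boto3 plus cloudtrail:DescribeTrails and s3:GetBucketObjectLockConfiguration."""
    import boto3
    from botocore.exceptions import ClientError
    cloudtrail, s3 = boto3.client("cloudtrail"), boto3.client("s3")
    results = []
    for trail in cloudtrail.describe_trails()["trailList"]:
        bucket = trail.get("S3BucketName")
        if not bucket:
            continue
        try:
            config = s3.get_object_lock_configuration(Bucket=bucket)
        except ClientError as err:
            if err.response["Error"]["Code"] != "ObjectLockConfigurationNotFoundError":
                raise
            config = None
        results.append(evaluate_object_lock(bucket, config))
    return results

# Constructed sample responses shaped like the S3 API output (not captured from a real account).
SAMPLE_COMPLIANCE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}
SAMPLE_NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
```

Buckets that report "enabled but no default retention rule" pass the Object Lock check itself, but log files delivered to them will only be protected if a retention period is applied per object, so review them separately.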