S3 Object Lock for Ransomware Protection

Ransomware attacks show no signs of abating. If anything, they are getting worse. According to Black Kite, ransomware incidence nearly doubled in early 2023 compared with the previous year.

With the integrity of their businesses on the line, prudent organizations must take every reasonable measure to resist ransomware. One such measure is S3 Object Lock, which prevents locked objects in S3-compatible object storage from being altered or deleted.

Although Amazon launched S3 17 years ago as a cloud-based service, today many vendors, including Object First, offer S3-compatible object storage entirely on-premises, thanks to the S3 API.

S3-compatible object storage holds data as objects in virtual containers called buckets. S3 Object Lock complements object storage and proves invaluable to anyone who wants to make it more secure.

What Is S3 Object Lock

S3 Object Lock is a feature of S3-compatible object storage that makes locked object versions immutable: while the lock is in place, nobody can overwrite or delete them. Ransomware that tries to encrypt or wipe the data therefore cannot destroy the protected versions, which remain readable to authorized users. Note that the lock protects integrity, not confidentiality: anyone with read permission can still download the data.

With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. The WORM model forbids modifications but allows authorized reads. As long as the lock is in place, the data stays immutable but can be read by authorized personnel.

Preserving the state of objects in S3 buckets is called object retention. It is achieved in one of two ways: by setting a retention period or by placing a legal hold. In the first case, the lock expires automatically after a set time. In the second, it must be lifted manually.

Reasons to Use S3 Object Lock for Ransomware Protection

A ransomware attack has at least two stages: gaining unauthorized access to the victim's data and then encrypting or destroying it. S3 Object Lock neutralizes the second stage. Even if a threat actor gets into an S3 bucket with valid credentials, locked object versions cannot be overwritten, encrypted in place or deleted before their retention expires. The lock does not stop the first stage, nor the theft of readable data, so access control and monitoring still matter.

Ransomware attempts against S3 Object Lock-protected data fail because of the guarantees S3 Object Lock provides for data security. These include:

  • WORM storage — The write-once-read-many model means nobody can overwrite or delete a locked object version, by accident or on purpose, until its retention ends.
  • Availability — People with the right permissions can still access and read the data.
  • Outsider and insider threat protection — Even staff authorized to read the data cannot modify it. In compliance mode that includes administrators and the root account; in governance mode it excludes only identities explicitly granted s3:BypassGovernanceRetention.
  • Ransomware protection — Because a locked version cannot be overwritten or deleted, ransomware cannot replace it with an encrypted copy or wipe it.
  • Integrity — With S3 Object Lock, organizations can rest assured that their data is tamper-proof, accurate, and complete for as long as the lock is in place.
  • Immutable backups — S3 Object Lock fortifies object storage backups by making them unchangeable.
  • Replacement for off-site LTO tapes and physical air gaps — S3 Object Lock can take over the role of LTO tapes and physical air gaps by supplying immutability and a logical air gap on storage that stays online.
  • Proof of compliance — The lock settings on a record show that it could not have been altered during its retention period, which auditors can use as evidence of compliance.

Organizations may also need to use S3 Object Lock to satisfy legal requirements. This is especially true in heavily regulated industries such as finance or healthcare. In an audit, S3 Object Lock provides evidence that the records under scrutiny could not have been altered.

S3 Object Lock offers two ways of managing retention. Retention periods suit data whose protection window is known in advance, such as backups kept for a fixed number of days. Legal holds suit records that must be preserved for an open-ended period, for example during litigation or an audit, and are lifted manually when the matter closes.

S3 Object Lock Retention Periods

A retention period specifies the duration for which a stored object remains write-protected. For every Object Lock-enabled bucket, there are two ways to define that duration.

One way is to set a default retention period in the bucket's Object Lock configuration, either when creating a new Object Lock-enabled bucket or later. The default applies to every object uploaded afterwards without retention settings of its own; objects already in the bucket are not retroactively locked.

Alternatively, or to override the default for a particular object, each object version earmarked for protection carries its own retention mode and expiry date in the Retain Until Date attribute (set with the x-amz-object-lock-retain-until-date header on upload, or later through the object retention API).

There is one caveat to remember about retention periods. Although every retention period ends eventually, the object does not necessarily become writable when it does, because a legal hold can run in parallel with the retention period and outlast it. Conversely, lifting a legal hold does not free an object whose retention period is still running.

S3 Object Lock Legal Holds

A legal hold is the second retention mechanism in Object Lock. Unlike a retention period, it has no expiry date and no retention mode; it is a per-object-version flag that anyone with the s3:PutObjectLegalHold permission can place or lift at any time. That makes the permission itself worth guarding: grant it to as few identities as possible, since whoever holds it can remove the hold.

Legal holds and retention periods are independent of each other and can both act on the same object simultaneously. If the retention period ends first, the legal hold keeps working until removed, and vice versa.

S3 Object Lock Retention Modes

For every retention period, S3 Object Lock users must choose between two retention modes: governance and compliance.

Governance mode

The governance mode is less airtight but more flexible. It locks objects from everyone except identities with the s3:BypassGovernanceRetention permission, and even they must state their intent by sending the x-amz-bypass-governance-retention:true header (the --bypass-governance-retention flag in the AWS CLI) on each request. With both the permission and the header, they can delete protected object versions and shorten or remove their retention settings. Lengthening a governance retention needs only s3:PutObjectRetention.

Why use the governance mode? For example, to experiment with object lock features without running the risk of irreversibly freezing your data, or where a tightly controlled administrator must be able to reclaim space before a retention period ends.

Compliance mode

The compliance mode is less forgiving but more secure than its counterpart. Under this mode, no one can shorten the retention period, switch the mode to governance or delete the protected object version, not even the root account. The retention period can be extended but never cut short: the only way to get the data out of the lock is to wait until the period ends.

The compliance mode offers uncompromised assurance but no way of going back on it. The point-of-no-return property makes it especially suitable for demonstrating adherence to legal regulations, and it is the only mode that is tamper-proof regardless of who holds which permission. One caveat applies to both modes: the lock protects object versions, not object names. A PUT to a locked key writes a new version and a DELETE without a version ID adds a delete marker, so an object can vanish from ordinary listings while every locked version remains intact and recoverable by version ID. Restores should therefore address versions, and unexpected delete markers on a backup bucket are worth alerting on.
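The retention period, legal hold and retention mode sections above describe a set of decision rules; the following added example (not Object First's or AWS's code) models them so the interactions can be exercised offline. It assumes a versioned bucket and follows AWS's documented S3 Object Lock behaviour; the 2023 dates, the attacker with stolen keys and the version ID "v1" are constructed for the scenario.

```python
# Added example: a model of the S3 Object Lock decision rules (retention period,
# legal hold, governance/compliance mode). Not Object First's or AWS's code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


@dataclass
class Lock:
    """Lock state of one object version."""
    mode: Optional[str] = None               # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None  # Retain Until Date
    legal_hold: bool = False


@dataclass
class Caller:
    """Identity making the request. Governance bypass needs BOTH the IAM permission
    s3:BypassGovernanceRetention AND the x-amz-bypass-governance-retention:true header."""
    has_bypass_permission: bool = False
    sends_bypass_header: bool = False

    def bypasses_governance(self) -> bool:
        return self.has_bypass_permission and self.sends_bypass_header


def lock_from_default(mode: str, days: int, uploaded_at: datetime) -> Lock:
    """Bucket default retention applied to a version uploaded without its own settings."""
    return Lock(mode=mode, retain_until=uploaded_at + timedelta(days=days))


def retention_active(lock: Lock, now: datetime) -> bool:
    return lock.retain_until is not None and now < lock.retain_until


def may_delete_version(lock: Lock, caller: Caller, now: datetime) -> bool:
    """May this object version be deleted or overwritten right now?"""
    if lock.legal_hold:
        return False                        # a hold blocks deletion in either mode
    if not retention_active(lock, now):
        return True                         # period over: ordinary permissions decide
    if lock.mode == GOVERNANCE:
        return caller.bypasses_governance()
    return False                            # COMPLIANCE: nobody, not even root


def may_change_retention(lock: Lock, caller: Caller, now: datetime,
                         new_mode: str, new_until: datetime) -> bool:
    """May the retention be changed to (new_mode, new_until)? Legal holds are
    independent of retention and do not block this call."""
    if not retention_active(lock, now):
        return True                         # nothing active: set freely
    if lock.mode == COMPLIANCE:             # compliance can only be extended
        return new_mode == COMPLIANCE and new_until > lock.retain_until
    if new_until >= lock.retain_until:      # governance: lengthening needs no bypass
        return True
    return caller.bypasses_governance()     # shortening does


def delete_request(lock: Lock, caller: Caller, now: datetime,
                   version_id: Optional[str] = None) -> str:
    """Outcome of DELETE Object on a versioned bucket. Without a version ID S3 only
    adds a delete marker; the locked version survives and is restorable by ID."""
    if version_id is None:
        return "DELETE_MARKER"
    return "DELETED" if may_delete_version(lock, caller, now) else "DENIED"


def ransomware_scenario() -> dict:
    """Constructed scenario (not from the article): backups written 2023-06-01 under a
    30-day default, attacked 2023-06-15 with stolen keys that carry
    s3:BypassGovernanceRetention and send the bypass header."""
    uploaded = datetime(2023, 6, 1, tzinfo=timezone.utc)
    now = datetime(2023, 6, 15, tzinfo=timezone.utc)
    attacker = Caller(has_bypass_permission=True, sends_bypass_header=True)
    compliance = lock_from_default(COMPLIANCE, 30, uploaded)
    governance = lock_from_default(GOVERNANCE, 30, uploaded)
    held = Lock(mode=GOVERNANCE, retain_until=governance.retain_until, legal_hold=True)
    return {
        "compliance_overwrite": may_delete_version(compliance, attacker, now),
        "governance_overwrite": may_delete_version(governance, attacker, now),
        "governance_no_header": may_delete_version(governance, Caller(True, False), now),
        "legal_hold_overwrite": may_delete_version(held, attacker, now),
        "compliance_shorten": may_change_retention(compliance, attacker, now, COMPLIANCE, now),
        "compliance_extend": may_change_retention(
            compliance, attacker, now, COMPLIANCE, compliance.retain_until + timedelta(days=365)),
        "governance_shorten_no_header": may_change_retention(
            governance, Caller(True, False), now, GOVERNANCE, now),
        "delete_without_version_id": delete_request(compliance, attacker, now),
        "delete_by_version_id": delete_request(compliance, attacker, now, "v1"),
        "after_expiry": may_delete_version(compliance, Caller(), uploaded + timedelta(days=31)),
    }


if __name__ == "__main__":
    for name, result in ransomware_scenario().items():
        print(f"{name:30} {result}")
```

The scenario is the one the article argues for: with stolen administrator keys, the attacker overwrites the governance-mode backup but not the compliance-mode one, cannot shorten either retention below its expiry, and a DELETE without a version ID only leaves a delete marker behind.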

Ootbi – S3-compatible, on-prem immutable storage

Take S3 Object Lock with immutability and resilience to ransomware. Add quick setup, simplicity, and affordability. Mix it all together, and you’ll get Ootbi – a physical backup storage solution from Object First.

Ootbi is an object storage backup box you can rack, stack, and power in 15 minutes. It ships S3-ready, Veeam-optimized, on-prem by design, and with a usable capacity of between 64 and 128 TB per node, up to four nodes per cluster.

Furnished with Lockdown OS and a dedicated HTTPS interface, Ootbi is secure, simple, powerful, affordable, and efficient. Get yourself one today, put ransomware gangs out of business, and gain the peace of mind you deserve.

FAQ

What is S3 Object Lock?

S3 Object Lock is a feature of object storage that prevents locked object versions from being overwritten or deleted during their retention. As a result, ransomware cannot encrypt or destroy them. The lock has a suite of options for fine-tuning protection and authorization.

Why should I use S3 Object Lock?

For threat protection

Even air-gapped storage occasionally connects to a network and becomes exposed to outside threats. Organizations should use an extra layer of protection to stay safe. S3 Object Lock adds immutability to storage that stays online, forming a logical air gap that provides assurance against cyberattacks such as ransomware.

For regulation compliance

S3 Object Lock helps meet regulations such as SEC Rule 17a-4(f), CFTC Rule 1.31, FINRA Rule 4511 and other rules that impose stringent data retention standards.

What storage can I use with S3 Object Lock?

S3 Object Lock works with object storage. This kind of storage lends itself well to holding large quantities of unstructured data. For this reason, it’s often used and recommended for backups.

Can I use S3 Object Lock on-premises?

S3 object storage originally emerged as a cloud-first technology but has since been adapted for on-premises architectures thanks to the S3 API. You can get the advantages of S3 Object Lock on-premises by obtaining S3-compatible storage, such as Ootbi from Object First.

What is S3-compatible storage?

S3-compatible storage brings the benefits of S3 Object Lock to on-premises and private cloud environments. It stores data in virtual containers called buckets. An example of S3-compatible storage is Ootbi from Object First.

How does S3 Object Lock work?

S3 Object Lock requires bucket versioning, and enabling the lock when you create a bucket turns versioning on as well. Once it is enabled, each object version can be write-protected in two ways, separately or together: a retention period and a legal hold.

What is the difference between a retention period and a legal hold in S3 Object Lock?

A retention period defines a specific time during which an object version is write-protected. A legal hold applies protection indefinitely until an authorized person lifts it. What's important is that retention periods and legal holds are not mutually exclusive and can run in parallel.

How to set up a retention period in S3 Object Lock?

You can set a default retention period (a mode plus a number of days or years) in the Object Lock configuration of a bucket, when creating it or later. The default applies automatically to every object uploaded afterwards without its own retention settings; objects that were already in the bucket are unaffected. Without a default, you must assign retention to each object individually, and an individual retention setting always overrides the default where one is present.

How to set up a legal hold in S3 Object Lock?

An authorized user can place and lift a legal hold on an object version. To authorize a user, grant them the s3:PutObjectLegalHold permission, and keep that grant narrow, since whoever holds it can remove the hold.
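The two FAQ answers above are steps of one procedure. The following added example (not Object First's or AWS's code) shows the S3 API calls behind them using boto3's parameter names: a default retention on a new bucket, explicit per-object retention that overrides it, and a legal hold that is placed and then lifted. The S3 client is injected, so the same function can be pointed at boto3.client("s3") (with endpoint_url=... for an on-prem S3-compatible target) or at the offline recording stub included below; the bucket name, key, payload and date are placeholders constructed for the demo.

```python
# Added example: Object Lock setup calls with boto3 parameter names, run against an
# injected client. Not Object First's or AWS's code; names and dates are placeholders.
from datetime import datetime, timedelta, timezone
from typing import Optional


def configure_object_lock(s3, bucket: str, key: str, body: bytes,
                          default_days: int = 30, retain_days: int = 90,
                          now: Optional[datetime] = None) -> dict:
    now = now or datetime.now(timezone.utc)

    # Object Lock needs versioning; this flag enables both on the new bucket.
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)

    # Bucket default, applied to later uploads that carry no retention of their own.
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration={
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": default_days}},
        },
    )

    # Explicit settings on the upload override the default for this version.
    retain_until = now + timedelta(days=retain_days)
    put = s3.put_object(
        Bucket=bucket, Key=key, Body=body,
        ObjectLockMode="COMPLIANCE",
        ObjectLockRetainUntilDate=retain_until,
        ObjectLockLegalHoldStatus="ON",
    )
    version_id = put["VersionId"]

    # A legal hold is per version and independent of the retention period. Lifting it
    # needs s3:PutObjectLegalHold and leaves the compliance retention in force.
    s3.put_object_legal_hold(Bucket=bucket, Key=key, VersionId=version_id,
                             LegalHold={"Status": "OFF"})

    # Retention may always be extended; a request that shortens a COMPLIANCE lock is
    # rejected by S3, so only an extension is shown here.
    s3.put_object_retention(Bucket=bucket, Key=key, VersionId=version_id,
                            Retention={"Mode": "COMPLIANCE",
                                       "RetainUntilDate": retain_until + timedelta(days=365)})
    return {"version_id": version_id, "retain_until": retain_until}


class RecordingS3:
    """Offline stand-in for the boto3 S3 client: records every call and returns the
    minimal response shape configure_object_lock() reads."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, operation):
        def call(**params):
            self.calls.append((operation, params))
            return {"VersionId": "v1"} if operation == "put_object" else {}
        return call


def run_offline_demo() -> dict:
    """Runs the procedure against the stub with a constructed date and returns what
    was sent, so the call sequence can be inspected without any S3 endpoint."""
    s3 = RecordingS3()
    out = configure_object_lock(s3, "backups-example", "veeam/backup-001.vbk",
                                b"constructed sample backup bytes",
                                now=datetime(2023, 6, 1, tzinfo=timezone.utc))
    return {"operations": [op for op, _ in s3.calls], "params": dict(s3.calls), **out}


if __name__ == "__main__":
    demo = run_offline_demo()
    print(demo["operations"])
    print(demo["retain_until"].isoformat())
```

Against a real endpoint, the same sequence with ObjectLockMode="GOVERNANCE" would additionally let a caller holding s3:BypassGovernanceRetention pass BypassGovernanceRetention=True to delete_object or put_object_retention; that parameter is deliberately absent here because the compliance lock cannot be bypassed.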

What is the difference between governance and compliance in S3 Object Lock?

Every retention period has one of two modes: governance or compliance.

Governance mode lets selected users change S3 Object Lock settings and modify or delete the data it protects. To grant that right, assign the s3:BypassGovernanceRetention permission; the user must additionally send the x-amz-bypass-governance-retention:true header on each such request.

Compliance mode prevents shortening or removing the lock regardless of permissions, including the root account. Once a retention period is set in compliance mode, it can only be extended; there is no way around it. It is the safest option but also the least forgiving.
