PRACTITIONER GUIDE | CLOUD SECURITY
Practitioner GuideUpdated 12 min read

AWS S3 Object Lock: Ransomware-Resistant Backup Architecture

Compliance
S3 Object Lock mode that prevents deletion by any principal including AWS root -- the only mode providing true ransomware-proof retention
0
AWS accounts that can delete a Compliance-mode locked object before the retention period expires, including the root account
MFA Delete
S3 bucket setting requiring a TOTP token to permanently delete object versions -- blocks automated credential-based deletion attacks
Cross-account
Backup vaulting strategy where copies are stored in a separate AWS account with no trust relationship to the primary account

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Ransomware operators targeting cloud environments have a specific playbook: compromise an IAM user with S3 permissions, enumerate buckets, and run aws s3 rm s3://backup-bucket --recursive before triggering the encryption payload. Without Object Lock, this attack succeeds in under a minute. S3 Object Lock in Compliance mode is the architectural control that makes this attack fail even if the attacker has root credentials. This guide covers the complete ransomware-resistant S3 backup architecture: Compliance mode retention, S3 Versioning, bucket policies restricting deletion to break-glass roles, cross-account vaulting, and CloudTrail-based deletion monitoring.

Configure Object Lock at Bucket Creation

Object Lock must be enabled at bucket creation -- it cannot be added to existing buckets. Plan your backup bucket architecture before creating any Object Lock buckets.

Create a new bucket with Object Lock enabled

Via AWS CLI: `aws s3api create-bucket --bucket <backup-bucket-name> --object-lock-enabled-for-bucket --region us-east-1`. Object Lock requires Versioning, which is automatically enabled when Object Lock is turned on. Confirm Object Lock is enabled: `aws s3api get-object-lock-configuration --bucket <backup-bucket-name>`.

Set a default bucket-level retention rule

Apply a default retention policy so all new objects are automatically protected: `aws s3api put-object-lock-configuration --bucket <backup-bucket-name> --object-lock-configuration 'ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=COMPLIANCE,Days=90}}'`. This ensures any object written to the bucket is automatically locked in Compliance mode for 90 days without requiring the writer to specify retention parameters per-object.

Apply a bucket policy blocking deletion from non-break-glass roles

Add a bucket policy with an explicit Deny on `s3:DeleteObject`, `s3:DeleteObjectVersion`, and `s3:PutBucketVersioning` for all principals except your break-glass IAM role: `"Condition": {"ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::<account>:role/break-glass-admin"}}`. This provides defense-in-depth -- even if an attacker has IAM credentials with `s3:DeleteObject`, the bucket policy blocks the call unless they have the break-glass role, which requires a separate MFA-protected assume-role.

Enable MFA Delete on the bucket

MFA Delete requires the root account to enable: `aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa '<arn-of-mfa-device> <mfa-code>'`. Once enabled, permanently deleting object versions requires presenting an MFA token. This blocks automated credential-based deletion attacks that do not have physical access to the MFA device.

Implement Cross-Account Backup Vaulting

The most important ransomware protection principle: your backup copies must live in an account that production credentials cannot access.

Create a dedicated backup account

In AWS Organizations, create a new account used exclusively for backup storage. Apply an SCP to this account: `Deny` on all IAM and Organizations actions, allowing only the Backup service operations needed to receive and store recovery points. No human IAM users should have direct access to this account's resources -- access should only be possible via the break-glass emergency access account procedure.

Configure AWS Backup Vault Lock in the backup account

In the backup account's Backup Vault, enable Vault Lock: set a minimum retention period of 90 days and enable Vault Lock in Compliance mode. Once locked, the Vault Lock configuration cannot be modified or removed. This ensures that even if an attacker compromises the backup account, they cannot delete the Vault Lock configuration and then delete backup recovery points.

Create cross-account copy rules in the production Backup Plan

In the production account's AWS Backup Plan, add a copy action to each backup rule: set the destination vault ARN to `arn:aws:backup:<region>:<backup-account-id>:backup-vault/<vault-name>` and the destination IAM role to one that has `backup:CopyIntoBackupVault` permission in the backup account. Test the copy by triggering an on-demand backup and verifying the recovery point appears in the backup account's vault.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Monitor Deletion Events with CloudTrail and EventBridge

Ransomware detection depends on alerting within minutes of the first deletion event, not hours. CloudTrail S3 data events provide the necessary telemetry.

Enable S3 data events in CloudTrail

Create or update a CloudTrail trail to include S3 data events for all critical backup buckets. In the trail configuration, add an advanced event selector for S3: select `Read`, `Write`, and `Delete` operations on the specific bucket ARNs. Data events cost $0.10 per 100,000 events -- for backup buckets with low write frequency, this is negligible.

Create EventBridge rules for deletion alerts

Create an EventBridge rule matching S3 events with detail-type `Object Delete Markers Created` or `Object Permanently Deleted` from your backup bucket. Route to a Lambda function that: checks if the deleting principal is in the approved list, counts the deletion volume in the last 5 minutes, and pages the on-call team if the principal is unexpected or the deletion volume exceeds 100 objects per 5-minute window.

Alert on Object Lock rejection events

Object Lock rejection events appear in CloudTrail as `DeleteObject` calls with `errorCode: AccessDenied` and `errorMessage` containing 'Object Lock'. Create a dedicated high-priority alert for any Object Lock rejection -- these events indicate an active attempt to delete a protected object, which is a strong ransomware or insider threat signal that warrants immediate investigation.

The bottom line

S3 Object Lock in Compliance mode is the only AWS control that provides tamper-proof backup protection against a fully compromised AWS account. Enable it at bucket creation (it cannot be added later), set default retention to Compliance mode for 90 days minimum, add a bucket policy blocking deletion from non-break-glass principals, and configure cross-account Backup vaulting so no production credential can reach the backup copies. These four controls together make ransomware attacks against your backup infrastructure fail regardless of the credential scope compromised.

Frequently asked questions

What is the difference between S3 Object Lock Governance mode and Compliance mode?

Governance mode allows deletion by principals with the `s3:BypassGovernanceRetention` IAM permission. This is useful for operational flexibility -- a storage administrator can remove incorrectly locked objects. Compliance mode allows no deletions or retention period reductions by any principal for the duration of the retention period, including the AWS root account. AWS must be contacted to shorten Compliance mode retention periods. For ransomware-resistant backups, Compliance mode is required -- an attacker who compromises root credentials cannot delete Compliance-mode locked objects.

Can you enable Object Lock on an existing S3 bucket?

No. Object Lock can only be enabled at bucket creation time. To protect an existing bucket's data, create a new bucket with Object Lock enabled, copy the existing data to the new bucket (the copied objects will not have Object Lock retention applied automatically -- you must set retention on each object after copying), and update your applications to write to the new bucket. Use S3 Batch Operations to apply a default retention rule to all existing objects in the new bucket after the copy.

How does S3 Versioning interact with Object Lock to protect against ransomware?

S3 Versioning preserves previous versions when objects are overwritten. Ransomware that overwrites objects with encrypted versions creates new versions -- the original unencrypted version is preserved. Without Object Lock, the previous versions can be deleted with `DeleteObjectVersion` API calls. With Object Lock on previous versions, even the delete of old versions is blocked. Enable both: Versioning to preserve overwrites, Object Lock to prevent deletion of any version during the retention window. Set the bucket's default retention to apply to all new object versions automatically.

What is MFA Delete and does it overlap with Object Lock?

MFA Delete requires presenting a valid TOTP code from an MFA device to permanently delete object versions or disable Versioning. It is separate from Object Lock -- MFA Delete can be enabled without Object Lock. MFA Delete protects against credential compromise without TOTP device access, while Object Lock protects against any deletion during the retention period regardless of MFA possession. For maximum ransomware protection, use both: Object Lock for the retention period guarantee, MFA Delete as an additional layer for objects where Object Lock is not applied.

How do you set up cross-account backup vaulting with AWS Backup?

Create a dedicated backup account in your AWS Organization that has no trust relationships with production accounts. In AWS Backup, create a Backup Vault in the backup account with a Vault Lock policy (analogous to Object Lock but for the Vault itself). In the production account, create a Backup Plan that copies recovery points to the backup account's vault: set the destination vault ARN to the backup account's vault. Use an IAM role in the backup account that the production Backup service can assume for cross-account copies. The backup account should have an SCP blocking any principal from modifying the Vault Lock configuration.

How do you monitor S3 deletion events for ransomware detection?

Enable CloudTrail S3 data events for all buckets containing critical data. Create EventBridge rules matching `DeleteObject`, `DeleteObjectVersion`, and `DeleteBucket` events from unexpected principals. Route these to a Lambda function that evaluates: is this principal in the approved list for deletion? Is this deletion volume above the baseline rate for this bucket? Alert if unexpected principals perform deletions or if deletion rate exceeds 10x the hourly baseline. Object Lock rejection events (`DENY` on `DeleteObject` due to lock) are particularly valuable -- they indicate an active deletion attempt against a protected object.

How long should you set the Object Lock retention period?

Base the retention period on your recovery time objective and ransomware detection timeline. CISA recommends 90-day minimum for operational backups, with annual compliance backups extending to 1-3 years. The critical parameter is: how long does it typically take your organization to detect a ransomware event? If detection takes 30 days on average, a 30-day retention period means the encryption may have occurred before the retention clock started. Set the retention period to your mean detection time plus a safety margin -- typically 90 days for operational backups. Compliance-mode retention cannot be shortened, so choose a period you are confident in before enabling.

Sources & references

  1. Amazon S3 Object Lock Documentation
  2. S3 MFA Delete Configuration
  3. AWS Backup Cross-Account Backup

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.