
Compliance-Tagged Buckets Must Have Object Lock Enabled

ID: CTL.S3.LOCK.001 Category: Lifecycle and Governance Severity: Critical

What This Checks

S3 buckets tagged with a compliance framework (hipaa, soc2, gdpr, or pci-dss in the bucket's compliance tag, read from properties.storage.tags.compliance in the observation) must have S3 Object Lock enabled. This control fires when such a bucket reports object_lock.enabled set to false.

Why It Matters

Regulatory frameworks including HIPAA, SOC 2, GDPR, and PCI-DSS require that audit logs, compliance records, and protected data be retained for defined periods and protected against alteration; immutable storage is the standard way to evidence this. S3 Object Lock provides Write Once Read Many (WORM) protection: a locked object version cannot be deleted or overwritten until its retention period expires, and in COMPLIANCE mode not even by the account's root user. Without Object Lock, a compromised credential, a malicious insider, or an accidental script can modify or destroy records that regulations require to be preserved in their original form. Auditors expect immutability controls on compliance-scoped storage. Note that a retention lock is not a substitute for data-handling rules: under GDPR, personal data subject to erasure requests should not be placed under a long retention lock, so lock the audit trail and compliance records rather than every object indiscriminately.

What A Violation Looks Like

$ stave apply --controls controls/s3 --observations ./observations --max-unsafe 0s --now 2026-01-15T00:00:00Z
{
  "control_id": "CTL.S3.LOCK.001",
  "control_name": "Compliance-Tagged Buckets Must Have Object Lock Enabled",
  "resource_id": "acme-healthcare-patient-records",
  "resource_type": "aws_s3_bucket",
  "resource_vendor": "aws",
  "evidence": {
    "first_unsafe_at": "2026-01-14T23:00:00Z",
    "last_seen_unsafe_at": "2026-01-15T00:00:00Z",
    "unsafe_duration_hours": 1,
    "threshold_hours": 0,
    "matched_properties": [
      {
        "path": "properties.storage.tags.compliance",
        "value": "hipaa"
      },
      {
        "path": "properties.storage.object_lock.enabled",
        "value": false
      }
    ],
    "why_now": "Resource has been unsafe for 1 hours (threshold: 0 hours). Unsafe since 2026-01-14T23:00:00Z."
  },
  "mitigation": {
    "description": "Compliance-tagged bucket does not have S3 Object Lock enabled. Objects can be deleted or overwritten without WORM protection.",
    "action": "Enable S3 Object Lock on the bucket. Object Lock requires versioning. It can be enabled when the bucket is created or on an existing versioned bucket, but enabling it later does not lock objects that are already stored: apply retention to those object versions explicitly, or create a new bucket with Object Lock enabled and migrate the objects into it. Set a default retention period appropriate for your compliance framework."
  }
}

Correct Configuration

A safe observation has object_lock.enabled set to true. Object Lock requires versioning on the bucket (see CTL.S3.VERSION.001), and enabling it is a one-way change: once Object Lock is on, it cannot be turned off again, so a bucket that reports true will not later drift back to false.

{
"properties": {
"storage": {
"kind": "bucket",
"tags": {
"compliance": "hipaa"
},
"object_lock": {
"enabled": true
}
}
}
}
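The check described under "What This Checks", together with the evidence fields shown in the violation output, as an added example (not stave's own code). The observation shape (properties.storage.kind, tags.compliance, object_lock.enabled) and the evidence field names follow this page; the COMPLIANCE_TAGS set, the evaluate() function, the observed_at field, the treatment of a missing object_lock block as disabled, and the threshold semantics (fire once the unbroken unsafe run is at least --max-unsafe long) are assumptions made for the example. The sample observation history is constructed.

```python
"""CTL.S3.LOCK.001 evaluated over stave-style observations.

Added example, not stave's own code. Observation shape and evidence
field names follow the page; COMPLIANCE_TAGS, evaluate(), observed_at
and the threshold semantics are assumptions.
"""
from datetime import datetime

# Frameworks named on the page; matched case-insensitively (assumption).
COMPLIANCE_TAGS = {"hipaa", "soc2", "gdpr", "pci-dss"}


def _get(obj, path):
    """Walk a dotted path through nested dicts; return (found, value)."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    return True, cur


def is_unsafe(observation):
    """Return matched_properties when the observation violates the control, else None.

    In scope: kind == "bucket" whose compliance tag names a known framework.
    A missing object_lock block is treated as enabled == false (assumption:
    no lock configuration means no WORM protection).
    """
    if _get(observation, "properties.storage.kind") != (True, "bucket"):
        return None
    found, tag = _get(observation, "properties.storage.tags.compliance")
    if not found or str(tag).lower() not in COMPLIANCE_TAGS:
        return None
    found_lock, enabled = _get(observation, "properties.storage.object_lock.enabled")
    if found_lock and enabled is True:
        return None
    return [
        {"path": "properties.storage.tags.compliance", "value": tag},
        {"path": "properties.storage.object_lock.enabled",
         "value": enabled if found_lock else False},
    ]


def _ts(s):
    """Parse an ISO 8601 UTC timestamp ending in Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def evaluate(resource_id, observations, now, max_unsafe_hours=0):
    """Apply the control to the observation history of one bucket.

    observations: [{"observed_at": "...Z", "properties": {...}}, ...]
    Fires when the bucket has been unsafe in an unbroken run of observations
    ending at the latest one, for at least max_unsafe_hours (stave's
    --max-unsafe, in hours here). A safe observation resets the run.
    Returns a finding shaped like the page's output, or None.
    """
    first_unsafe = last_unsafe = matched = None
    for obs in sorted(observations, key=lambda o: _ts(o["observed_at"])):
        m = is_unsafe(obs)
        if m is None:
            first_unsafe = last_unsafe = matched = None  # run broken by a safe observation
            continue
        first_unsafe = first_unsafe or obs["observed_at"]
        last_unsafe, matched = obs["observed_at"], m
    if first_unsafe is None:
        return None
    hours = (_ts(now) - _ts(first_unsafe)).total_seconds() / 3600
    if hours < max_unsafe_hours:
        return None
    return {
        "control_id": "CTL.S3.LOCK.001",
        "resource_id": resource_id,
        "resource_type": "aws_s3_bucket",
        "resource_vendor": "aws",
        "evidence": {
            "first_unsafe_at": first_unsafe,
            "last_seen_unsafe_at": last_unsafe,
            "unsafe_duration_hours": int(hours),  # whole hours, as on the page
            "threshold_hours": max_unsafe_hours,
            "matched_properties": matched,
            "why_now": (f"Resource has been unsafe for {int(hours)} hours "
                        f"(threshold: {max_unsafe_hours} hours). "
                        f"Unsafe since {first_unsafe}."),
        },
    }


def _bucket(compliance, lock_enabled):
    """Build a constructed observation body (sample data, not a real bucket)."""
    storage = {"kind": "bucket", "tags": {"compliance": compliance} if compliance else {}}
    if lock_enabled is not None:
        storage["object_lock"] = {"enabled": lock_enabled}
    return {"properties": {"storage": storage}}


# Constructed history: safe at 22:00, then Object Lock reported off from 23:00.
NOW = "2026-01-15T00:00:00Z"
PATIENT_RECORDS = [
    {"observed_at": "2026-01-14T22:00:00Z", **_bucket("hipaa", True)},
    {"observed_at": "2026-01-14T23:00:00Z", **_bucket("hipaa", False)},
    {"observed_at": "2026-01-15T00:00:00Z", **_bucket("hipaa", False)},
]
LOCKED_BUCKET = [{"observed_at": NOW, **_bucket("pci-dss", True)}]
UNTAGGED_BUCKET = [{"observed_at": NOW, **_bucket(None, False)}]

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate("acme-healthcare-patient-records", PATIENT_RECORDS, NOW), indent=2))
```

Run as a script, the constructed history reproduces the evidence block shown above (first_unsafe_at 2026-01-14T23:00:00Z, one unsafe hour against a zero-hour threshold). The run-reset in evaluate() is the part worth keeping: a bucket that was briefly observed safe and is unsafe again should date its unsafe window from the later observation, not the earlier one, otherwise --max-unsafe grace periods are computed against stale history.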

Related Controls

  • CTL.S3.LOCK.002 -- Requires COMPLIANCE mode (not GOVERNANCE) for PHI buckets with Object Lock.
  • CTL.S3.LOCK.003 -- Enforces a minimum retention period on Object Lock for PHI buckets.
  • CTL.S3.VERSION.001 -- Versioning is a prerequisite for Object Lock.
  • CTL.S3.GOVERNANCE.001 -- The compliance tag that gates this control works alongside the data-classification tag.