Use Immutable Storage - AWS Security Incident Response Guide

Use Immutable Storage

When you copy logs and other evidence to an alternative account, make sure that the replicated data is protected. In addition to protecting that secondary copy, you must also protect the integrity of the data at the source. Immutable storage refers to mechanisms that protect the integrity of your data by preventing it from being overwritten or deleted until a defined retention period has passed.

Using the native features of Amazon S3, you can configure an Amazon S3 bucket to protect the integrity of your data. For example, with S3 Object Lock you can prevent an object version from being deleted or overwritten, either for a fixed retention period or indefinitely with a legal hold. Object Lock requires S3 Versioning and offers two retention modes: in compliance mode nobody, including the root user, can shorten or remove the retention period before it expires, which is the mode to use for evidence; in governance mode principals granted the s3:BypassGovernanceRetention permission can override it. Managing access permissions with S3 bucket policies, configuring S3 Versioning, and enabling MFA Delete (which only the root user can turn on, and which then requires an MFA code to permanently delete an object version or change the bucket's versioning state) are other ways to restrict how data can be written, read, or removed. This type of configuration is useful for storing investigation logs and evidence, and is often referred to as write once, read many (WORM). You can also protect the confidentiality of the data by using server-side encryption with AWS Key Management Service (AWS KMS) and verifying, in the key policy, that only appropriate IAM principals are authorized to decrypt it.

Additionally, if you want to keep data securely in long-term storage after the investigation is completed, consider moving it from Amazon S3 to the Amazon S3 Glacier storage classes using object lifecycle policies; an Object Lock retention period or legal hold stays with the object version through the transition. Amazon S3 Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. It is designed to deliver 99.999999999% (11 nines) durability, and provides comprehensive security and compliance capabilities.
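The two preceding paragraphs describe the controls (Object Lock, Versioning, bucket policy, SSE-KMS, lifecycle transition to a Glacier storage class) in prose. The following script, an added example that is not part of the AWS guide, provisions such an evidence bucket with boto3 and includes the post-deployment check that a locked version really cannot be deleted. The bucket name, KMS key ARN and analyst role ARN are placeholders supplied by the caller; the functions that build the Object Lock configuration and the bucket policy run offline, while apply_bucket_controls() and delete_is_blocked() need boto3 and AWS credentials.

```python
"""Added example, not from the AWS guide: provision a WORM evidence bucket.
Bucket name, KMS key ARN and analyst role ARN are assumed placeholders. The
policy builders run offline; apply_bucket_controls() and delete_is_blocked()
need boto3 and AWS credentials."""
import json

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # SDK is only needed to talk to AWS
    boto3 = None
    ClientError = Exception


def object_lock_configuration(retention_days: int, mode: str = "COMPLIANCE") -> dict:
    """Default retention for every new object version. COMPLIANCE cannot be
    shortened or removed by anyone (root included) until it expires; GOVERNANCE
    can be overridden by holders of s3:BypassGovernanceRetention."""
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    if retention_days < 1:
        raise ValueError("retention_days must be at least 1")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": retention_days}}}


def evidence_bucket_policy(bucket: str, analyst_role_arn: str) -> dict:
    """Bucket policy that complements Object Lock: a locked version cannot be
    deleted, but DeleteObject still adds a delete marker that hides it, and
    bucket settings can be weakened. Root can still remove this policy, so
    compliance-mode Object Lock, not the policy, is the real guarantee."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyDeleteAndDeleteMarkers", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": objects_arn},
        {"Sid": "DenyWeakeningBucketControls", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteBucket", "s3:PutBucketVersioning",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:PutLifecycleConfiguration", "s3:BypassGovernanceRetention"],
         "Resource": [bucket_arn, objects_arn]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, objects_arn],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Read-only for analysts; kms:Decrypt on the evidence key is granted in
        # the KMS key policy, which is where decrypt authorization belongs.
        {"Sid": "AnalystsReadOnly", "Effect": "Allow",
         "Principal": {"AWS": analyst_role_arn},
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion",
                    "s3:GetObjectRetention", "s3:GetObjectLegalHold"],
         "Resource": [bucket_arn, objects_arn]},
    ]}


def apply_bucket_controls(bucket: str, kms_key_arn: str, analyst_role_arn: str,
                          retention_days: int, region: str = "us-east-1") -> None:
    """Create and harden the bucket (needs boto3 and credentials; not run here)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply the configuration")
    s3 = boto3.client("s3", region_name=region)
    create_args = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        create_args["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**create_args)  # Object Lock turns S3 Versioning on as well
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration={
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True}]})
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=object_lock_configuration(retention_days))
    # Long-term storage: move closed-case evidence to a Glacier storage class;
    # the Object Lock retention stays on the object version across the move.
    s3.put_bucket_lifecycle_configuration(Bucket=bucket, LifecycleConfiguration={
        "Rules": [{"ID": "archive-evidence", "Status": "Enabled", "Filter": {"Prefix": ""},
                   "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]})
    # Policy last, because it forbids further lock and lifecycle changes.
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(evidence_bucket_policy(bucket, analyst_role_arn)))
    # MFA Delete is not set here: only the root user can enable it, via CLI/API with an MFA code.


def delete_is_blocked(bucket: str, key: str, version_id: str, region: str = "us-east-1") -> bool:
    """Check after deployment: deleting a locked version must fail with AccessDenied."""
    s3 = boto3.client("s3", region_name=region)
    try:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id)
    except ClientError as err:
        return err.response["Error"]["Code"] == "AccessDenied"
    return False  # the delete succeeded, so the bucket is not immutable
```

Run apply_bucket_controls() once from an administrative role, then upload a test object and call delete_is_blocked() with its version ID; a False result means the lock or policy did not take effect. The ordering matters: the lifecycle rule and lock configuration are written before the bucket policy, because the policy denies later changes to both for every principal, including the role that deployed it.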

Moreover, you can protect data in Amazon S3 Glacier vaults by using S3 Glacier Vault Lock, which lets you deploy and enforce compliance controls for individual vaults with a vault lock policy. You can specify security controls, such as WORM, in a vault lock policy and lock the policy from future edits. Locking is a two-step process: initiating the lock attaches the policy and returns a lock ID, after which you have 24 hours to test the policy and either abort it or complete the lock; once completed, the policy cannot be changed or removed by anyone. Amazon S3 Glacier enforces the controls set in the vault lock policy to help achieve your compliance objectives, such as for data retention. You can deploy a variety of compliance controls in a vault lock policy using the AWS Identity and Access Management (IAM) policy language, for example a Deny on glacier:DeleteArchive conditioned on glacier:ArchiveAgeInDays. Note that Vault Lock applies to vaults accessed through the S3 Glacier API; objects that a lifecycle rule transitions to the S3 Glacier storage classes remain S3 objects governed by Object Lock, not by Vault Lock.
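The paragraph above describes the Vault Lock workflow without showing it. The following code, an added example that is not part of the AWS guide, builds a vault lock policy that denies archive deletion until a minimum age, reviews the policy offline before anything is locked, and then carries out the two-step initiate/complete sequence with boto3. The account ID, region and vault name are assumed placeholders; vault_lock_policy() and delete_denied_for_age() run without network access, while initiate_lock(), abort_lock() and complete_lock() need boto3 and AWS credentials.

```python
"""Added example, not from the AWS guide: lock an S3 Glacier vault under a WORM
policy. The account ID, region and vault name are assumed placeholders. The
policy builder and delete_denied_for_age() run offline; initiate_lock(),
abort_lock() and complete_lock() need boto3 and AWS credentials."""
import json

try:
    import boto3
except ImportError:  # SDK is only needed to talk to AWS
    boto3 = None

ACCOUNT_ID = "111122223333"  # placeholder account ID


def vault_lock_policy(account_id: str, region: str, vault_name: str,
                      min_retention_days: int) -> dict:
    """Deny glacier:DeleteArchive while an archive is younger than the retention
    period. Once the lock completes, this applies to every principal, root included."""
    if min_retention_days < 1:
        raise ValueError("min_retention_days must be at least 1")
    vault_arn = f"arn:aws:glacier:{region}:{account_id}:vaults/{vault_name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyDeleteBeforeRetentionExpires",
        "Effect": "Deny", "Principal": "*",
        "Action": "glacier:DeleteArchive",
        "Resource": vault_arn,
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": str(min_retention_days)}},
    }]}


def delete_denied_for_age(policy: dict, archive_age_days: int) -> bool:
    """Offline review of the policy's intent before it is locked for good: would
    an archive of this age be protected? Only the age condition is modelled."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "glacier:DeleteArchive" not in actions:
            continue
        limit = (stmt.get("Condition", {}).get("NumericLessThan", {})
                 .get("glacier:ArchiveAgeInDays"))
        if limit is None or archive_age_days < int(limit):  # unconditional, or still too young
            return True
    return False


def initiate_lock(vault_name: str, min_retention_days: int, region: str) -> str:
    """Step 1: attach the policy and start the lock. The vault enters InProgress
    and you have 24 hours to test it, then either abort_lock() or complete_lock()."""
    glacier = boto3.client("glacier", region_name=region)
    policy = json.dumps(vault_lock_policy(ACCOUNT_ID, region, vault_name, min_retention_days))
    # accountId="-" means the account that owns the calling credentials
    resp = glacier.initiate_vault_lock(accountId="-", vaultName=vault_name,
                                       policy={"Policy": policy})
    return resp["lockId"]


def abort_lock(vault_name: str, region: str) -> None:
    """Discard an InProgress lock; impossible once the lock has been completed."""
    boto3.client("glacier", region_name=region).abort_vault_lock(
        accountId="-", vaultName=vault_name)


def complete_lock(vault_name: str, lock_id: str, region: str) -> str:
    """Step 2: make the policy permanent. Returns the lock state, expected 'Locked'."""
    glacier = boto3.client("glacier", region_name=region)
    state = glacier.get_vault_lock(accountId="-", vaultName=vault_name)["State"]
    if state != "InProgress":  # already Locked (an expired lock raises not-found instead)
        raise RuntimeError(f"cannot complete lock from state {state!r}")
    glacier.complete_vault_lock(accountId="-", vaultName=vault_name, lockId=lock_id)
    return glacier.get_vault_lock(accountId="-", vaultName=vault_name)["State"]
```

Use the 24-hour window deliberately: after initiate_lock(), upload a small test archive and confirm that deleting it is denied, then call complete_lock() only once the policy behaves as intended. A mistake found after completion cannot be corrected, since the vault lock policy can then no longer be edited or removed.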