April 21, 2022
An Identity and Access Management (IAM) user has been granted the ability to bypass S3 Object Lock protection through the s3:BypassGovernanceRetention permission. S3 Object Lock stores objects using a write-once-read-many (WORM) model and can prevent objects from being deleted or overwritten, either for a fixed period or indefinitely. It is used to meet regulatory requirements that mandate WORM storage, or simply to add an extra layer of protection against object modification and deletion. If a principal holding s3:BypassGovernanceRetention attempts to delete an object protected by S3 Object Lock in governance mode, the operation succeeds, overriding the lock. IAM users with this permission should be audited, reviewed, and monitored for activity, and the s3:BypassGovernanceRetention permission should be removed wherever it is not required.
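The audit step above can be automated by scanning each principal's IAM policy documents for Allow statements that cover s3:BypassGovernanceRetention, including wildcard and NotAction forms that a plain string search would miss. The following is an added example, not code from the original post; the policy documents it scans are constructed for illustration, and in practice you would feed it the JSON returned by the IAM policy APIs for each user, group and role.

```python
from fnmatch import fnmatchcase

TARGET = "s3:BypassGovernanceRetention"

def _as_list(value):
    """IAM lets Action/NotAction/Statement be a single item or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatchcase(TARGET.lower(), pattern.lower())

def statement_grants_bypass(stmt):
    """True if this Allow statement covers s3:BypassGovernanceRetention.

    Handles wildcards (s3:*, s3:Bypass*, *) and NotAction (allow everything
    except the listed actions). Deny statements are not evaluated: an explicit
    Deny elsewhere would still win, so a hit means 'review', not 'effective'.
    """
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        return not any(_matches(a) for a in _as_list(stmt["NotAction"]))
    return any(_matches(a) for a in _as_list(stmt.get("Action")))

def policy_grants_bypass(policy):
    """Return the Sids (or positional labels) of statements granting the bypass."""
    return [stmt.get("Sid", f"statement[{i}]")
            for i, stmt in enumerate(_as_list(policy.get("Statement")))
            if statement_grants_bypass(stmt)]

# Constructed sample policy documents (not from any real account).
RISKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Sid": "Cleanup", "Effect": "Allow",
     "Action": ["s3:DeleteObjectVersion", "s3:BypassGovernanceRetention"],
     "Resource": "arn:aws:s3:::example-worm-bucket/*"}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
# Remediated RISKY_POLICY: bypass dropped, so unlocked versions can still be
# deleted but versions under governance-mode retention cannot.
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Cleanup", "Effect": "Allow", "Action": ["s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::example-worm-bucket/*"}]}
```

Run `policy_grants_bypass` over every inline and attached policy for a principal; any non-empty result is a finding to review, and the SAFE_POLICY shape shows the remediated form that keeps deletion rights without the lock bypass.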