IAM User has S3 Object Lock Bypass Permissions

Tenacity Id:

Risk Level:

Last Updated: April 21, 2022

An Identity and Access Management (IAM) user has been granted the ability to bypass S3 Object Lock protection through the s3:BypassGovernanceRetention permission. S3 Object Lock stores objects using a write-once-read-many (WORM) model: it can prevent objects from being deleted or overwritten for a fixed period of time or indefinitely. It is used to meet regulatory requirements that mandate WORM storage, or to add an extra layer of protection against object changes and deletion. If a principal that holds the s3:BypassGovernanceRetention permission tries to delete an object protected by S3 Object Lock in governance mode, the operation succeeds, overriding the Object Lock. IAM users with this permission should be audited, reviewed, and monitored for activity, and the s3:BypassGovernanceRetention permission should be removed where it is not required.
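As an added example (not part of the Tenacity check itself), the following Python evaluates identity-based IAM policy documents offline to find users whose policies grant s3:BypassGovernanceRetention, including grants that arrive through wildcards such as `s3:*` or `s3:Bypass*`, and it honours an explicit Deny, which is the usual remediation when the wildcard grant cannot be narrowed. The user names, bucket name and policy documents are constructed sample data; pulling real documents from the IAM API is left out so the script runs stand-alone.

```python
import fnmatch

# The permission this check is looking for.
BYPASS_ACTION = "s3:BypassGovernanceRetention"


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_verdict(stmt, action):
    """Return 'Allow', 'Deny' or None depending on whether `stmt` covers `action`."""
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    if actions:
        matched = any(_action_matches(p, action) for p in actions)
    elif not_actions:
        # NotAction covers every action except the listed ones.
        matched = not any(_action_matches(p, action) for p in not_actions)
    else:
        matched = False
    return stmt.get("Effect") if matched else None


def effective_decision(policy_docs, action):
    """Combine all statements across the user's policies: explicit Deny wins,
    otherwise any Allow grants the action, otherwise it is implicitly denied."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            verdict = statement_verdict(stmt, action)
            if verdict == "Deny":
                return "Deny"
            if verdict == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def find_bypass_users(users):
    """Names of users whose identity policies allow s3:BypassGovernanceRetention."""
    return [u["UserName"] for u in users
            if effective_decision(u["Policies"], BYPASS_ACTION) == "Allow"]


# Constructed sample data standing in for the output of the IAM API.
SAMPLE_USERS = [
    {"UserName": "backup-operator", "Policies": [{          # no bypass grant
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "*"}]}]},
    {"UserName": "legal-hold-admin", "Policies": [{         # explicit grant
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "s3:BypassGovernanceRetention",
                       "Resource": "arn:aws:s3:::example-worm-bucket/*"}]}]},
    {"UserName": "s3-poweruser", "Policies": [{             # grant via wildcard
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}]},
    {"UserName": "analyst", "Policies": [{                  # wildcard, but Deny wins
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:BypassGovernanceRetention",
             "Resource": "*"}]}]},
]

if __name__ == "__main__":
    for name in find_bypass_users(SAMPLE_USERS):
        print(f"finding: {name} can bypass Object Lock governance retention")
```

The evaluator only considers the user's own identity-based policies; group and role policies, permission boundaries, service control policies and bucket policies would have to be fed in as well for a complete picture, and statements carrying a Condition block are treated as granting the action, which is the conservative choice for an audit. Note that even with the permission granted, a governance-mode lock is only bypassed when the caller explicitly asks for it on the request (the x-amz-bypass-governance-retention header), so CloudTrail entries for DeleteObject and PutObject carrying that header are the events worth monitoring for these users.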