Classify the data first — Object Lock requires versioning and can only be enabled at bucket creation. Create a new bucket with Object Lock enabled and choose GOVERNANCE or COMPLIANCE retention to match the protection level required. Migrate the objects from the old bucket and cut consumers over. Set a default retention period so new objects inherit protection.

Compliance Medium severity

AWS Security Hub · S3

S3.15: Buckets should have Object Lock enabled

Written and reviewed by Emnode · Last reviewed 27 May 2026

What does AWS Security Hub S3.15 check?

S3.15 checks that a general-purpose bucket has Object Lock enabled. It reports FAILED when Object Lock is not configured, meaning objects can be overwritten or deleted with no write-once-read-many protection.

Why does S3.15 matter?

Object Lock gives a bucket WORM protection, so ransomware, a compromised credential or an accidental script cannot tamper with or delete protected objects within their retention period. Without it, anyone with write access can quietly destroy data that compliance or recovery depends on.

How do I fix S3.15?

Classify the data first — Object Lock requires versioning and can only be enabled at bucket creation.
Create a new bucket with Object Lock enabled and choose GOVERNANCE or COMPLIANCE retention to match the protection level required.
Migrate the objects from the old bucket and cut consumers over.
Set a default retention period so new objects inherit protection.

Remediation script · bash

# 1. Create the locked replacement bucket (versioning enabled automatically).
aws s3api create-bucket \
  --bucket fintech-db-snapshots-locked \
  --region us-east-1 \
  --object-lock-enabled-for-bucket

# 2. Set a default retention rule. Use COMPLIANCE for true regulatory WORM.
aws s3api put-object-lock-configuration \
  --bucket fintech-db-snapshots-locked \
  --object-lock-configuration \
    'ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=COMPLIANCE,Days=2555}}'

# 3. Migrate existing data, then repoint the backup job at the new bucket.
aws s3 sync s3://fintech-db-snapshots s3://fintech-db-snapshots-locked

# 4. Confirm the lock is in place before decommissioning the old bucket.
aws s3api get-object-lock-configuration --bucket fintech-db-snapshots-locked

Full walkthrough (console steps, edge cases and verification) in the lesson Enable Object Lock on S3 general purpose buckets.

Is S3.15 a false positive?

Object Lock cannot be bolted onto an existing bucket — it is a creation-time setting, so fixing S3.15 means create-new-and-migrate, not flipping a switch.

Full lesson Enable Object Lock on S3 general purpose buckets Step-by-step remediation with CLI, code and persona-specific context.

AWS documentation for S3 controls ↗ Check your own account for S3.15 →

S3.1 Account-level S3 public access is not fully blocked
S3.2 Public S3 buckets expose data to anyone on the internet
S3.3 Buckets can be written to by anyone on the internet
S3.5 S3 is accepting unencrypted HTTP requests
S3.6 Bucket policy grants broad access to other AWS accounts
S3.8 Buckets can still be made public; Block Public Access is off
S3.9 No S3 access logs, so reads and writes go unaudited
S3.10 Versioned buckets should have lifecycle configurations
S3.11 Buckets should have event notifications enabled
S3.12 ACLs should not be used to manage bucket access
S3.13 Buckets have no lifecycle rules and grow forever
S3.17 Buckets should be encrypted at rest with KMS keys