Innovation Series

Amazon S3 Security Part 4: Data Immutability

Aashish Aacharya (AJ), Senior Cloud Security Engineer

In the previous part of this five-part series, we discussed how to achieve data integrity using Amazon S3 features. In this part, we walk through enabling Amazon S3 cross-region and cross-account replication to achieve data immutability: a copy of your data is kept remote and secure, access to it is segregated, compliance requirements are met, and latency is reduced, which improves operational efficiency.

Amazon S3 replication

Replication automatically and asynchronously copies objects between Amazon S3 buckets, whether the buckets are in the same or different AWS accounts and regions, and to one or more destination buckets. Typical use cases are meeting data compliance requirements, minimizing latency, and increasing operational efficiency.

To create a replication rule, go to the Amazon S3 console and select the S3 bucket. Note that replication requires versioning to be enabled on both the source and destination buckets, so under the “Properties” tab of the bucket, edit the “Bucket Versioning” field.

Bucket versioning

Next, select “Enable” and save the changes.

Enable bucket versioning

Next, to create a replication rule, go to “Replication rules” under the “Management” tab and click “Create replication rule.”

Create replication rules

Provide a replication rule name and set the rule status. Note that the status must be Enabled for the batch job (discussed later in this article) to work.

Rule configuration

You can choose to apply the rule to all objects or filter objects by prefix, object tags, or a combination of both. In this example, let’s apply it to all objects in the bucket.

Tags by bucket

For the destination, you can choose the same or a different AWS account. Ideally, and especially for sensitive logs, use a separate AWS account: if the source account is compromised, you still have a backup copy in a location the attacker cannot reach. The destination account can also be locked down for security and compliance, so it is not exposed to the same tampering as the source account. It is always a best practice to keep the AWS users or IAM roles that can access the source account separate from those that can access the destination account. Note also that replication never propagates the permanent deletion of an object version, so replica versions cannot be erased by acting on the source bucket alone.

Let’s use the same account but a bucket in a different region in this example.

Choose a destination

You will need to provide an IAM role that Amazon S3 assumes to replicate objects. You can also select “Create new role” to have one created automatically.

Provide an IAM role

Additionally, you have options to change the destination storage class and to replicate objects encrypted with AWS KMS, if needed. Let’s keep the default options here, enable RTC (S3 Replication Time Control) along with replication metrics and notifications, and click “Save.”

Choose your options
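The same steps, expressed with the S3 API instead of the console, as an added example that is not part of the original post or Druva’s code. It assumes placeholder bucket names, account ID and role ARN, and uses boto3’s put_bucket_versioning and put_bucket_replication; the builder and check functions run offline, and only apply() talks to AWS. The rule keeps delete marker replication disabled, which is what makes the replica survive deletions in the source bucket.

```python
"""Added example, not code from the original post or from Druva: the
versioning and replication settings described above, built as the request
bodies that boto3's put_bucket_versioning and put_bucket_replication accept.
Bucket names, the account ID and the role ARN are placeholders."""
from typing import Any, Dict, List, Optional

# Placeholder identifiers (assumptions, not values from the post).
SOURCE_BUCKET = "example-source-bucket"
DESTINATION_BUCKET = "example-destination-bucket"   # a bucket in another region
REPLICATION_ROLE_ARN = "arn:aws:iam::111122223333:role/example-s3-replication-role"

# Both buckets must carry this versioning configuration before a rule is accepted.
VERSIONING_ENABLED = {"Status": "Enabled"}


def replication_rule(rule_id: str, destination_bucket: str, prefix: str = "",
                     tags: Optional[Dict[str, str]] = None, rtc: bool = True) -> Dict[str, Any]:
    """Build one replication rule.

    An empty Filter matches every object (the "all objects" choice in the
    console); a prefix and/or tags narrow it.  DeleteMarkerReplication stays
    Disabled, so deleting objects through the source bucket does not remove
    the replica, which is the immutability property the post is after.
    """
    tag_list = [{"Key": k, "Value": v} for k, v in (tags or {}).items()]
    filt: Dict[str, Any]
    if prefix and tag_list:
        filt = {"And": {"Prefix": prefix, "Tags": tag_list}}
    elif len(tag_list) > 1:
        filt = {"And": {"Tags": tag_list}}
    elif tag_list:
        filt = {"Tag": tag_list[0]}
    elif prefix:
        filt = {"Prefix": prefix}
    else:
        filt = {}
    destination: Dict[str, Any] = {"Bucket": f"arn:aws:s3:::{destination_bucket}"}
    if rtc:
        # S3 Replication Time Control: 15-minute replication SLA, which requires
        # replication metrics with the same threshold.
        destination["ReplicationTime"] = {"Status": "Enabled", "Time": {"Minutes": 15}}
        destination["Metrics"] = {"Status": "Enabled", "EventThreshold": {"Minutes": 15}}
    return {
        "ID": rule_id,
        "Priority": 1,
        "Filter": filt,
        "Status": "Enabled",  # must stay Enabled for the batch job described later
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": destination,
    }


def replication_configuration(role_arn: str, rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """The ReplicationConfiguration body: the role S3 assumes plus the rules."""
    return {"Role": role_arn, "Rules": rules}


def check_preconditions(source_versioning: Dict[str, str], dest_versioning: Dict[str, str],
                        config: Dict[str, Any]) -> List[str]:
    """List what would make S3 reject the configuration or the later batch job
    fail: versioning must be Enabled on both buckets and every rule Enabled."""
    problems = []
    if source_versioning.get("Status") != "Enabled":
        problems.append("source bucket versioning is not Enabled")
    if dest_versioning.get("Status") != "Enabled":
        problems.append("destination bucket versioning is not Enabled")
    if not config.get("Rules"):
        problems.append("no replication rules defined")
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            problems.append(f"rule {rule.get('ID')} is not Enabled")
    return problems


def apply(source_bucket: str, destination_bucket: str, config: Dict[str, Any]) -> None:
    """Push the settings to AWS with boto3 (needs credentials and network)."""
    import boto3  # imported here so the module loads without boto3 installed
    s3 = boto3.client("s3")
    for bucket in (source_bucket, destination_bucket):
        s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration=VERSIONING_ENABLED)
    s3.put_bucket_replication(Bucket=source_bucket, ReplicationConfiguration=config)


if __name__ == "__main__":
    cfg = replication_configuration(
        REPLICATION_ROLE_ARN, [replication_rule("replicate-all-objects", DESTINATION_BUCKET)])
    print(check_preconditions(VERSIONING_ENABLED, VERSIONING_ENABLED, cfg) or "preconditions met")
```

Run check_preconditions() against the versioning status returned by get_bucket_versioning for each bucket before calling apply(); the list it returns is the same set of conditions that make the console reject the rule or the later batch job fail.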

You can enable a one-time Batch Operations job from the replication configuration to replicate objects that already exist in the bucket and bring the destination in sync with the source. Let’s select this option for the example. If you do not, only objects written after the rule is created are replicated.

Replicate objects

To do this, you will have to create a batch job, as in the example below, and click “Save.”

Create a batch job

You can monitor the progress of the job under the “Batch Operations” tab in the Amazon S3 console. Note that if you haven’t enabled replication from the bucket’s “Management” tab yet, the job will fail.

Monitor progress under "Batch Operations"

When the batch job is ready, its status shows “Awaiting your confirmation.” Click “Run job” to start it. The status then changes to “Ready,” then “Active” while the job runs, then “Completing,” and finally “Completed.”

Monitor progress
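The batch job lifecycle just described, driven through the S3 Control API instead of the console, as an added example that is not part of the original post or Druva’s code. It assumes placeholder account ID, bucket names and role ARN, and uses boto3’s s3control create_job, describe_job and update_job_status; the request shape is the CreateJob body for Batch Replication. The console’s “Awaiting your confirmation” corresponds to the API status Suspended and “Completed” to Complete. A small simulated client is included so the flow runs offline.

```python
"""Added example, not code from the original post or from Druva: creating the
one-time batch replication job described above with boto3's 's3control'
client, confirming it ("Run job") and following it to completion.  Account
ID, bucket names and role ARN are placeholders."""
import time
import uuid
from typing import Any, Dict, List, Tuple

ACCOUNT_ID = "111122223333"                      # placeholder
SOURCE_BUCKET = "example-source-bucket"          # placeholder
REPORT_BUCKET = "example-batch-report-bucket"    # placeholder
BATCH_ROLE_ARN = "arn:aws:iam::111122223333:role/example-batch-replication-role"  # placeholder

# API status names: "Suspended" is the console's "Awaiting your confirmation",
# "Complete" is the console's "Completed".
TERMINAL_STATUSES = {"Complete", "Failed", "Cancelled"}


def batch_replication_job_request(account_id: str, source_bucket: str,
                                  role_arn: str, report_bucket: str) -> Dict[str, Any]:
    """Request body for s3control.create_job.  The manifest generator selects
    objects the bucket's replication rules make eligible that were never
    replicated or failed; ConfirmationRequired makes the job wait for "Run job"."""
    return {
        "AccountId": account_id,
        "ConfirmationRequired": True,
        "Operation": {"S3ReplicateObject": {}},
        "Report": {
            "Bucket": f"arn:aws:s3:::{report_bucket}",
            "Format": "Report_CSV_20180820",
            "Enabled": True,
            "Prefix": "batch-replication-reports",
            "ReportScope": "AllTasks",
        },
        "ClientRequestToken": str(uuid.uuid4()),  # idempotency token
        "ManifestGenerator": {
            "S3JobManifestGenerator": {
                "ExpectedBucketOwner": account_id,
                "SourceBucket": f"arn:aws:s3:::{source_bucket}",
                "EnableManifestOutput": False,
                "Filter": {"EligibleForReplication": True,
                           "ObjectReplicationStatuses": ["NONE", "FAILED"]},
            }
        },
        "Priority": 10,
        "RoleArn": role_arn,
    }


def next_action(status: str) -> str:
    """What to do with a job in the given API status."""
    if status == "Suspended":
        return "confirm"          # the API equivalent of clicking "Run job"
    if status in TERMINAL_STATUSES:
        return "done"
    return "wait"


def run_job(client: Any, account_id: str, request: Dict[str, Any],
            poll_seconds: float = 15.0) -> Tuple[str, List[str]]:
    """Create the job, confirm it when asked, return (job id, statuses seen)."""
    job_id = client.create_job(**request)["JobId"]
    seen: List[str] = []
    while True:
        status = client.describe_job(AccountId=account_id, JobId=job_id)["Job"]["Status"]
        if not seen or seen[-1] != status:
            seen.append(status)
        action = next_action(status)
        if action == "confirm":
            client.update_job_status(AccountId=account_id, JobId=job_id,
                                     RequestedJobStatus="Ready")
        elif action == "done":
            return job_id, seen
        time.sleep(poll_seconds)


class SimulatedS3Control:
    """Constructed stand-in for boto3.client('s3control'): walks a job through
    the statuses the post lists and makes no AWS calls."""
    def __init__(self) -> None:
        self.jobs: Dict[str, List[str]] = {}
        self.confirmed: List[str] = []

    def create_job(self, **request: Any) -> Dict[str, str]:
        job_id = "sim-" + request["ClientRequestToken"][:8]
        self.jobs[job_id] = ["Suspended"]   # waits until confirmed
        return {"JobId": job_id}

    def describe_job(self, AccountId: str, JobId: str) -> Dict[str, Any]:
        pending = self.jobs[JobId]
        status = pending[0] if len(pending) == 1 else pending.pop(0)
        return {"Job": {"JobId": JobId, "Status": status}}

    def update_job_status(self, AccountId: str, JobId: str,
                          RequestedJobStatus: str) -> Dict[str, str]:
        self.confirmed.append(JobId)
        self.jobs[JobId] = ["Ready", "Active", "Completing", "Complete"]
        return {"JobId": JobId, "Status": RequestedJobStatus}


if __name__ == "__main__":
    req = batch_replication_job_request(ACCOUNT_ID, SOURCE_BUCKET, BATCH_ROLE_ARN, REPORT_BUCKET)
    print(run_job(SimulatedS3Control(), ACCOUNT_ID, req, poll_seconds=0))
```

Against AWS, pass boto3.client("s3control") as the client; the role in RoleArn needs permission to read the source bucket's replication configuration and to write the report, and the replication rule must already be Enabled or the job fails as the post notes.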

You can then download the completion report and verify the results:

Download and verify jobs

The .csv report sample looks like this:

Example report
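A parser for the downloaded completion report that checks every task succeeded, as an added example that is not part of the original post or Druva’s code. The rows are constructed; the column order assumed here (Bucket, Key, VersionId, TaskStatus, HTTPStatusCode, ErrorCode, ResultMessage, with no header row) is the layout of Batch Operations CSV reports and should be checked against the file you download.

```python
"""Added example, not code from the original post or from Druva: read a
Batch Operations completion report (.csv, no header row) and list the tasks
that did not succeed.  The sample rows are constructed; the column order is
an assumption about the report layout."""
import csv
import io
from collections import Counter
from typing import Any, Dict, List, Tuple

COLUMNS = ["Bucket", "Key", "VersionId", "TaskStatus",
           "HTTPStatusCode", "ErrorCode", "ResultMessage"]

# Constructed sample: two replicated objects and one that was denied.
SAMPLE_REPORT = """\
example-source-bucket,logs/2023/01/app.log,3xKdQ2,succeeded,200,,Successful
example-source-bucket,logs/2023/01/db.log,8LmPq1,succeeded,200,,Successful
example-source-bucket,logs/2023/02/app.log,Zz91Ab,failed,403,PermanentFailure,"Access Denied"
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Turn the header-less CSV into one dict per task, skipping blank lines."""
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if not record:
            continue
        rows.append(dict(zip(COLUMNS, record)))
    return rows


def failed_tasks(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(key, version, error code, message) for every task not marked succeeded."""
    return [(r["Key"], r["VersionId"], r["ErrorCode"], r["ResultMessage"])
            for r in rows if r["TaskStatus"] != "succeeded"]


def verify(text: str) -> Dict[str, Any]:
    """Summarize a report: task counts by status, the failures, and an overall verdict."""
    rows = parse_report(text)
    failures = failed_tasks(rows)
    return {
        "total": len(rows),
        "counts": Counter(r["TaskStatus"] for r in rows),
        "failed": failures,
        "all_succeeded": len(rows) > 0 and not failures,
    }


if __name__ == "__main__":
    result = verify(SAMPLE_REPORT)
    print(f"{result['total']} tasks, {dict(result['counts'])}")
    for key, version, code, message in result["failed"]:
        print(f"FAILED {key} (version {version}): {code} {message}")
```

A failed row is the signal to act on: the object is still only in the source bucket, so its replication status stays NONE or FAILED and the next batch job with the same filter will pick it up again once the cause (here a permission problem) is fixed.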


Amazon S3 cross-region and cross-account replication gives you an immutable copy of your data that helps meet compliance requirements, minimize latency, and increase operational efficiency. In the next and final part of the series, we will discuss additional security measures for your Amazon S3 data.

Next Steps

Return to the introduction of this series for links to each blog in the series, and read the final issue to learn about additional security layers in Amazon S3. To learn more about the technical innovations and best practices powering cloud backup and data management, visit the Innovation Series section of Druva’s blog archive.

About the Author

I have been in the cloud tech world since 2015, wearing multiple hats and working as a consultant to help customers architect their cloud journey. I joined Druva four years ago as a cloud engineer. Currently, I lead Druva’s cloud security initiatives, roadmap, and planning. I love to approach cloud security pragmatically because I strongly believe that the most important component of security is the humans behind the systems. 
