AWS Storage Blog

Protect your resources from unintended deletions through Rule Lock for Recycle Bin

Security and data protection are top-of-mind for AWS customers, especially when dealing with business-critical cloud resources. Customers want to protect their production data from accidental data loss as well as from emerging threats like ransomware, malicious insiders or account takeover attacks. On November 23rd, 2022, we added stronger controls to Recycle Bin through the Rule Lock setting to help customers recover their resources in case of malicious deletion attempts.

Recycle Bin is a data recovery and protection feature that helps customers recover their resources in the event of accidental deletions. Customers can set up retention rules to retain deleted EBS Snapshots or EC2 AMIs in the Recycle Bin so that they can be recovered if needed. Each retention rule specifies a retention period (between one day and one year) for which the resources are retained in the Recycle Bin before permanent deletion. For example, you can set up a region-level retention rule for all EBS Snapshots in your account to ensure that you can recover your backups in case of accidental or malicious actions.

Rule Lock for Recycle Bin enables organizations to take a defense-in-depth approach by adding an independent layer of protection to enhance the security posture of critical resources. When you enable rule lock for a retention rule, the rule can no longer be modified or deleted by any user. You are also required to set an “unlock delay period” (between 7 and 30 days) at the time of configuring the lock. If the rule is unlocked by a malicious actor, it stays locked until the unlock delay period expires. This means that even in the case of a total account compromise, locked Recycle Bin rules cannot be modified or deleted immediately and your deleted resources remain protected. The delay period gives you additional time to take remedial action while your deleted resources are safely retained in the Recycle Bin. Locked Recycle Bin retention rules can thus serve as an additional line of defense against threats like ransomware or account takeover attempts.

In a previous blog, we took you through the steps to set up Recycle Bin retention rules. In this post, I dive deep into the following topics to show you how to use Rule Lock for Recycle Bin retention rules:

  1. Locking your retention rules
  2. Unlocking your retention rules
  3. Re-locking a retention rule during the unlock delay period
  4. Monitoring rule lock status and identifying malicious activity

This will help you lock your retention rules so that they cannot be modified or deleted by any user, including Recycle Bin administrators. You’ll also be able to specify a delay period (between 7 and 30 days) after which a locked rule can be modified, enhancing your security posture against unintentional or malicious deletions of snapshots and AMIs.

Locking your retention rules

To get started, first open the Recycle Bin Console. In the navigation panel, choose Retention rules.

Click the 'Retention rules' option in the navigation menu on the left side of the page.

Once you’re on the Retention rules page, select Edit retention rule lock from the Actions dropdown menu after selecting the rule that you want to lock. In this example, we have already created a retention rule to protect all EBS Snapshots in the account by retaining them in the Recycle Bin for 10 days after initial deletion.

Note: Only users with appropriate IAM permissions to lock or unlock a rule can edit the retention rule lock. To learn more, see Recycle Bin IAM permissions.

On the retention rules page, select the rule that you want to lock/unlock and select 'Edit retention rule lock' in the Actions dropdown menu.

Select the Lock option under Rule lock settings and provide an Unlock delay period (between 7 and 30 days). In this example, we are setting an unlock delay period of 21 days.

Click on the checkbox to acknowledge that you understand that your rules cannot be modified or deleted after you lock them. Then, click the Save Changes button.

Note: If account permissions were compromised, the unlock delay period would give you additional time to detect and respond to security breaches. The length of this period should be longer than the time it takes for you to identify breaches. To set the right duration, you can review previous security incidents and assess the time needed to identify and remediate an account breach.

In the edit retention rule lock page, enter the unlock delay period in days. After entering the desired value, click the checkbox in the acknowledgement section.

When your retention rule is successfully locked, you will see the notification as shown below. The rule lock state of your retention rule will also change to Locked.

The banner for 'Successfully locked retention rule' is displayed at the top of the screen when the rule is locked.

Alternatively, you can also use the LockRule API to lock a retention rule.

After you’ve successfully locked a rule, it can no longer be modified or deleted as illustrated below.

The 'Edit retention rule' and 'Delete retention rule' options in the dropdown are grayed out for locked rules as they cannot be modified or deleted.

Note: When a deleted resource matches both a locked retention rule and an unlocked retention rule, the rule with the longest retention period takes precedence. In line with this, we have also updated the considerations for using Region-level rules and tag-level rules. Previously, if a deleted resource matched both a Region-level rule and a tag-level rule, the retention period of the tag-level rule was applied. Now, regardless of the type of retention rule, Recycle Bin always applies the qualifying rule with the longest retention period to a deleted resource. If a qualifying rule has Rule Lock enabled, its retention period is applied to the resource unless another qualifying rule specifies a longer retention period.

Unlocking retention rules

You can unlock a retention rule to allow it to be modified or deleted. To do this, simply select the retention rule that you want to unlock and then select Edit retention rule lock in the Actions dropdown menu.

Select the Unlock option in the rule settings page.

The rule lock state says 'locked' for a locked rule. Select the 'Unlock' option to unlock the rule.

You will be asked to confirm your intent by typing ‘unlock’ in the window.

You'll have to type in 'unlock' in the pop-up window to confirm your intent.

The rule will go into the Pending unlock state once you confirm and will be unlocked after the unlock delay period expires.

In the retention rules page, the rule lock state for rules in the pending unlock state is displayed as 'pending unlock'.

Note: Only users who have permissions to unlock the rule can execute this action.

Re-locking a retention rule during the unlock delay period

If a rule has been unlocked unintentionally due to an accidental or malicious action, you can lock the rule again. To do this, select the retention rule that you want to lock again and select Edit retention rule lock in the Actions dropdown menu.

A rule cannot be edited in the pending unlock state. You can, however, re-lock the rule by selecting the 'Edit retention rule lock' option in the Actions dropdown menu.

You can then re-lock the rule by selecting the Lock option so that it cannot be modified or deleted.

You can re-lock a rule in the unlock pending state by choosing the 'Lock' option. The 'unlock delay period' field cannot be edited and stays the same when you lock the rule.

Note: You cannot change the unlock delay period for a rule in the unlock pending state. You can modify the rule only after the delay period expires.

Monitoring rule lock status and identifying malicious activity

Recycle Bin sends events to Amazon EventBridge for actions performed on retention rules. With EventBridge, you can establish rules that trigger programmatic actions in response to these events. For example, you can create a rule that sends a notification to your email when a retention rule is unlocked. You can also create a rule that, when a retention rule is unlocked, sends daily notifications until the unlock delay period lapses. This will help you identify unintended rule actions and take corrective steps. For more information, see Creating Amazon EventBridge rules that react to events.

In addition to Amazon EventBridge, you can also set up trails using AWS CloudTrail to track these events. You can use the information collected by CloudTrail to determine the request that was made to Recycle Bin, the IP address from which the request was made, who made the request, when it was made, and additional details.

Lastly, you can also monitor the lock status through the retention rules page in the Console or the GetRule and ListRules API calls. As shown below, if your rule has been unlocked by any user, the Rule lock state of your retention rule will change to Pending unlock. In the Details section, you can also view the time at which the rule is scheduled for unlock.

The rule lock state can be 'locked', 'unlocked' or 'pending unlock'. This is visible under the 'Rule lock state' column in the Retention rules page.
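As an added example (not code from the original post or from AWS), the following Python audit turns the monitoring step above into detection logic: it reads the lock state of every retention rule, flags rules that are unlocked or in Pending unlock, and reports how many days of the unlock delay period remain so that an unintended unlock can be re-locked in time. It also builds the LockConfiguration argument for the LockRule API call mentioned earlier, enforcing the 7 to 30 day limit. The field names (LockState, LockEndTime, ResourceType) follow the boto3 `rbin` GetRule/ListRules responses as I know them; the rule identifiers and timestamps in the sample are constructed.

```python
"""Audit Recycle Bin retention rules for lock state (added example, not from the post).
Field names follow the rbin GetRule/ListRules responses: LockState is one of
'locked', 'pending_unlock', 'unlocked'; LockEndTime is when a pending unlock completes."""
from datetime import datetime, timedelta, timezone

LOCKED, PENDING, UNLOCKED = "locked", "pending_unlock", "unlocked"

def classify_rules(rules, now):
    """Return (identifier, severity, message) for every rule that is not locked."""
    findings = []
    for rule in rules:
        state = rule.get("LockState", UNLOCKED)
        if state == LOCKED:
            continue  # protected: no user can modify or delete it
        if state == PENDING:
            # Someone started an unlock; the delay period is the window to re-lock.
            days_left = max((rule["LockEndTime"] - now).total_seconds(), 0) / 86400
            findings.append((rule["Identifier"], "HIGH",
                             f"unlock scheduled in {days_left:.1f} days; re-lock if unintended"))
        else:
            findings.append((rule["Identifier"], "MEDIUM", "rule is not locked"))
    return findings

def build_lock_configuration(unlock_delay_days):
    """LockConfiguration argument for LockRule; the service accepts 7 to 30 days."""
    if not 7 <= unlock_delay_days <= 30:
        raise ValueError("unlock delay must be between 7 and 30 days")
    return {"UnlockDelay": {"UnlockDelayValue": unlock_delay_days, "UnlockDelayUnit": "DAYS"}}

def audit_account(region, resource_type="EBS_SNAPSHOT"):
    """Live audit (needs AWS credentials); boto3 is imported lazily so the sample runs offline."""
    import boto3
    client = boto3.client("rbin", region_name=region)
    rules, kwargs = [], {"ResourceType": resource_type}
    while True:
        page = client.list_rules(**kwargs)
        rules += [client.get_rule(Identifier=r["Identifier"]) for r in page["Rules"]]
        if "NextToken" not in page:
            return classify_rules(rules, datetime.now(timezone.utc))
        kwargs["NextToken"] = page["NextToken"]

# Constructed sample covering the three states the console displays.
NOW = datetime(2022, 12, 1, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"Identifier": "rule-aaaa1111", "LockState": LOCKED},
    {"Identifier": "rule-bbbb2222", "LockState": PENDING,
     "LockEndTime": NOW + timedelta(days=20, hours=12)},
    {"Identifier": "rule-cccc3333", "LockState": UNLOCKED},
]

if __name__ == "__main__":
    for ident, severity, message in classify_rules(SAMPLE_RULES, NOW):
        print(f"{severity:6} {ident}: {message}")
```

Run `audit_account("us-east-1")` on a schedule (for example from a Lambda function triggered daily) to get the recurring reminder described above for rules sitting in Pending unlock.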

Conclusion

In this blog, we reviewed the new Rule Lock setting for Recycle Bin retention rules and showed you how to lock and unlock your retention rules. We also discussed how to enable notification mechanisms for monitoring your rule lock status to take corrective actions in case of unintended changes to the rule lock status.

Rule Lock for Recycle Bin provides you with the ability to recover from accidents or malicious security events. With the Rule Lock setting, you can add an additional layer of protection to your resources by locking your Recycle Bin retention rules. As locked retention rules cannot be modified or deleted, your resources are safely retained in the Recycle Bin even in the case of an account compromise. For more information and to get started today, see Recycle Bin documentation.

Thank you for reading this blog post on putting Rule Lock into practice. If you have any questions or comments, please leave a comment in the comments section.

Learn more

Setting up Rule Lock

Required IAM permissions

Monitor Recycle Bin using Amazon EventBridge