by tgsovlerkhgsel 1437 days ago
From my understanding, you can't delete a bucket that has objects and I assume you can't empty a bucket that has locked objects, but what happens if you close the entire account?

AWS recommends using accounts for segmentation, and has APIs to manage accounts (https://docs.aws.amazon.com/wellarchitected/latest/security-..., https://docs.aws.amazon.com/cli/latest/reference/organizatio...).

There is a 90-day recovery period, but I can think of edge cases where this isn't enough. There is some data that companies need exactly once a year for financial reporting/audits etc., but losing it is seriously expensive. Imagine the person managing that data being disgruntled and closing the account holding the data (and just that data, so the deletion isn't noticed) 6 months before the next audit.

Can you close an account with locked data in it? If yes, is the data actually deleted, or could the org recover it?

Another interesting scenario that could test how reliable the lock is would be a griefer (i.e. an actor that wants to cause damage without profiting from it) who gets access to an organization's account, uploads a large amount of data, and locks it. Will Amazon simply keep the data and waive the cost, or will support unlock the data, or will the organization be forced to pay up? The latter two both have interesting implications (compromised support agents and social engineering in the first case, extortion in the second case - think "we have taken over your AWS account and created several paths of access, send XX bitcoin or we'll lock this exabyte of data and you'll pay $XXXXXXXX in AWS fees, if you start taking away our access or deleting the data we'll see before you finish and use one of the remaining accounts to lock the data").

It's much harder to hide the fact that you have closed an account completely and much easier to put in a periodic check that the account still exists.

The difficulty with ransomware is that—without object lock—you would need to check that all data is still valid. That is usually going to be very difficult to do and any heuristic checks are liable to miss some cases.

On the other hand, checking that an account is still extant is easy and, since that's an operation that should not be undertaken without a whole oversight process, you can significantly limit who has the permission to do so.
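One way to build the periodic "does the account still exist" check described in the reply above, as an added example that is not from the thread or from AWS. It assumes the check runs with permission to call organizations:ListAccounts (from the management account or a delegated administrator), and the account IDs and labels in the inventory are constructed placeholders, not real accounts:

```python
"""Periodic check that every expected AWS account still exists and is ACTIVE.

Added example, not code from the thread. The pure check works on the shape of
the Accounts list returned by organizations:ListAccounts (each entry carries an
Id and a Status of ACTIVE, SUSPENDED or PENDING_CLOSURE); the boto3 call is
kept separate so the check itself can be exercised offline.
"""
from typing import Dict, Iterable, List

# Constructed inventory of accounts that must exist, keyed by account ID.
# In practice this would live in version control next to the org definition.
EXPECTED_ACCOUNTS: Dict[str, str] = {
    "111111111111": "audit-archive",   # placeholder ID
    "222222222222": "prod",            # placeholder ID
}


def audit_account_inventory(accounts: Iterable[dict],
                            expected: Dict[str, str]) -> List[str]:
    """Return one finding per expected account that is missing or not ACTIVE.

    A closed account shows up as PENDING_CLOSURE / SUSPENDED before it
    disappears entirely, so both the status and the presence are checked.
    """
    seen = {a["Id"]: a.get("Status", "UNKNOWN") for a in accounts}
    findings: List[str] = []
    for account_id, label in expected.items():
        status = seen.get(account_id)
        if status is None:
            findings.append(f"{label} ({account_id}): not present in the organization")
        elif status != "ACTIVE":
            findings.append(f"{label} ({account_id}): status is {status}")
    return findings


def list_organization_accounts() -> List[dict]:
    """Fetch every account in the organization with boto3 (needs AWS credentials).

    boto3 is imported here so the check above has no AWS dependency.
    """
    import boto3
    client = boto3.client("organizations")
    accounts: List[dict] = []
    for page in client.get_paginator("list_accounts").paginate():
        accounts.extend(page["Accounts"])
    return accounts


# Constructed sample in the shape of a ListAccounts response: the audit-archive
# account has been closed and is waiting out the recovery period.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "audit-archive", "Status": "PENDING_CLOSURE"},
    {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "sandbox", "Status": "ACTIVE"},
]

if __name__ == "__main__":
    # Swap SAMPLE_ACCOUNTS for list_organization_accounts() to run it for real,
    # e.g. from a scheduled job that pages someone on any finding.
    for finding in audit_account_inventory(SAMPLE_ACCOUNTS, EXPECTED_ACCOUNTS):
        print("ALERT:", finding)
```

Because a closed account sits in the recovery period before it is gone, a check that runs well inside that window (daily, say) catches the scenario the original post worries about while the data can still be recovered; the inventory should be owned by someone other than whoever can close accounts.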

Oh, I totally agree that this solves at least 99% of the problem. I'm just wondering if this is an edge case that remains.