Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.2.2. Data Integrity Mechanisms

First Principle: Encryption protects confidentiality (prevents reading), but integrity mechanisms protect against unauthorized modification and deletion — equally critical threats that encryption alone doesn't address.

S3 Object Lock:
  • Compliance mode: No user (including root) can delete or overwrite during retention period
  • Governance mode: Users with special permissions can override the lock
  • Legal hold: Indefinite retention independent of retention period
  • Use case: regulatory retention (SEC 17a-4, HIPAA), ransomware protection
S3 Glacier Vault Lock:
  • Immutable compliance policy for Glacier vaults
  • Once locked, the policy cannot be changed or deleted
  • Use case: long-term archival with regulatory retention requirements
S3 Versioning:
  • Maintains all previous versions of objects
  • Deleting an object adds a delete marker — previous versions remain
  • Combined with Object Lock, provides defense against both accidental and malicious deletion
Digital Code Signing:
  • AWS Signer: Sign code artifacts to verify they haven't been tampered with
  • Validates integrity of Lambda deployment packages, IoT firmware, container images
  • Consumers verify the signature before executing — rejecting unsigned or modified code
File Validation:
  • S3 checksums (CRC32, SHA-256) verify data integrity during upload and download
  • CloudTrail log file integrity validation (digest files) proves logs haven't been tampered with
  • Enable log file validation on CloudTrail trails for forensic evidence integrity

⚠️ Exam Trap: Object Lock Compliance mode prevents EVERYONE from deleting — including root. Governance mode allows deletion with s3:BypassGovernanceRetention permission. Know the difference — the exam tests this frequently.

Scenario: A financial institution needs to retain trade records for 7 years with proof that records were never modified. You configure S3 Object Lock in Compliance mode with a 7-year retention period. Even if an attacker compromises the root account, the records cannot be deleted or modified during the retention window.

Reflection Question: Why does ransomware protection specifically require Object Lock (not just versioning), and what's the difference between Compliance and Governance mode in a ransomware scenario?

Alvin Varughese
Written byAlvin Varughese
Founder15 professional certifications