Hello! Sorry for reviving a post that’s probably already old.
I’m looking to improve security/protection of my restic buckets in AWS S3, in the event of a server being hacked and the hacker getting access to the IAM credentials (and destroying the backups with it).
As mentioned above,
be aware that s3:PutObject
normally also allows to overwrite objects with whatever you like (garbage, empty objects) so this policy alone won’t be an effective ransomware protection - _IAM_USER_ID_
won’t be able to remove important files from the repository but still can completely destroy it…
And as a alternative, this was mentioned:
if you enable bucket versioning it will work totally fine 
I was now considering to enable versioning in my buckets, but I’m a bit confused how “practicable” it would be to restore a bucket that has been tempered.
My understanding of versioning is that each object gets their own version, and it’s not possible to restore a whole bucket state from a point in time, right?
So, if I want to restore a bucket which got several files destroyed, I’d have to be looking at each object’s versions, also would have to know which objects were affected, and restore the correct version for each. Am I thinking well here?
There was also this suggestion, above:
There’s also another mechanism called object lock - it wont stop the user from creating new version but it wont also allow to remove the particular version keeping it immutable
@teran - could you please clarify this one? Will that work well with restic?
If I have an IAM user that only has “PutObject” access, I suppose it will be able to create new snapshots, and then I need to run some “aws” command to lock all those files, is it? And then, before purging the snapshots, we would unlock the objects?
Do new snapshots not need to update existing files in the bucket, ever?
What about the meta/state files? (like config
and index
)
Anyway - I was looking into this, and seems that Object Lock only works if Versioning is enabled.
I need to be careful also, with extra costs due to Versioning. Restic itself already gives “versioning” (the snapshots themselves), so I was hoping to add extra protection without significant extra costs.
I’m still looking to see what’s my best option! 
Thank you!