Context: There are many reasons for wanting a very trustworthy timestamp on a document, as discussed in many other questions here such as this one I wrote in 2010. E.g., in an election auditing context, one thing we're interested in is a cheap, quick, secure way to publish hashes of ballot images (or batches of them) in a way that commits to their existence at a particular point in time. Such timestamped hashes can be used in later audits to help secure the chain-of-custody of the paper ballots.
One recent recommendation I heard was to simply publish the hashes in S3 buckets, claiming that objects are immutable and provide a creation date (called "Last-Modified" unfortunately), as discussed at S3 LastLodified timestamp for eventually-consistent overwrite PUTs - Stack Overflow
That seems like a plausible approach. But in reality, how hard to hack are S3 Last-Modified timestamps? Often things like this depend on the implementation and benefit from an informed threat analysis. I'd assert, e.g. that an Amazon insider with lots of access could change a timestamp somehow. If nothing else, they could change the implementation, though it could get very messy. Hacking the API servers might be another approach.
Can anyone shed light on whether there are attacks that can be mounted by outsiders that would change a timestamp? Given the value of hacking an election, or covering a hack up by hacking the audit also, I'll stipulate that I'm interested in everything from script kiddies to advanced persistent threats by nation-state actors.
I'd also be interested in insights on how hard insider attacks might be.
For bonus points, compare the hackability of this S3 approach to my current favorite low-overhead,seemingly hard-to-hack approach these days: Stellar timestamps via STELLARAPI.IO