
S3 Bucket Object Versioning

Overview

This check verifies that your Amazon S3 buckets have object versioning enabled. With versioning on, an overwrite stores a new version of the object instead of replacing it, and a plain delete places a delete marker on top of the existing versions instead of removing them, so you can restore an earlier version or undo a deletion.

Risk

Without versioning, a deleted or overwritten object is gone for good. If someone accidentally deletes important data, or a compromised account or misconfigured automation mass-deletes objects, there is nothing left to recover from. Versioning is the safety net: earlier versions stay in the bucket until something explicitly deletes them by version ID. Note that a principal holding s3:DeleteObjectVersion can still remove versions permanently, so for buckets that must survive a compromised account pair versioning with least-privilege IAM, MFA Delete or Object Lock (see the notes below).
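
The recovery the paragraph above describes works by deleting the delete marker that a DeleteObject left on top of the versions. The following is an added example, not code from the original page, showing that restore logic, including the case of a key deleted more than once (stacked markers). It uses two S3 API calls that boto3's S3 client exposes with these signatures, list_object_versions(Bucket=, Prefix=) and delete_object(Bucket=, Key=, VersionId=); a constructed fake client stands in for boto3 so it runs offline, and the bucket and key names are made up.

```python
"""Undo a soft delete in a versioned bucket by removing its delete marker(s).

Added example, not the page's own code. It relies on two S3 API calls that
boto3's S3 client exposes with these signatures: list_object_versions(Bucket=,
Prefix=) and delete_object(Bucket=, Key=, VersionId=). A constructed fake
client stands in for boto3 so the example runs offline; bucket and key names
are made up.
"""


def find_current_delete_marker(s3, bucket, key):
    """VersionId of the delete marker currently hiding `key`, or None."""
    resp = s3.list_object_versions(Bucket=bucket, Prefix=key)
    for marker in resp.get("DeleteMarkers", []):
        if marker["Key"] == key and marker.get("IsLatest"):
            return marker["VersionId"]
    return None


def current_version(s3, bucket, key):
    """VersionId of the live current version of `key`, or None if the key is
    deleted (its newest entry is a delete marker) or does not exist."""
    resp = s3.list_object_versions(Bucket=bucket, Prefix=key)
    for version in resp.get("Versions", []):
        if version["Key"] == key and version.get("IsLatest"):
            return version["VersionId"]
    return None


def restore_deleted_object(s3, bucket, key):
    """Remove delete markers until a real version is current again.

    Returns the number of markers removed (0 means `key` was not deleted).
    A key deleted twice carries two stacked markers, so one DeleteObject is
    not always enough. Deleting by VersionId is what removes data for good:
    the caller needs s3:DeleteObjectVersion, and an attacker holding that
    permission can defeat the safety net, which is what MFA Delete and
    Object Lock guard against.
    """
    removed = 0
    while True:
        marker_id = find_current_delete_marker(s3, bucket, key)
        if marker_id is None:
            return removed
        s3.delete_object(Bucket=bucket, Key=key, VersionId=marker_id)
        removed += 1


class FakeVersionedBucket:
    """Constructed stand-in for a boto3 S3 client over one versioned bucket.

    Tracks versions and delete markers per key; the entry with the newest
    LastModified is reported as IsLatest, as S3 does.
    """

    def __init__(self, versions, delete_markers):
        self.versions = [dict(v) for v in versions]
        self.delete_markers = [dict(m) for m in delete_markers]

    def list_object_versions(self, Bucket, Prefix=""):
        return {
            "Versions": [v for v in self.versions if v["Key"].startswith(Prefix)],
            "DeleteMarkers": [m for m in self.delete_markers if m["Key"].startswith(Prefix)],
        }

    def delete_object(self, Bucket, Key, VersionId):
        # A version-specific delete removes that entry permanently and promotes
        # the next newest entry (version or marker) for the key to current.
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]
        self.delete_markers = [m for m in self.delete_markers if m["VersionId"] != VersionId]
        entries = [e for e in self.versions + self.delete_markers if e["Key"] == Key]
        for entry in entries:
            entry["IsLatest"] = False
        if entries:
            max(entries, key=lambda e: e["LastModified"])["IsLatest"] = True
        return {}


def make_sample_client():
    """Constructed bucket state: app.yaml deleted once (two versions beneath),
    secrets.env deleted twice (stacked markers), README.md never deleted."""
    versions = [
        {"Key": "config/app.yaml", "VersionId": "v2", "IsLatest": False, "LastModified": 2},
        {"Key": "config/app.yaml", "VersionId": "v1", "IsLatest": False, "LastModified": 1},
        {"Key": "secrets.env", "VersionId": "s1", "IsLatest": False, "LastModified": 1},
        {"Key": "README.md", "VersionId": "r1", "IsLatest": True, "LastModified": 1},
    ]
    markers = [
        {"Key": "config/app.yaml", "VersionId": "dm1", "IsLatest": True, "LastModified": 3},
        {"Key": "secrets.env", "VersionId": "dm2", "IsLatest": False, "LastModified": 4},
        {"Key": "secrets.env", "VersionId": "dm3", "IsLatest": True, "LastModified": 5},
    ]
    return FakeVersionedBucket(versions, markers)


if __name__ == "__main__":
    s3 = make_sample_client()  # swap for boto3.client("s3") against a real bucket
    for key in ("config/app.yaml", "secrets.env", "README.md"):
        removed = restore_deleted_object(s3, "my-application-data", key)
        print(f"{key}: removed {removed} delete marker(s), current version = "
              f"{current_version(s3, 'my-application-data', key)}")
```

Against a real bucket, replace make_sample_client() with boto3.client("s3"); the list_object_versions call is paginated for large prefixes, so use the client's paginator when a key may have many versions.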

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify S3 bucket settings, or
  • AWS CLI installed and configured with appropriate credentials

Setting up AWS CLI (if needed)

If you do not have the AWS CLI installed:

  1. Install the AWS CLI following the official installation guide
  2. Configure your credentials:
    aws configure
  3. Enter your AWS Access Key ID, Secret Access Key, and a default region. The examples below use us-east-1; use the region your bucket was created in.

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to S3 (search for "S3" in the top search bar)
  3. Click on the bucket you want to update
  4. Select the Properties tab
  5. Scroll down to the Bucket Versioning section
  6. Click Edit
  7. Select Enable
  8. Click Save changes

That's it! Versioning is now enabled on your bucket.

AWS CLI (optional)

Run the following command, replacing <your-bucket-name> with your actual bucket name:

aws s3api put-bucket-versioning \
  --bucket <your-bucket-name> \
  --versioning-configuration Status=Enabled \
  --region us-east-1

Example:

aws s3api put-bucket-versioning \
  --bucket my-application-data \
  --versioning-configuration Status=Enabled \
  --region us-east-1

Note: When you enable versioning for the first time, the change can take a short time to propagate. AWS recommends waiting 15 minutes before issuing write operations (PUT or DELETE) on objects in the bucket.

CloudFormation (optional)

Use this template to create or update an S3 bucket with versioning enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable versioning on an S3 bucket

Parameters:
  BucketName:
    Type: String
    Description: Name of the S3 bucket

Resources:
  S3BucketWithVersioning:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      VersioningConfiguration:
        Status: Enabled

Outputs:
  BucketArn:
    Description: ARN of the bucket with versioning enabled
    Value: !GetAtt S3BucketWithVersioning.Arn

Deploy the stack:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name s3-versioning-stack \
  --parameter-overrides BucketName=<your-bucket-name> \
  --region us-east-1

Note: This template creates the bucket. Deploying it with the name of a bucket that already exists fails, because CloudFormation does not take over resources created outside a stack unless you explicitly import them. For existing buckets, use the Console or CLI method.

Terraform (optional)

For new buckets, use the following configuration:

variable "bucket_name" {
  description = "Name of the S3 bucket"
  type        = string
}

resource "aws_s3_bucket" "example" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}

For an existing bucket, add an aws_s3_bucket_versioning resource that points at it. If Terraform already manages the bucket, reference it as aws_s3_bucket.<name>.id as above; otherwise give the bucket name directly:

resource "aws_s3_bucket_versioning" "existing" {
  bucket = "your-existing-bucket-name"

  versioning_configuration {
    status = "Enabled"
  }
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After enabling versioning, confirm it is active:

  1. In the AWS Console, go to your bucket's Properties tab
  2. Look for Bucket Versioning - it should show Enabled

CLI verification

aws s3api get-bucket-versioning \
  --bucket <your-bucket-name> \
  --region us-east-1

Expected output:

{
  "Status": "Enabled"
}

If the output is an empty object {}, versioning has never been enabled on this bucket. If it shows "Status": "Suspended", versioning was enabled at some point and later suspended; new writes are no longer versioned, so re-enable it with the same put-bucket-versioning command.
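
The verification above checks one bucket by hand. The following is an added example, not code from the original page, that applies the same GetBucketVersioning logic across every bucket in an account and distinguishes the three states the API can report (never enabled, Enabled, Suspended), which is what this check has to do. It works with any client object that provides list_buckets() and get_bucket_versioning(Bucket=...), which boto3's S3 client does; a constructed fake client with made-up bucket names stands in so it runs offline.

```python
"""Audit S3 bucket versioning state across an account.

Added example, not the page's own code. Works with any client object exposing
list_buckets() and get_bucket_versioning(Bucket=...), which boto3's S3 client
does. A constructed fake client with made-up bucket names stands in so the
example runs offline.
"""

NEVER_ENABLED = "never-enabled"
ENABLED = "enabled"
SUSPENDED = "suspended"


def classify_versioning(response):
    """Map a GetBucketVersioning response to one of three states.

    The API returns no Status key at all for a bucket that has never had
    versioning turned on, so an empty response is the "never enabled" case,
    not an error.
    """
    status = response.get("Status")
    if status is None:
        return NEVER_ENABLED
    if status == "Enabled":
        return ENABLED
    if status == "Suspended":
        return SUSPENDED
    raise ValueError(f"unexpected versioning status: {status!r}")


def audit_buckets(s3):
    """Return {bucket_name: {"state": ..., "mfa_delete": ...}} for every bucket.

    MFADelete only appears in the response once it has been configured, so a
    missing key is reported as "Disabled".
    """
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        resp = s3.get_bucket_versioning(Bucket=name)
        report[name] = {
            "state": classify_versioning(resp),
            "mfa_delete": resp.get("MFADelete", "Disabled"),
        }
    return report


def non_compliant(report):
    """Names of buckets this check would flag: anything not currently Enabled.

    Suspended counts as non-compliant because new writes are not versioned.
    """
    return sorted(name for name, row in report.items() if row["state"] != ENABLED)


class FakeS3Client:
    """Constructed stand-in for a boto3 S3 client (offline demo only)."""

    def __init__(self, buckets):
        self._buckets = buckets  # bucket name -> GetBucketVersioning response

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self._buckets]}

    def get_bucket_versioning(self, Bucket):
        return dict(self._buckets[Bucket])


# Constructed sample: one compliant bucket, one suspended, one never enabled.
SAMPLE_BUCKETS = {
    "my-application-data": {"Status": "Enabled", "MFADelete": "Disabled"},
    "old-logs": {"Status": "Suspended"},
    "scratch": {},
}


if __name__ == "__main__":
    # Replace the fake with boto3.client("s3") to audit a real account.
    report = audit_buckets(FakeS3Client(SAMPLE_BUCKETS))
    for name, row in report.items():
        print(f"{name}: versioning={row['state']} mfa_delete={row['mfa_delete']}")
    print("non-compliant:", non_compliant(report))
```

list_buckets returns every bucket in the account regardless of region, and get_bucket_versioning is answered for buckets in any region by the boto3 client, so one client is enough for an account-wide pass.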

Notes

  • Versioning cannot be disabled once enabled - you can only suspend it. Suspending versioning stops new versions from being created but preserves the versions that already exist.
  • Storage costs increase with versioning because every version is retained until deleted. Consider a lifecycle rule with a NoncurrentVersionExpiration action to remove old noncurrent versions after a set number of days.
  • MFA Delete adds an extra layer of protection by requiring multi-factor authentication to permanently delete a version or to change the bucket's versioning state. It can only be turned on by the account root user through the CLI or API, not the Console. Consider enabling it for critical buckets.
  • Object Lock requires versioning and makes object versions immutable for a retention period or under a legal hold, which satisfies WORM (Write Once Read Many) compliance requirements.
  • Versioning is not supported for S3 directory buckets (S3 Express One Zone storage class).