Enable Versioning for AWS S3 Buckets

Reliability

Risk level: Low (generally tolerable level of risk)

Ensure that your AWS S3 buckets have the versioning flag enabled in order to preserve and recover overwritten and deleted S3 objects as an extra layer of data protection and/or data retention.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Using versioning-enabled S3 buckets will allow you to preserve, retrieve, and restore every version of an S3 object. S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten by AWS users or applications and archiving previous versions of objects to AWS Glacier for long-term low-cost storage.

Audit

To determine if your S3 buckets have versioning enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the dashboard top right menu.

04 Click to expand the Versioning tab from the Properties panel and check the feature status. If the following message is displayed: “Versioning is currently not enabled on this bucket.”, S3 object versioning is not currently enabled for the selected bucket.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available in your AWS account:

[
    "myapp-status-reports"
]

03 Run get-bucket-versioning command (OSX/Linux/UNIX) using the name of the bucket that you want to examine, to determine if the selected S3 bucket has object versioning enabled. If the get-bucket-versioning command does not return any CLI output, the S3 Versioning feature is not enabled for the selected bucket:

aws s3api get-bucket-versioning \
	--bucket myapp-status-reports

04 Repeat step no. 3 for each S3 bucket that you want to examine, available in your AWS account.
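The CLI audit steps above, run over every bucket in one pass, as an added example that is not part of the original page. It assumes the AWS CLI is installed and configured, uses `--query 'Status' --output text` (which prints `None` for a bucket where versioning was never configured), and also flags the `Suspended` state, which the steps above do not mention; the result labels (`PASS`, `FAIL-...`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the versioning state of
# every S3 bucket in the account with list-buckets and get-bucket-versioning.

# Map the Status value returned by get-bucket-versioning to an audit result.
# An empty value or "None" is the "no CLI output" case from step 03: the
# bucket has never had versioning configured.
classify_versioning() {
    case "$1" in
        Enabled)   echo "PASS" ;;
        Suspended) echo "FAIL-suspended" ;;
        ""|None)   echo "FAIL-never-enabled" ;;
        *)         echo "UNKNOWN" ;;
    esac
}

# Print "<bucket> <result>" for each bucket.
# Returns 0 if every bucket passes, 1 if any does not, 2 if listing fails.
audit_buckets() {
    failed=0
    buckets=$(aws s3api list-buckets --query 'Buckets[*].Name' --output text) || return 2
    for bucket in $buckets; do
        if status=$(aws s3api get-bucket-versioning --bucket "$bucket" \
                        --query 'Status' --output text 2>/dev/null); then
            result=$(classify_versioning "$status")
        else
            # The call itself failed (for example, missing permission).
            result="ERROR-could-not-read"
        fi
        [ "$result" = "PASS" ] || failed=1
        echo "$bucket $result"
    done
    return "$failed"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_buckets
fi
```

Invoked with `--audit`, the script exits non-zero when any bucket is not versioned, so it can gate a scheduled compliance job.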

Remediation / Resolution

To enable object versioning for your existing S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the dashboard top right menu.

04 Click on the Versioning tab from the Properties panel to expand the feature configuration section.

05 Click Enable Versioning button, then click the OK confirmation button within the dialog to activate object versioning for the selected bucket. The feature status should change to “Versioning is currently enabled on this bucket.”.

06 To test S3 object versioning, select an existing object within your versioning-enabled bucket, then select the Show tab from the Versions section. The object selected should have one or more versions listed under its name.

07 Repeat steps no. 3 – 6 for each S3 bucket available within your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets in your account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available:

[
    "myapp-status-reports"
]

03 Run put-bucket-versioning command (OSX/Linux/UNIX) using the name of the bucket returned at the previous step to set up the versioning state for the selected S3 bucket (the command does not return any output):

aws s3api put-bucket-versioning \
	--bucket myapp-status-reports \
	--versioning-configuration Status=Enabled

04 To test the bucket versioning state run get-bucket-versioning command (OSX/Linux/UNIX) using the name of the bucket as command parameter:

aws s3api get-bucket-versioning \
	--bucket myapp-status-reports

05 If the feature has been successfully enabled, the command output should return the following status value:

{
    "Status": "Enabled"
}

06 For further testing, run list-object-versions command (OSX/Linux/UNIX) to return the version information for an S3 object called myapp-report-05032016.pdf available in the selected bucket (myapp-status-reports):

aws s3api list-object-versions \
	--bucket myapp-status-reports \
	--key myapp-report-05032016.pdf

07 The command output should return all the versions metadata for the selected object:

{
    "Name": "myapp-status-reports",
    "Versions": [
        {
            "LastModified": "2016-05-09T17:07:00.000Z",
            "VersionId": "3vaCdyNYB_1pgAX43o63gBjuQxFvrHLA",
            "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
            "StorageClass": "STANDARD",
            "Key": "reports/",
            "Owner": {
                "DisplayName": "john.doe",
                "ID": "718f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e9989666"
            },
            "IsLatest": true,
            "Size": 0
        },
        {
            "LastModified": "2016-05-09T17:08:12.000Z",
            "VersionId": "sf0uHgzFV6rFMayv3DnM9IwsPHFg4XKv",
            "ETag": "\"6207895b60c102aef94978550f4bdc3c\"",
            "StorageClass": "STANDARD",
            "Key": "reports/myapp-report-05032016.pdf",
            "Owner": {
                "DisplayName": "john.doe",
                "ID": "718f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e9989666"
            },
            "IsLatest": true,
            "Size": 720929
        },
        {
            "LastModified": "2016-05-09T17:07:09.000Z",
            "VersionId": "ewckgn8axw6_QxivG5DMyVFypFhsEKIi",
            "ETag": "\"687c58cf3148878f675051875aa84bb3\"",
            "StorageClass": "STANDARD",
            "Key": "reports/myapp-report-05032016.pdf",
            "Owner": {
                "DisplayName": "john.doe",
                "ID": "718f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e9989666"
            },
            "IsLatest": false,
            "Size": 641497
        }
    ],
    "MaxKeys": 1000,
    "Prefix": "",
    "KeyMarker": "myapp-report-05032016.pdf",
    "IsTruncated": false
}

08 Repeat steps no. 3 – 7 for each S3 bucket available within your AWS account.

Publication date May 10, 2016