S3 Bucket Versioning Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: S3-012

Ensure that S3 object versioning is enabled for your Amazon S3 buckets in order to preserve and recover overwritten and deleted S3 objects as an extra layer of data protection and/or data retention.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Versioning-enabled Amazon S3 buckets will allow you to preserve, retrieve, and restore every version of an S3 object. S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten by AWS users or applications and archiving previous versions of objects to Amazon S3 Glacier for long-term low-cost storage. With S3 versioning, you can easily recover from both unintended user actions and application failures.


Audit

To determine if object versioning is enabled for your Amazon S3 buckets, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Bucket Versioning section, check the Bucket Versioning configuration attribute value. If the attribute value is set to Disabled or Suspended, the S3 object versioning is not enabled for the selected Amazon S3 bucket.

06 Repeat steps no. 3 – 5 to determine the object versioning configuration status for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
    "cc-prod-web-data",
    "cc-project5-logs"
]

03 Run get-bucket-versioning command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the S3 object versioning status available for the selected bucket:

aws s3api get-bucket-versioning \
  --bucket cc-prod-web-data \
  --query 'Status'

04 The command output should return the requested configuration status:

null

If the get-bucket-versioning command output returns null (versioning has never been configured for the bucket, so the response carries no Status attribute) or "Suspended" (versioning was enabled at some point and later turned off), as shown in the example above, S3 object versioning is not enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 to determine the object versioning configuration status for other Amazon S3 buckets available in your AWS cloud account.

Remediation / Resolution

To enable S3 object versioning for your Amazon S3 buckets, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3 Object Versioning ",
  "Resources": {
    "ProtectedS3Bucket": {
      "Properties": {
        "BucketName": "cc-prod-web-data",
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Enable S3 Object Versioning '
Resources:
  ProtectedS3Bucket:
    Properties:
      BucketName: cc-prod-web-data
      VersioningConfiguration:
        Status: Enabled
    Type: AWS::S3::Bucket

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "protected-bucket" {
  bucket = "cc-prod-web-data"
  versioning {
    enabled = true
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Bucket Versioning section, choose Edit to modify the object versioning configuration.

06 On the Edit Bucket Versioning page, select Enable under Bucket Versioning to enable the feature. Choose Save changes to apply the configuration changes. After enabling object versioning, you might need to update your lifecycle rules to manage previous versions of objects.

07 Repeat steps no. 3 – 6 to enable S3 object versioning for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Run put-bucket-versioning command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to enable S3 object versioning for the selected bucket. If the request is successful, the put-bucket-versioning command should not return an output:

aws s3api put-bucket-versioning \
  --bucket cc-prod-web-data \
  --versioning-configuration Status=Enabled

02 Repeat step no. 1 to enable S3 object versioning for other Amazon S3 buckets available within your AWS cloud account.
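The CLI audit (list-buckets, get-bucket-versioning) and remediation (put-bucket-versioning) steps above, combined into one account-wide pass. This is an added example, not Conformity's own code: it uses the boto3 method names and response shapes of the real S3 client, but the FakeS3 class and the three sample buckets are constructed so that it runs offline; replace FakeS3(SAMPLE) with boto3.client("s3") to run it against an account.

```python
from typing import Dict, List

def versioning_state(response: dict) -> str:
    """GetBucketVersioning omits "Status" when versioning was never enabled
    (the CLI prints null); "Suspended" means it was turned off later."""
    status = response.get("Status")
    return status if status in ("Enabled", "Suspended") else "NeverEnabled"

def audit_buckets(s3) -> Dict[str, str]:
    """Return {bucket_name: state} for every bucket visible to the client."""
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {n: versioning_state(s3.get_bucket_versioning(Bucket=n)) for n in names}

def noncompliant(report: Dict[str, str]) -> List[str]:
    """Buckets that fail rule S3-012: anything other than Enabled."""
    return sorted(name for name, state in report.items() if state != "Enabled")

def enable_versioning(s3, bucket: str) -> None:
    """Same request as `aws s3api put-bucket-versioning ... Status=Enabled`."""
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})

class FakeS3:
    """Constructed stand-in for boto3.client("s3") so the example runs offline."""

    def __init__(self, buckets: Dict[str, dict]):
        self._buckets = {n: dict(v) for n, v in buckets.items()}

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._buckets]}

    def get_bucket_versioning(self, Bucket):
        return dict(self._buckets[Bucket])

    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self._buckets[Bucket]["Status"] = VersioningConfiguration["Status"]

# Constructed sample account: never versioned, suspended, and compliant buckets.
SAMPLE = {
    "cc-prod-web-data": {},
    "cc-project5-logs": {"Status": "Suspended"},
    "cc-backups": {"Status": "Enabled", "MFADelete": "Disabled"},
}

if __name__ == "__main__":
    client = FakeS3(SAMPLE)  # swap for boto3.client("s3") against a real account
    for name in noncompliant(audit_buckets(client)):
        enable_versioning(client, name)
    print(audit_buckets(client))
```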

Publication date May 10, 2016