S3-003 Disabled Bucket versioning

Risk level: Low

Rule ID: S3-003

Make sure the versioning flag is enabled in your AWS S3 buckets so you can recover items if they are accidentally deleted or overwritten. After versioning is enabled for a bucket:

  • If you delete an object, Amazon S3 inserts a delete marker instead of removing the object permanently. The delete marker then becomes the current version of the object.
  • If you overwrite an object, Amazon S3 will create a new version of the object in the bucket.
  • S3 versioning can also be used to archive objects to low-cost storage classes using lifecycle policies to save some costs.

This rule is used by the following:

  • AWS Well-Architected Framework Lens
  • FTR Lens

Audit

Perform the following steps to see if your provisioned S3 buckets have versioning enabled.

 

Using AWS Console

1. Sign in to the AWS Management Console.
 
2. Navigate to S3 Management Console at https://console.aws.amazon.com/s3/.
 
3. Select the S3 bucket you want to examine, click on the Properties tab, and scroll down to Bucket Versioning.


 
4. If you see Bucket Versioning as Disabled, S3 bucket versioning is not enabled for this bucket.
 
5. Steps 3 and 4 should be repeated for each S3 bucket in your AWS account that you want to inspect.

Using AWS CLI

1. Run the list-buckets command to get a list of all existing S3 buckets within your account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

 
2. This command should return the name of all provisioned S3 buckets.

[
	"ncode.demo"
]

 
3. Run the get-bucket-versioning command to determine if the selected S3 bucket has object versioning enabled or not, as shown below:

aws s3api get-bucket-versioning \
	--bucket ncode.demo

 
4. If no CLI output is produced, S3 Versioning is not configured for the specified bucket.
 
5. Step 3 should be repeated for each S3 bucket in your AWS account that you want to evaluate.
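The per-bucket loop in steps 1 to 5 can be scripted. The following is an added example, not part of the original rule text: the function names and the --run switch are this example's own. It goes slightly beyond the steps above by also reporting a bucket whose versioning is Suspended as failing, since new overwrites and deletes on such a bucket are no longer versioned.

```bash
#!/bin/sh
# Added example: audits every bucket for rule S3-003 with the same two
# s3api calls used in the steps above. Function names are this example's own.

# Print Enabled, Suspended, NotConfigured or Error for one bucket.
versioning_status() {
    local out
    # With --query 'Status' --output text the CLI prints "None" when the
    # response has no Status key, i.e. versioning was never configured.
    out=$(aws s3api get-bucket-versioning --bucket "$1" \
            --query 'Status' --output text 2>/dev/null) || { echo Error; return 0; }
    case "$out" in
        Enabled|Suspended) echo "$out" ;;
        None|"")           echo NotConfigured ;;
        *)                 echo Error ;;
    esac
}

# Print one PASS/FAIL line per bucket; return 1 if any bucket is not Enabled,
# 2 if the bucket list itself could not be retrieved.
audit_versioning() {
    local names bucket status failed=0
    names=$(aws s3api list-buckets --query 'Buckets[*].Name' --output text) || return 2
    # Bucket names cannot contain whitespace or glob characters,
    # so splitting the tab-separated text output on whitespace is safe.
    for bucket in $names; do
        status=$(versioning_status "$bucket")
        if [ "$status" = "Enabled" ]; then
            printf 'PASS %s %s\n' "$bucket" "$status"
        else
            printf 'FAIL %s %s\n' "$bucket" "$status"
            failed=1
        fi
    done
    return "$failed"
}

# Run the audit only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_versioning
fi
```

An Error result means the get-bucket-versioning call itself failed (for example, the caller lacks permission on that bucket) and the bucket needs a manual check.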

Remediation / Resolution

Perform the following to activate object versioning for your S3 buckets:

 

Using AWS Console

1. Sign in and navigate to the AWS S3 Management Console at https://console.aws.amazon.com/s3/.
 
2. Choose the S3 bucket you want to examine, click on the Properties tab, and scroll down to Bucket Versioning.
 
3. Click on Edit and select Enable in the dialog box. Click on Save Changes.


 
4. Recheck the Bucket Versioning section. It should now show the feature status as Enabled.


 
5. Perform steps 2 – 4 for each S3 bucket available within your AWS account.

Using AWS CLI

1. Run the list-buckets command to retrieve the list of all provisioned S3 buckets within your AWS account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

 
2. This command should return the name of all provisioned S3 buckets.

[
	"ncode.demo"
]

 
3. Run the get-bucket-versioning command on the specified bucket name. This should not return any output, since versioning has not been enabled on the S3 bucket.

aws s3api get-bucket-versioning \
	--bucket ncode.demo

 
4. Run the put-bucket-versioning command as shown below to enable versioning on the specified bucket.

aws s3api put-bucket-versioning \
	--bucket ncode.demo \
	--versioning-configuration Status=Enabled

 
5. Rerun the get-bucket-versioning command to validate that versioning has been enabled on the bucket.

aws s3api get-bucket-versioning \
	--bucket ncode.demo

 
6. If AWS correctly processed the versioning command, the output should return a positive status:

{
    "Status": "Enabled"
}

 
7. You should repeat steps 3–6 for any other S3 bucket you want to activate versioning for.
