Description:

S3 Object Versioning can be used to protect against unintended overwrites and deletions. Versioning keeps multiple variants of an object in the same bucket and can be used to preserve, retrieve, and restore every version of every object stored in the S3 bucket.

 

Rationale:

When you enable versioning for a bucket, Amazon S3 automatically generates a unique version ID for the object being stored. For example, in one bucket, you can have two objects with the same key but different version IDs. If you notice a significant increase in the number of HTTP 503 (Slow Down) responses received for Amazon S3 PUT or DELETE object requests to a bucket that has S3 Versioning enabled, you might have one or more objects in the bucket for which there are millions of versions.


Impact:

Versioning-enabled buckets can help you recover objects from accidental deletion or overwrite.

 

Default Value:

Versioning is not enabled by default and has to be explicitly enabled for each bucket.

 

Audit:

  1. Sign in to the AWS Management Console.

  2. Navigate to the S3 console at https://s3.console.aws.amazon.com/

  3. In the Buckets list, choose the name of the bucket that you want to examine.

  4. Choose the Properties tab.

  5. In Properties, under the Bucket Versioning section, check whether Bucket Versioning is enabled.
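
The same check can be scripted across many buckets with the AWS CLI. This is an added example, not part of the original control text; the function names and the script name in the usage comment are hypothetical, and it assumes credentials that allow s3:ListAllMyBuckets and s3:GetBucketVersioning.

```shell
#!/bin/sh
# Added example: audit S3 bucket versioning with the AWS CLI.

# Map the Status value from get-bucket-versioning to an audit result.
# With "--query Status --output text" the CLI prints "None" for a bucket
# on which versioning was never enabled (the field is absent).
classify_versioning() {
  case "$1" in
    Enabled)   echo "PASS" ;;
    Suspended) echo "FAIL (suspended)" ;;
    None|"")   echo "FAIL (never enabled)" ;;
    *)         echo "ERROR (unexpected status: $1)" ;;
  esac
}

# Print "bucket<TAB>result" for each named bucket; return 1 if any is not PASS.
audit_buckets() {
  ab_rc=0
  for ab_bucket in "$@"; do
    if ab_status=$(aws s3api get-bucket-versioning --bucket "$ab_bucket" \
                     --query Status --output text 2>/dev/null); then
      ab_result=$(classify_versioning "$ab_status")
    else
      ab_result="ERROR (could not read versioning state)"
    fi
    printf '%s\t%s\n' "$ab_bucket" "$ab_result"
    [ "$ab_result" = "PASS" ] || ab_rc=1
  done
  return "$ab_rc"
}

# Audit every bucket the caller can list.
audit_all_buckets() {
  ab_names=$(aws s3api list-buckets --query 'Buckets[].Name' \
               --output text) || return 2
  # Bucket names never contain whitespace, so word splitting is safe here.
  # shellcheck disable=SC2086
  audit_buckets $ab_names
}

# Usage: sh audit-versioning.sh --all | sh audit-versioning.sh BUCKET...
if [ "${1:-}" = "--all" ]; then
  audit_all_buckets
elif [ "$#" -gt 0 ]; then
  audit_buckets "$@"
fi
```

A Suspended bucket is reported as a failure because new writes to it no longer create recoverable versions, even though versions stored earlier are retained.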


Remediation:

Pre-Requisite:

  1. Sign in as an admin or an IAM user with the required permissions.

  2. At least one S3 bucket must exist.

Implementation Steps:

  1. Sign in to the AWS Management Console 

  2. Open the S3 console at https://console.aws.amazon.com/s3. 

  3. In the Buckets list, choose the name of the bucket that you want to enable versioning for.

  4. Choose Properties.

  5. Go to the Bucket Versioning section and click Edit.

  6. Choose Enable in Bucket Versioning.

  7. Click on Save changes.


Via CLI:

aws s3api put-bucket-versioning --bucket DOC-EXAMPLE-BUCKET1 --versioning-configuration Status=Enabled


Backout Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the S3 console at https://s3.console.aws.amazon.com/

  3. In the Buckets list, choose the name of the bucket that you want to disable versioning for.

  4. Choose the Properties tab.

  5. In Properties, under the Bucket Versioning section, click Edit and choose Suspend.


Note:

Versioning stores each version of an object as a complete copy, and charges accrue for every version. For example, a 1GB file with 5 copies that differ only slightly consumes 5GB of S3 storage space, and you are charged for all of it.

Objects that are stored in your bucket before you set the versioning state have a version ID of null. When you enable versioning, existing objects in your bucket do not change. What changes is how Amazon S3 handles the objects in future requests.

The bucket owner (or any user with appropriate permissions) can suspend versioning to stop accruing object versions. When you suspend versioning, existing objects in your bucket do not change. What changes is how Amazon S3 handles objects in future requests.

Reference: