This rule ensures that versioning is enabled for S3 buckets to maintain data integrity and security.
Rule | S3 bucket versioning should be enabled |
Framework | AWS Audit Manager Control Tower Guardrails |
Severity | ✔ High |
S3 Bucket Versioning for AWS Audit Manager Control Tower Guardrails
Overview
To maintain a robust security posture and compliance in an AWS environment, AWS Audit Manager Control Tower Guardrails recommends enabling versioning on S3 buckets. Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. When versioning is enabled for an S3 bucket and an object is deleted, S3 inserts a delete marker instead of removing the object. If an object is overwritten, a new version of the object is created.
Enabling versioning can serve several purposes:
Troubleshooting
If you find that versioning is not enabled on an S3 bucket, or if there are issues with object versioning, follow these troubleshooting steps:
Step 1: Confirm Bucket Versioning Status
Check the bucket's versioning status using the AWS Management Console, AWS CLI, or AWS SDKs.
Using the AWS Management Console:
Using the AWS CLI:
aws s3api get-bucket-versioning --bucket your-bucket-name
The output will show if versioning is Enabled or Suspended.
Step 2: Enable Versioning
If versioning is not enabled, you can enable it using the console or CLI.
Using the AWS Management Console:
Using the AWS CLI:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled
Step 3: Verify Versioning Is Enabled
Double-check that versioning is enabled following the check described in Step 1.
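The Step 1 check applied to several buckets at once, as an added example that is not part of the original guide. The helper names, the "Unversioned" label and the sample bucket names are assumptions made for illustration. The example also handles a bucket that has never had versioning configured, for which the response contains no Status value at all.

```python
import json
import shlex

# Constructed sample responses in the shape returned by
# `aws s3api get-bucket-versioning`; the bucket names are made up.
SAMPLE_RESPONSES = {
    "logs-prod": '{"Status": "Enabled", "MFADelete": "Disabled"}',
    "legacy-uploads": '{"Status": "Suspended"}',
    "scratch-never-versioned": "",  # never configured: the CLI prints nothing
}

def versioning_state(raw):
    """Map a CLI output string or SDK response dict to a versioning state."""
    if isinstance(raw, str):
        raw = json.loads(raw) if raw.strip() else {}
    # No Status key means versioning was never configured on the bucket.
    # "Unversioned" is this example's own label, not an AWS value.
    return raw.get("Status", "Unversioned")

def audit(responses):
    """Return {bucket: finding} for every bucket that fails the rule."""
    findings = {}
    for bucket, raw in sorted(responses.items()):
        state = versioning_state(raw)
        if state != "Enabled":  # Suspended fails the rule as well
            findings[bucket] = {
                "state": state,
                "remediation": (
                    "aws s3api put-bucket-versioning --bucket "
                    f"{shlex.quote(bucket)} "
                    "--versioning-configuration Status=Enabled"
                ),
            }
    return findings

def live_responses():
    """Collect real responses with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the offline sample needs no AWS SDK
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {name: s3.get_bucket_versioning(Bucket=name) for name in names}

if __name__ == "__main__":
    for bucket, finding in audit(SAMPLE_RESPONSES).items():
        print(f"FAIL {bucket}: {finding['state']}")
        print(f"     fix: {finding['remediation']}")
```

To run it against an account, pass `live_responses()` to `audit()` instead of the constructed samples.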
Code Examples
There are no additional code examples needed for enabling versioning outside of the CLI commands provided above. However, for configuration management or infrastructure provisioning, such as using AWS CloudFormation, the following is an example snippet:
Resources:
  S3BucketWithVersioning:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: 'your-versioned-bucket'
      VersioningConfiguration:
        Status: 'Enabled'
Remediation Guide
If versioning is disabled, follow the troubleshooting steps provided. Here is the step-by-step guide for remediation using AWS CLI:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled
aws s3api get-bucket-versioning --bucket your-bucket-name
The output should now show "Status": "Enabled".
Enabling versioning as part of your AWS Audit Manager Control Tower Guardrails ensures compliance with AWS security best practices and aids in data recovery scenarios.