
Ensure Rule Compliance: S3 Bucket Versioning Enabled

Check if S3 bucket versioning is enabled to meet high severity compliance standards.

Rule: S3 bucket versioning should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

S3 Bucket Versioning for Compliance with NIST 800-53 Revision 5

NIST 800-53 Revision 5 requires that organizations implement data retention policies that support versioning in order to protect against unauthorized alterations and deletions. AWS S3 bucket versioning is a feature that aligns with this requirement. It maintains multiple variants of an object within an S3 bucket, which is crucial for data recovery and maintaining data integrity.

Understanding S3 Bucket Versioning

When S3 bucket versioning is enabled, every time an object is updated or deleted, a new version is created, enabling you to recover from both unintended user actions and application failures. Here's a detailed description of the rule:

  • Versioning State: Once enabled, you cannot completely turn off versioning; you can only suspend it.
  • MFA Delete: This can be enabled to provide an additional layer of security, requiring multi-factor authentication (MFA) to delete an object version.
  • Lifecycle Policies: These can be applied to non-current versions, helping to automate the management of these versions, including permanent deletion.

Checking if Versioning is Enabled

To confirm if S3 bucket versioning is enabled on your buckets, you can use the AWS Management Console or AWS CLI.

AWS Management Console:

  1. Navigate to the S3 service.
  2. Select the bucket you wish to inspect.
  3. Click on the "Properties" tab.
  4. Look for the "Versioning" card and check if it's enabled.

AWS CLI:

Execute the following command to retrieve the versioning status of the bucket:

aws s3api get-bucket-versioning --bucket YOUR_BUCKET_NAME

Replace YOUR_BUCKET_NAME with the name of your S3 bucket.
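To run the same check across every bucket in an account rather than one at a time, the following POSIX shell script is an added example; it is not part of the original page and not Cloud Defense's own tooling. It wraps the same get-bucket-versioning call, treats an empty response (a bucket on which versioning was never enabled) and a Suspended status as failures of the rule, and reports the MFA Delete state alongside. The function names and the --audit flag are my own choices, and the JSON shapes mentioned in the comments are constructed from the documented response format.

```shell
#!/bin/sh
# Added example: audit S3 versioning across all buckets in the current account.
# Requires the AWS CLI v2 with credentials that allow s3:ListAllMyBuckets and
# s3:GetBucketVersioning. Not part of the original page.

# parse_versioning: read get-bucket-versioning JSON on stdin and print
# "<Status> <MFADelete>". The CLI prints nothing (or "{}") for a bucket that
# has never had versioning enabled, so a missing Status becomes NotConfigured
# and a missing MFADelete becomes Disabled.
parse_versioning() {
  json=$(cat)
  status=$(printf '%s\n' "$json" \
    | sed -n 's/.*"Status"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1)
  mfa=$(printf '%s\n' "$json" \
    | sed -n 's/.*"MFADelete"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1)
  echo "${status:-NotConfigured} ${mfa:-Disabled}"
}

# evaluate_bucket NAME STATUS MFADELETE: print one verdict line and return 0
# only when the rule passes. Suspended is a failure: prior versions survive,
# but new writes overwrite the current object without creating a version.
evaluate_bucket() {
  case "$2" in
    Enabled)   echo "PASS $1 versioning=Enabled mfa_delete=$3"; return 0 ;;
    Suspended) echo "FAIL $1 versioning=Suspended (new writes are not versioned)"; return 1 ;;
    *)         echo "FAIL $1 versioning never enabled"; return 1 ;;
  esac
}

# audit_all_buckets: list every bucket, evaluate each, and exit non-zero if
# any bucket fails so the script can gate a CI or compliance job.
audit_all_buckets() {
  failures=0
  buckets=$(aws s3api list-buckets --query 'Buckets[].Name' --output text) || return 1
  for b in $buckets; do
    # shellcheck disable=SC2046  # word-splitting of the two parsed fields is intended
    set -- $(aws s3api get-bucket-versioning --bucket "$b" --output json | parse_versioning)
    evaluate_bucket "$b" "$1" "$2" || failures=$((failures + 1))
  done
  echo "non-compliant buckets: $failures"
  [ "$failures" -eq 0 ]
}

# Run the live audit only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
  audit_all_buckets
fi
```

Invoke it as `sh audit_versioning.sh --audit`. Because S3 list-buckets is account-wide, run it once per account (or per profile with `AWS_PROFILE` set); the verdict lines are plain text so they can be collected by whatever evidence store your compliance process uses.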

Enabling Versioning on an S3 Bucket

If versioning is not enabled, follow these steps to enable it:

AWS Management Console:

  1. Go to the Amazon S3 dashboard.
  2. Select the bucket you want to modify.
  3. Click on the "Properties" tab.
  4. Find and click on the "Versioning" card.
  5. Choose "Enable" and save the changes.

AWS CLI:

To enable versioning via the command line interface, run:

aws s3api put-bucket-versioning --bucket YOUR_BUCKET_NAME --versioning-configuration Status=Enabled

Replace YOUR_BUCKET_NAME with the name of your bucket.

Utilizing Lifecycle Policies and MFA Delete (Optional for Enhanced Security)

Lifecycle Policies

  1. Go to the bucket "Properties."
  2. Click on "Lifecycle" to add a new lifecycle policy.
  3. Configure rules for non-current versions according to your data retention policy.
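Bringing the enable step above and the lifecycle step together, this script is an added example (not the page's or Cloud Defense's own code). It enables versioning with the same put-bucket-versioning call, re-reads the status to confirm the change took effect, and then applies a lifecycle configuration through put-bucket-lifecycle-configuration that expires non-current versions after a configurable number of days while always keeping a fixed number of the most recent ones. The 90-day default, the keep-5 default and the rule ID "expire-noncurrent-versions" are assumed values to adapt to your retention policy.

```shell
#!/bin/sh
# Added example: enable versioning on one bucket, verify it, and bound how long
# non-current versions are retained. Not part of the original page.
# Assumed defaults: 90-day retention, keep the 5 newest non-current versions.

# lifecycle_json DAYS KEEP: print a lifecycle configuration that expires
# non-current object versions older than DAYS days, except for the KEEP newest
# non-current versions, and abandons multipart uploads left incomplete for 7 days.
lifecycle_json() {
  days=$1
  keep=$2
  cat <<EOF
{
  "Rules": [
    {
      "ID": "expire-noncurrent-versions",
      "Filter": {"Prefix": ""},
      "Status": "Enabled",
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": $days,
        "NewerNoncurrentVersions": $keep
      },
      "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}
    }
  ]
}
EOF
}

# validate_retention DAYS KEEP: both must be positive integers, so a typo cannot
# install a rule that expires every non-current version immediately.
validate_retention() {
  case "$1" in ''|*[!0-9]*|0) return 1 ;; esac
  case "$2" in ''|*[!0-9]*|0) return 1 ;; esac
  return 0
}

# enable_versioning BUCKET: enable versioning, then read the status back and
# succeed only if the bucket reports Enabled (the --query prints "None" when
# versioning has never been configured).
enable_versioning() {
  aws s3api put-bucket-versioning --bucket "$1" --versioning-configuration Status=Enabled || return 1
  aws s3api get-bucket-versioning --bucket "$1" --query 'Status' --output text | grep -qx Enabled
}

# apply_retention BUCKET DAYS KEEP: write the lifecycle JSON to a temp file and
# install it on the bucket.
apply_retention() {
  validate_retention "$2" "$3" || { echo "invalid retention values: days=$2 keep=$3" >&2; return 1; }
  tmp=$(mktemp)
  lifecycle_json "$2" "$3" > "$tmp"
  aws s3api put-bucket-lifecycle-configuration --bucket "$1" --lifecycle-configuration "file://$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: sh enable_and_retain.sh YOUR_BUCKET_NAME [DAYS] [KEEP]
if [ -n "${1:-}" ]; then
  enable_versioning "$1" && apply_retention "$1" "${2:-90}" "${3:-5}"
fi
```

The order matters: lifecycle rules for non-current versions only have something to act on once versioning is enabled, which is why the script refuses to install the retention rule unless the read-back confirms Enabled. Expiring non-current versions reduces storage cost but also shortens the recovery window, so pick DAYS to match the retention period your policy commits to.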

MFA Delete

MFA Delete requires the use of root account credentials together with an MFA code to permanently delete an object version:

  1. This setting can only be enabled or disabled using the AWS CLI, not the Management Console.
  2. Enable MFA Delete by running:

aws s3api put-bucket-versioning --bucket YOUR_BUCKET_NAME --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::ACCOUNT_ID:mfa/DEVICE_NAME MFA_CODE"

Replace YOUR_BUCKET_NAME, ACCOUNT_ID and DEVICE_NAME with your bucket and MFA device information. The value passed to --mfa is the device's serial number (the device ARN for a virtual MFA device) followed by a single space and the current MFA code, all inside one quoted string.

Troubleshooting Common Issues

Unauthorized Errors

  • Ensure you have the necessary permissions to enable versioning on the bucket.
  • Actions on S3 buckets may require specific S3 permissions or IAM policies.

Versioning Not Working as Expected

  • Verify versioning is enabled. If it is suspended, versioning will only apply to newer objects.
  • Check your bucket policies and IAM roles that may restrict modifications to the versioning state.

MFA Delete Problems

  • Make sure you're using root account credentials, as IAM users can't manage MFA Delete.
  • Check your MFA device's accuracy and ensure the MFA code is correct.

Following these guidelines will help you maintain compliance with NIST 800-53 Revision 5 by utilizing S3 bucket versioning effectively. By ensuring S3 buckets have versioning enabled, your organization will have an important recovery mechanism in place for critical data.
