Rule: S3 Bucket Versioning Should Be Enabled

This rule ensures that versioning is enabled for S3 buckets to prevent data loss and maintain data integrity.

Rule: S3 bucket versioning should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

S3 bucket versioning should be enabled to comply with the security requirement specified in NIST 800-53 Revision 5. Versioning allows you to keep multiple versions of an object in S3, providing data durability and the ability to recover from both unintended and malicious actions.

Enabling versioning ensures that any modifications or deletions to objects in the bucket are tracked and retained, preventing accidental data loss and providing a way to revert to previous versions if needed.

Troubleshooting Steps:

If versioning is not enabled for an S3 bucket, you may encounter the following issues:

  1. Accidental data loss: Without versioning, if an object is accidentally overwritten or deleted, there is no way to retrieve the previous version.

  2. Malicious actions: If a user with sufficient permissions intentionally deletes or modifies objects, there is no way to recover the original data without versioning.

Necessary Codes (CLI, SDK, etc.):

To enable versioning for an S3 bucket, you can use the AWS Command Line Interface (CLI) with the following command:

aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled

Replace <bucket-name> with the name of the S3 bucket for which you want to enable versioning.
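To check this rule across every bucket in an account and apply the command above where it fails, the following is an added example (not code from this page or from AWS). The function names are hypothetical, and it assumes the AWS CLI is configured with credentials that can list buckets and read and set their versioning. It goes beyond the page by also flagging buckets whose versioning is Suspended, a state in which new writes no longer create recoverable versions.

```shell
# Added example: audit S3 bucket versioning and optionally remediate.
# Function names are hypothetical; only documented "aws s3api" calls are used.

# Map the Status field of get-bucket-versioning to a verdict for this rule.
# With --output text the CLI prints "None" when versioning was never set.
versioning_verdict() {
  case "$1" in
    Enabled)   echo "PASS" ;;
    Suspended) echo "FAIL-suspended" ;;      # older versions kept, new writes unversioned
    None|"")   echo "FAIL-never-enabled" ;;
    *)         echo "UNKNOWN" ;;             # e.g. access denied on this bucket
  esac
}

# Print "<bucket> <verdict>" for each bucket. With "fix" as the first
# argument, enable versioning on failing buckets. The body runs in a
# subshell, so "exit" only sets the function's status: 0 if every bucket
# passed when checked, 1 otherwise, 2 if the bucket list could not be read.
audit_buckets() (
  mode="${1:-report}"
  rc=0
  buckets=$(aws s3api list-buckets --query 'Buckets[].Name' --output text) ||
    { echo "list-buckets failed" >&2; exit 2; }
  for bucket in $buckets; do
    status=$(aws s3api get-bucket-versioning --bucket "$bucket" \
               --query 'Status' --output text 2>/dev/null) || status="ERROR"
    verdict=$(versioning_verdict "$status")
    echo "$bucket $verdict"
    [ "$verdict" = "PASS" ] || rc=1
    case "$verdict" in
      FAIL-*)
        # Only remediate definite failures, never UNKNOWN results.
        if [ "$mode" = "fix" ]; then
          aws s3api put-bucket-versioning --bucket "$bucket" \
            --versioning-configuration Status=Enabled &&
            echo "$bucket REMEDIATED"
        fi ;;
    esac
  done
  exit "$rc"
)
```

Source the file, then run `audit_buckets` to report or `audit_buckets fix` to remediate. The status reflects the state found at check time, so a `fix` run that repaired buckets still returns 1.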

Remediation Steps:

Follow these steps to enable versioning for an S3 bucket:

  1. Open the AWS Management Console and navigate to the S3 service.

  2. Select the bucket for which you want to enable versioning.

  3. Click on the "Properties" tab.

  4. Under the "Advanced settings" section, click on the "Versioning" tile.

  5. Click on the "Edit" button.

  6. Select the "Enable versioning" option.

  7. Click on the "Save changes" button.

After completing these steps, versioning will be enabled for the selected S3 bucket. All subsequent modifications and deletions of objects in the bucket will be tracked and retained as different versions.
