S3 bucket versioning
Check ID: aws-s3-003
AWS-S3-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether S3 buckets have versioning enabled, which protects against accidental deletion or overwrites.
Why it matters
Without versioning, deleted or overwritten objects are permanently lost with no recovery option. This is particularly dangerous during ransomware attacks - threat actors routinely delete S3 data after exfiltration to pressure victims into paying. The 2023 Royal ransomware group specifically targeted unversioned S3 buckets for permanent data destruction. Versioning combined with MFA Delete and Object Lock provides immutable backups that even a compromised admin account cannot destroy. AWS reports that customers with versioning enabled recover from accidental deletions 90% faster. For critical data, enable versioning alongside lifecycle rules to manage storage costs from accumulated versions.
Common causes
Versioning is often disabled to save storage costs, especially on buckets with high write volumes like log aggregation or temporary data processing. Teams creating buckets for short-term projects skip versioning assuming the data is disposable, but the bucket outlives the project. Some engineers disable versioning after seeing unexpected storage growth from accumulated object versions without setting lifecycle rules.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
Remediation: AWS CLI
aws s3api put-bucket-versioning --bucket BUCKET_NAME --versioning-configuration Status=Enabled

Remediation: Terraform
resource "aws_s3_bucket_versioning" "bucket" {
  bucket = "bucket-name"
  versioning_configuration {
    status = "Enabled"
  }
}

This check is part of cloud-audit - install with pip install cloud-audit
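The following script is an added example and not cloud-audit's own code. It shows the logic behind this check in boto3 terms: the versioning state of a bucket is read with s3:GetBucketVersioning, whose response has no Status key when versioning was never enabled and Status "Suspended" when it was switched off later; only "Enabled" passes. It also pairs the remediation with a lifecycle rule that expires non-current versions, so enabling versioning does not cause the unbounded storage growth described under "Common causes". The function names (evaluate_versioning, scan_account, remediate_bucket, noncurrent_expiry_lifecycle), the rule ID and the 90-day default are assumptions of this example; boto3 is assumed to be installed and credentialed, and is imported only inside the functions that talk to AWS so the pure check logic runs offline.

```python
"""Check S3 buckets for versioning (the aws-s3-003 condition) and remediate.

Added example, not cloud-audit's own code. boto3 is assumed to be installed
and credentialed; it is imported lazily so evaluate_versioning() can be
exercised offline against the response shape of s3:GetBucketVersioning.
"""

from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    bucket: str
    status: str        # "Enabled", "Suspended" or "NeverEnabled"
    mfa_delete: str    # "Enabled", "Disabled" or "Unknown"
    compliant: bool
    detail: str


def evaluate_versioning(bucket: str, response: dict[str, Any]) -> Finding:
    """Classify one get_bucket_versioning() response.

    The API returns no 'Status' key for a bucket on which versioning has never
    been enabled, 'Suspended' when it was enabled and later turned off, and
    'Enabled' otherwise. 'MFADelete' only appears once it has been configured.
    """
    status = response.get("Status", "NeverEnabled")
    mfa_delete = response.get("MFADelete", "Unknown")
    if status == "Enabled":
        detail = "versioning enabled"
        if mfa_delete != "Enabled":
            detail += "; MFA Delete not enabled (consider it for critical data)"
        return Finding(bucket, status, mfa_delete, True, detail)
    if status == "Suspended":
        detail = "versioning suspended: new overwrites and deletes are unrecoverable"
    else:
        detail = "versioning never enabled: deletes and overwrites are permanent"
    return Finding(bucket, status, mfa_delete, False, detail)


def noncurrent_expiry_lifecycle(days: int) -> dict[str, Any]:
    """Lifecycle configuration that expires non-current object versions after
    `days`, keeping the storage cost of versioning bounded. Rule ID is a
    constructed placeholder."""
    return {
        "Rules": [
            {
                "ID": "expire-noncurrent-versions",
                "Status": "Enabled",
                "Filter": {"Prefix": ""},  # applies to every object in the bucket
                "NoncurrentVersionExpiration": {"NoncurrentDays": days},
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
            }
        ]
    }


def scan_account() -> list[Finding]:
    """Evaluate every bucket visible to the caller.

    Needs s3:ListAllMyBuckets and s3:GetBucketVersioning on each bucket."""
    import boto3  # assumed available; imported lazily on purpose

    s3 = boto3.client("s3")
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        findings.append(evaluate_versioning(name, s3.get_bucket_versioning(Bucket=name)))
    return findings


def remediate_bucket(name: str, noncurrent_days: int = 90) -> None:
    """Same effect as the CLI remediation above, plus a lifecycle rule.

    Caveat: put_bucket_lifecycle_configuration replaces any existing lifecycle
    rules on the bucket, so merge with get_bucket_lifecycle_configuration()
    first if the bucket already has rules."""
    import boto3  # assumed available

    s3 = boto3.client("s3")
    s3.put_bucket_versioning(
        Bucket=name, VersioningConfiguration={"Status": "Enabled"}
    )
    s3.put_bucket_lifecycle_configuration(
        Bucket=name, LifecycleConfiguration=noncurrent_expiry_lifecycle(noncurrent_days)
    )


if __name__ == "__main__":
    for finding in scan_account():
        print(f"{'PASS' if finding.compliant else 'FAIL'} {finding.bucket}: {finding.detail}")
```

Running the module prints one PASS/FAIL line per bucket; remediate_bucket() is kept separate so a reviewer can approve findings before anything is changed. Suspended buckets are reported as failures on purpose: earlier versions are retained, but anything written or deleted after suspension has no recovery path.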
Related article
AWS Security Audit: 17 Issues in Every Account →