AWS Security Cookbook

By: Heartin Kanikathottu

Overview of this book

As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability) and the AAA triad (authentication, authorization, and accounting), along with non-repudiation. The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring and compliance, and GuardDuty, Macie, and Inspector for threat detection, sensitive-data discovery, and vulnerability assessment. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure. By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.

Protecting data with versioning

In this recipe, we will learn to enable versioning on an S3 bucket. When versioning is enabled on a bucket, S3 keeps every version of every object written to it, each under its own version ID, instead of overwriting objects in place. Versioning protects data by giving us a way to recover it after unintentional actions such as deletes and overwrites.

Getting ready

We need a working AWS account with the following resources configured:

  1. A bucket: I will be using a bucket named awsseccookbook. Replace it with your bucket name.
  2. A user with administrator permission on S3: Configure a CLI profile for this user if you want to execute this recipe from the CLI. I will name both the user and the CLI profile awssecadmin.

How to do it...

We can enable versioning as follows:

  1. Go to the S3 bucket's Properties tab, click on Versioning, select Enable Versioning, and then click Save.
  2. Suspend versioning from the same screen by selecting Suspend versioning and click Save.

How it works...

In this recipe, we enabled and suspended versioning from the console. Once versioning is enabled, S3 stores every version of an object under a unique version ID. When making a GET request, we can specify the ID of the version to be returned. If we do not specify a version, S3 returns the current (latest) version of the object; if that current version is a delete marker, the GET fails with 404 Not Found even though the older versions are still present and retrievable by version ID.

We can restore a previous version of an object in either of the following ways:

  • Retrieve the version we want to restore and write it back to the same key with a PUT request (recommended). This makes the old content the new current version while leaving the full version history intact.
  • Delete, by version ID, every version newer than the one we want, until the required version becomes the current version. Versioned deletes are permanent, so this is the less safe option.

When you issue a simple DELETE (one without a version ID) on an object in a bucket with versioning enabled, nothing is removed: S3 adds a delete marker as the new current version of the object, so plain GET requests for the key now return 404 while every earlier version remains retrievable by version ID. Repeating the simple DELETE while a delete marker is current does not remove that marker; it inserts yet another delete marker on top. To permanently remove a specific version, or to remove a delete marker, we specify its version ID in the DELETE request; such a versioned delete is final and inserts no delete marker. Deleting the current delete marker by its version ID is therefore how the previous version becomes current again.

Once versioning is enabled, it cannot be disabled, only suspended. No further versions are created while versioning is suspended, but all previously stored versions remain in place and are still retrievable by version ID. While versioning is suspended, any object written is stored with the version ID null, replacing any existing null version of that key, and becomes the current version.

There's more...

We can enable and suspend versioning from the CLI with the aws s3api put-bucket-versioning sub-command, providing the --bucket and --versioning-configuration parameters. The versioning configuration contains two fields: MFADelete, which denotes the required state of MFA Delete (Enabled or Disabled), and Status, which denotes the required state of versioning (Enabled or Suspended). We can either use the shorthand form, --versioning-configuration MFADelete=Disabled,Status=Enabled, or point to a JSON file containing the configuration, as in --versioning-configuration file://resources/versioning-configuration.json; the JSON file looks as follows:

{
    "MFADelete": "Disabled",
    "Status": "Enabled"
}

Complete CLI commands for enabling and suspending versioning are available with the code files.

Let's quickly go through some important concepts related to S3 versioning:

  • Versioning is a sub-resource of an S3 bucket, not of an object; the versioning state applies to every object in the bucket.
  • A simple DELETE (no version ID) on an object in a bucket whose versioning is suspended works as follows:

    • If there is a version with the null version ID (present if the object was written before versioning was enabled or after it was suspended), that version is permanently deleted and then a delete marker with the null version ID is inserted.
    • If there is no version with the null version ID, only a delete marker with the null version ID is inserted; the versions created while versioning was enabled are untouched.
  • We can use lifecycle management rules to transition older (noncurrent) versions to cheaper S3 storage classes or archive tiers, or to expire them after a set number of days, so that version history does not grow without bound.
  • We can protect versions by enabling MFA Delete. With MFA Delete enabled, a request to permanently delete a version or to change the bucket's versioning state must carry a valid code from the bucket owner's MFA device. The MFA Delete configuration is stored within the versioning sub-resource and can only be enabled by the AWS account root user, by passing the --mfa parameter to put-bucket-versioning.

Let's also quickly go through some scenario-based questions to understand versioning better:

  • We enabled versioning and PUT the same object twice (with modifications). We then suspended versioning and PUT the same object twice more (with modifications). How many versions of the object will now be available if we check? 3: the two PUTs made while versioning was enabled each received a unique version ID, while the two PUTs made while suspended both used the version ID null, so the second of them overwrote the first.
  • We enabled versioning and PUT the same object twice, creating version 1 and version 2. We then suspended versioning and PUT the same object again, creating version 3 (stored under the null version ID). Later, we deleted the object with a simple DELETE. Can we restore this object? If yes, which version will be the latest? We can restore it by deleting the delete marker by its version ID (null). The latest version after the restoration will be version 2, because the simple DELETE on a suspended bucket permanently removed the null version (version 3) before inserting the delete marker.
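The delete-marker rules, the suspended-bucket behaviour and the two scenario questions above are easy to get wrong from prose alone. The following in-memory model is an added example (not code from the book or from AWS) that encodes exactly those rules and replays the scenarios, including the recommended restore-by-PUT path. Class and function names, the key report.csv, and the readable version IDs v1, v2, ... are this example's own choices; real S3 version IDs are opaque strings, and the only literal ID the model shares with S3 is null.

```python
"""In-memory model of S3 bucket versioning semantics (added example, not AWS or book code).
Names such as VersionedBucket and report.csv are this example's own choices."""
from collections import namedtuple
from itertools import count

NULL_VERSION = "null"  # literal version ID S3 uses while versioning is off or suspended
Version = namedtuple("Version", "version_id body is_delete_marker")  # body None for markers
KEY = "report.csv"  # constructed sample key


class VersionedBucket:
    def __init__(self):
        self.status = None  # None (never versioned), "Enabled" or "Suspended"
        self._objects = {}  # key -> list[Version], oldest first
        self._ids = count(1)

    def put_bucket_versioning(self, status):
        # Versioning is a bucket sub-resource: once Enabled it can only be Suspended.
        if status not in ("Enabled", "Suspended"):
            raise ValueError("Status must be Enabled or Suspended")
        self.status = status

    def _next_id(self):
        # Only an Enabled bucket mints real version IDs; everything else is "null".
        return f"v{next(self._ids)}" if self.status == "Enabled" else NULL_VERSION

    @staticmethod
    def _drop_null(versions):
        # At most one "null" entry (object or delete marker) exists per key.
        versions[:] = [v for v in versions if v.version_id != NULL_VERSION]

    def put_object(self, key, body):
        versions = self._objects.setdefault(key, [])
        vid = self._next_id()
        if vid == NULL_VERSION:
            self._drop_null(versions)  # suspended/unversioned PUT overwrites in place
        versions.append(Version(vid, body, False))
        return vid

    def get_object(self, key, version_id=None):
        versions = self._objects.get(key, [])
        if version_id is None:  # current version, unless that is a delete marker (404)
            if not versions or versions[-1].is_delete_marker:
                raise KeyError(f"NoSuchKey: {key}")
            return versions[-1].body
        for v in versions:
            if v.version_id == version_id and not v.is_delete_marker:
                return v.body
        raise KeyError(f"NoSuchVersion: {key}@{version_id}")

    def delete_object(self, key, version_id=None):
        versions = self._objects.setdefault(key, [])
        if version_id is not None:  # versioned DELETE: permanent, no marker inserted
            for i, v in enumerate(versions):
                if v.version_id == version_id:
                    del versions[i]
                    return version_id
            raise KeyError(f"NoSuchVersion: {key}@{version_id}")
        if self.status is None:  # never versioned: the object is simply gone
            self._objects.pop(key, None)
            return None
        marker_id = self._next_id()  # simple DELETE: insert a delete marker
        if marker_id == NULL_VERSION:
            self._drop_null(versions)  # suspended: the null version is lost first
        versions.append(Version(marker_id, None, True))
        return marker_id

    def list_object_versions(self, key):
        # Same split as list-object-versions: newest first, markers listed apart.
        versions = list(reversed(self._objects.get(key, [])))
        return {"Versions": [v.version_id for v in versions if not v.is_delete_marker],
                "DeleteMarkers": [v.version_id for v in versions if v.is_delete_marker]}


def suspended_bucket_scenarios():
    # The two scenario questions from the recipe, replayed against the model.
    b = VersionedBucket()
    b.put_bucket_versioning("Enabled")
    b.put_object(KEY, b"version 1")
    b.put_object(KEY, b"version 2")
    b.put_bucket_versioning("Suspended")
    b.put_object(KEY, b"version 3")  # stored as "null"
    b.put_object(KEY, b"version 4")  # overwrites "null": still 3 versions in total
    versions = b.list_object_versions(KEY)["Versions"]
    marker = b.delete_object(KEY)  # null object deleted, null delete marker inserted
    b.delete_object(KEY, version_id=marker)  # versioned delete of the marker = restore
    return versions, b.get_object(KEY)


def restore_old_version_by_put():
    # Recommended restore: read the wanted version and PUT it back as the new current.
    b = VersionedBucket()
    b.put_bucket_versioning("Enabled")
    v1 = b.put_object(KEY, b"good")
    b.put_object(KEY, b"corrupted")
    b.delete_object(KEY)  # simple DELETE: key reads as missing, history still intact
    b.put_object(KEY, b.get_object(KEY, version_id=v1))
    listing = b.list_object_versions(KEY)
    return b.get_object(KEY), len(listing["Versions"]), len(listing["DeleteMarkers"])
```

suspended_bucket_scenarios() returns the three surviving version IDs (null, v2, v1) and then b"version 2" as the current object after the null delete marker is removed, matching both answers above; restore_old_version_by_put() shows that a restore by PUT leaves the corrupted version and the delete marker in the history, so a lifecycle rule is still needed if noncurrent versions are to be expired.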

See also