AWS Security Cookbook

Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS

Product type Paperback
Published in Feb 2020
Publisher Packt
ISBN-13 9781838826253
Length 440 pages
Edition 1st Edition
Author: Heartin Kanikathottu

Protecting data with versioning

In this recipe, we will learn to enable versioning on an S3 bucket. If versioning is enabled for a bucket, S3 keeps a copy of every version of the file within the bucket. Versioning protects data by providing a means to recover it in the case of unintentional actions such as deletes and overwrites.

Getting ready

We need a working AWS account with the following resources configured:

  1. A bucket: I will be using a bucket named awsseccookbook. Replace it with your bucket name.
  2. A user with administrator permission on S3: Configure a CLI profile for this user if you want to execute this recipe from the CLI. I will be calling both the user and the CLI profile awssecadmin.

How to do it...

We can enable versioning as follows:

  1. Go to the S3 bucket's Properties tab, click on Versioning, select Enable Versioning, and then click Save.
  2. Suspend versioning from the same screen by selecting Suspend versioning and then clicking Save.

How it works...

In this recipe, we enabled and suspended versioning from the console. After we enable versioning, S3 stores every version of the object with a version ID. While making a GET request, we can specify the ID of the version to be returned. If you do not specify any version while making a GET request, S3 will return the latest version of the object.

We can restore an S3 version using either of the following ways:

  • Retrieve the version we want to restore and add it to the bucket with a PUT request (recommended).
  • Delete every version of the object that is newer than the required version, starting from the current version, until the required version becomes the current version.

When you delete an object with versioning enabled, a delete marker is added as the latest version of the object. If you delete the delete marker, another version of the delete marker is created. We can delete a specific version of an object by specifying the version ID. When we delete a version, no delete markers are inserted.

Once versioning is enabled, it cannot be disabled, only suspended. No further versions are created when versioning is suspended. However, all previous versions will still be present. Once versioning is suspended, any new object will be stored with a NULL version ID and becomes the current object.

There's more...

We can enable and suspend versioning from the CLI using the put-bucket-versioning sub-command, providing the bucket and versioning-configuration options. versioning-configuration contains two parameters: MFADelete, which denotes the required state of MFA Delete (Enabled or Disabled), and Status, which denotes the required state of versioning (Enabled or Suspended). For the versioning configuration, we can either use the shorthand form, --versioning-configuration MFADelete=Disabled,Status=Enabled, or we can specify a JSON file with the configuration as --versioning-configuration file://resources/versioning-configuration.json. The JSON file will look as follows:

{
"MFADelete": "Disabled",
"Status": "Enabled"
}

Complete CLI commands for enabling and suspending versioning are available with the code files.

Let's quickly go through some important concepts related to S3 versioning:

  • Versioning is a sub-resource of an S3 object.
  • A delete request on a suspended bucket will work as follows:

    • If there is a version with the NULL version ID (this is present only if the object was modified after suspending versioning), it is deleted and then a delete marker with the NULL version ID is inserted.
    • If there is no version with the NULL version ID, a delete marker with the NULL version ID is inserted.
  • We can use life cycle management rules to transition older versions to other S3 storage tiers (archives) or even delete them.
  • We can protect versions by enabling MFA Delete. With MFA Delete for versioning, an extra level of authentication is required to delete versions. The MFA Delete configuration is stored within the versioning sub-resource.

Let's also quickly go through some scenario-based questions to understand versioning better:

  • We enabled versioning and PUT the same object twice (with modifications). We then suspended versioning and PUT the same object twice (with modifications). How many versions of the object will now be available if you check? 3.
  • We enabled versioning and PUT the same object twice, creating two versions as version 1 and version 2. We then suspended versioning and PUT the same object again, creating version 3. Later, we deleted the object. Can we restore this object? If yes, which version will be the latest? We can restore the object, and the latest one following the restoration will be version 2.
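
The version, delete-marker, and suspended-bucket rules described in this recipe, and both scenario questions, can be checked with a small in-memory model. This is an added example, not code from the book or from AWS: the VersionedBucket class, the key k, and the v1/v2 style IDs are hypothetical (real S3 version IDs are opaque strings), and the model assumes versioning has already been enabled on the bucket.

```python
import itertools

class VersionedBucket:
    """Toy model of the versioning rules in this recipe; not AWS code."""
    def __init__(self):
        self.status = "Enabled"       # assumption: versioning was already enabled
        self.stacks = {}              # key -> list of versions, oldest first
        self._ids = itertools.count(1)

    def _push(self, key, body, marker=False):
        stack = self.stacks.setdefault(key, [])
        if self.status == "Suspended":  # only one "null" version can exist
            stack[:] = [v for v in stack if v["id"] != "null"]
        vid = f"v{next(self._ids)}" if self.status == "Enabled" else "null"
        stack.append({"id": vid, "body": body, "marker": marker})
        return vid

    def put(self, key, body):
        return self._push(key, body)

    def delete(self, key, version_id=None):
        if version_id is None:        # plain delete: a delete marker is added
            return self._push(key, None, marker=True)
        # delete by version ID: that version is removed, no marker is inserted
        self.stacks[key] = [v for v in self.stacks[key] if v["id"] != version_id]

    def get(self, key, version_id=None):
        stack = self.stacks.get(key, [])
        hits = [v for v in stack if version_id in (None, v["id"])]
        if not hits or hits[-1]["marker"]:
            raise KeyError(key)       # missing, or the latest entry is a marker
        return hits[-1]["body"]

    def object_versions(self, key):
        return [v["id"] for v in self.stacks.get(key, []) if not v["marker"]]

def scenario_one():                   # first question: how many versions?
    b = VersionedBucket()
    b.put("k", "one"); b.put("k", "two")
    b.status = "Suspended"
    b.put("k", "three"); b.put("k", "four")
    return b.object_versions("k")

def scenario_two():                   # second question: restore after delete
    b = VersionedBucket()
    b.put("k", "one"); b.put("k", "two")
    b.status = "Suspended"
    b.put("k", "three")
    b.delete("k")                     # null version replaced by a null marker
    b.delete("k", "null")             # remove the marker by its version ID
    return b.get("k"), b.object_versions("k")
```

In the second scenario the plain delete on the suspended bucket removes the NULL version itself, which is why version 3 cannot come back and version 2 becomes the latest after the delete marker is removed.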

See also
