Site Reliability

Enable S3 versioning on critical buckets

Without versioning, an overwrite or delete is permanent. Turn it on and pair with a noncurrent-version lifecycle so you don't pay forever.

12 min·10 sections·AWS

Last reviewed 27 May 2026

S3 versioning: the basics

What does versioning actually protect against?

S3 versioning is a per-bucket setting that keeps every version of every object. With it off — the default — an overwrite replaces the object in place and a delete removes it permanently. There is no undo, no recycle bin, no support ticket that recovers a 2GB blob you accidentally clobbered with an empty file at 3pm on a Friday.

With versioning on, an overwrite preserves the prior version under a new version-id, and a delete adds a delete marker on top of the existing object. The object isn't gone — it's hidden behind the marker, and removing the marker restores it. Every mutation becomes recoverable, by anyone with s3:GetObjectVersion and a few seconds at the CLI.

Continuity check S3-DR-001 ("Versioning Disabled") flags every bucket where the versioning status is anything other than Enabled — either Suspended (was on, was turned off) or unset (never turned on). It runs per-bucket and emits a HIGH severity finding because the blast radius of an accidental or malicious delete on a bucket holding application state, configuration, or compliance data is enormous and unrecoverable.

In this lesson you'll learn which buckets genuinely need versioning, how to turn it on without breaking anything, how to pair it with a noncurrent-version lifecycle so the storage bill doesn't compound, and when to layer Object Lock or MFA Delete on top for harder protection. You'll see the inventory query that finds unversioned buckets and the activation call that takes effect instantly.

Fun fact

Versioning is one-way

Once you enable versioning on a bucket, you cannot fully disable it again. AWS only lets you move it to a Suspended state — new writes stop creating versions, but every existing version stays in place until you explicitly delete it or a lifecycle rule expires it. There is no "unversion this bucket" button. This is deliberate: the original feature spec assumed that if you ever needed versioning, you needed it forever, and turning it off should never be the cause of a data-loss incident.

Enabling versioning in action

Marco runs platform engineering at a fintech. A continuity audit flags 47 unversioned buckets across the org; the highest-priority one holds the Terraform state for production infrastructure — acme-prod-tfstate. Severity: HIGH. If anyone runs terraform destroy against the wrong workspace, or fat-fingers an aws s3 rm --recursive, the entire state file is gone with no recovery path.

He's resisted enabling versioning historically because of the cost story — Terraform state files churn on every apply, and keeping every version forever could double the bucket's storage line. But the math has shifted: the bucket is small (~2GB), and a lifecycle rule expiring noncurrent versions after 60 days keeps the bill flat while still giving him a 60-day undo window for every mutation.

He pulls the bucket list to confirm which other critical buckets are also unversioned, then enables versioning on the tfstate bucket as the first move.

First, list every bucket in the account whose versioning status is anything other than Enabled — these are the candidates the continuity check is flagging.

$ for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do echo "$b $(aws s3api get-bucket-versioning --bucket $b --query Status --output text)"; done

acme-prod-tfstate None

acme-prod-app-config None

acme-prod-secrets-backup None

acme-prod-audit-logs Enabled

acme-data-pipeline-staging None

acme-prod-cur-reports Enabled

acme-prod-customer-uploads Suspended

# tfstate, config, secrets-backup, customer-uploads — all unversioned. Pipeline staging is fine; it's re-derived from upstream.

Bucket inventory with versioning status. None means never turned on; Suspended means it was on and turned off.

Now enable versioning on the tfstate bucket. The call is instant — new writes will start creating versions immediately.

$ aws s3api put-bucket-versioning --bucket acme-prod-tfstate --versioning-configuration Status=Enabled

# No output on success — the call returns 200 and exits.

$ aws s3api get-bucket-versioning --bucket acme-prod-tfstate

{

"Status": "Enabled"

}

# Versioning is now on. Any object written from this moment is recoverable; objects already in the bucket remain at their current state — no retroactive version history.

Enabling versioning is a single API call, takes effect immediately, and never blocks reads or writes.

Versioning under the hooddeep dive

Every object in a versioned bucket gets a unique VersionId — a URL-safe string assigned at write time. The bucket index keeps every version of every key, ordered by write time, with one designated as the "current" version. A GET without a version-id returns the current version; a GET with ?versionId=... returns that exact version. A DELETE without a version-id writes a zero-byte delete marker that becomes the new current version, hiding everything below it. A DELETE with a specific version-id permanently removes that version.

Object Lock is a separate layer that sits on top of versioning. It requires versioning to be enabled (you can't have Lock without versions to lock). Two modes: Governance lets IAM principals with the s3:BypassGovernanceRetention permission override the lock; Compliance doesn't — once an object is locked in compliance mode for a retention period, nobody, not even the root account, can delete it before the period expires. This is the layer that protects against ransomware: an attacker with full IAM permissions still can't delete locked versions.

Storage cost grows linearly with the number of versions retained. Every version is billed as a separate object at its storage class. This is why an enabled-and-untouched versioning policy can quietly double or triple a bucket's storage bill over a year — every overwrite keeps the old version forever. The fix is a Lifecycle rule with NoncurrentVersionExpiration set to 30-90 days depending on how long you actually need to be able to roll back.

# Inspect every version of a key — what versioning actually gives you.
aws s3api list-object-versions \
  --bucket acme-prod-tfstate \
  --prefix env/prod/terraform.tfstate

# Recover a deleted object by removing the delete marker.
aws s3api delete-object \
  --bucket acme-prod-tfstate \
  --key env/prod/terraform.tfstate \
  --version-id <delete-marker-version-id>

What is the impact of running unversioned?

The most direct impact is unrecoverable data loss. An accidental aws s3 rm, a bad CI/CD pipeline that uploads the wrong artefact, a misconfigured terraform apply that destroys state, a compromised CI key that wipes a bucket — every one of these is permanent on an unversioned bucket. The cost is whatever it takes to rebuild the data: hours, days, or in the case of customer-generated content, never.

The second-order impact is operational: without versioning, every change to a critical object becomes a high-stakes event. Engineers slow down, add review gates, manually back up files before edits — all because the underlying storage doesn't have an undo. The friction is invisible on the bill but very real in delivery speed.

The third-order impact is regulatory. SOC 2, ISO 27001, HIPAA, and most financial regulators expect demonstrable backup and recovery capability for systems handling regulated data. "We rely on S3 durability" is not an acceptable answer when an auditor asks how you recover from an accidental delete — S3's 11-nines durability protects against disk failure, not human or programmatic error.

Versioning does add real cost — typically 10-40% extra storage on busy buckets if left unbounded. That's why the right shape is always versioning enabled plus a noncurrent-version lifecycle rule. Storage you keep for 30-90 days as a safety net, then expire. The cost of the safety net is almost always trivial compared to the cost of not having it the one time it's needed.

How do you enable versioning safely?

Enabling versioning is a four-step loop. The activation itself is instant and harmless; the surrounding steps make sure you don't end up paying for protection you can't afford, or skipping protection you needed.

1. Inventory and triage which buckets need it

Not every bucket needs versioning. Buckets that should always have it: anything holding application state, configuration, secrets, Terraform/Pulumi state, customer-uploaded content, audit logs, or anything compliance-relevant. Buckets that may not: pure data-pipeline staging that's deterministically re-derived from an upstream source on every run, or temporary scratch buckets with explicit short TTLs. Walk the list and tag each bucket with critical, replaceable, or scratch before flipping anything on.

2. Enable versioning + a noncurrent-version lifecycle in the same change

Turn versioning on with put-bucket-versioning Status=Enabled and immediately add a Lifecycle rule expiring noncurrent versions after 30-90 days (90 is a common audit-friendly default; 30 is fine for high-churn buckets where storage cost is the constraint). Without the lifecycle, storage cost grows forever; with it, the bucket has a bounded recovery window and a bounded bill.

3. For ransomware-grade protection, layer Object Lock

For buckets holding compliance evidence, audit logs, or backups that must survive a credential compromise, enable Object Lock in Compliance mode with a retention period appropriate to the data (often 7 years for financial records). Object Lock requires versioning, must be enabled at bucket creation or via support ticket, and once a version is locked it cannot be deleted until the retention period expires — by anyone, including root. Use Governance mode if you need an emergency-break escape valve for trusted admins.

4. Prevent recurrence with AWS Config and SCPs

Enable the AWS Config managed rule s3-bucket-versioning-enabled to fire whenever someone creates a new bucket without versioning, or suspends versioning on an existing one. At the organisation level, add an SCP that denies s3:PutBucketVersioning calls with Status=Suspended for production accounts — engineers can enable but cannot disable. The combination catches both accidental misconfiguration and deliberate exfiltration prep.

# Enable versioning + add a 90-day noncurrent-version expiration in the same change.
aws s3api put-bucket-versioning \
  --bucket acme-prod-tfstate \
  --versioning-configuration Status=Enabled

aws s3api put-bucket-lifecycle-configuration \
  --bucket acme-prod-tfstate \
  --lifecycle-configuration '{
    "Rules": [{
      "ID": "expire-noncurrent-90d",
      "Status": "Enabled",
      "Filter": {},
      "NoncurrentVersionExpiration": { "NoncurrentDays": 90 }
    }]
  }'

Quick quiz

Question 1 of 5

You've just enabled versioning on a production bucket holding Terraform state. What's the most important follow-up step to make sure the change is operationally sound?

Keep learning

Dig deeper into S3 data-protection and durability primitives.

You've completed Enable S3 versioning on critical buckets. You now know which buckets need versioning, how to enable it without unbounded cost, when to layer Object Lock for ransomware-grade protection, and how to prevent the setting from being silently disabled. The next time a continuity audit flags an unversioned bucket, you'll have a four-step loop ready to run.

Back to the library

S3 versioning: what it costs and what it buys

A bounded storage increment that converts accidental deletes from unrecoverable disasters into a rollback operation

Amazon S3 stores objects — files, configuration, application state, Terraform plans, audit logs. By default a bucket has no version history: any overwrite or delete is immediate and permanent. There is no undo and no support escalation that can recover lost data. The continuity check S3-DR-001 flags these buckets at HIGH severity because the business cost of permanent data loss is nearly always far higher than the cost of the control.

S3 versioning keeps every prior copy of each object, indexed by a version-id, for as long as you choose. The storage bill does grow — every overwrite keeps the old copy — but that cost is entirely controllable. A lifecycle rule that expires non-current versions after 30 to 90 days puts a hard ceiling on retained storage, so you get a rolling recovery window without unbounded accumulation. The incremental cost on a well-governed bucket is typically 10-40% of the bucket's baseline storage spend.

The finance framing is a tiering decision with a predictable cost model: identify which buckets hold irreplaceable data, estimate the versioning storage increment (current bucket size × churn rate × retention window), and approve the spend tier-by-tier. The alternative — no versioning — is an unquantifiable tail risk that materialises the moment someone runs the wrong command. Most organisations find the premium trivially small against the data they're protecting.

This lesson is for the finance partner who wants to understand the cost structure of S3 versioning before approving it. You'll get a clear model of the storage increment, how a lifecycle rule puts a ceiling on it, which bucket categories justify the spend, and the governance levers — tiering policy, Config rules, and suppression standards — that keep both the risk and the storage bill under control. No CLI knowledge required.

Fun fact

Versioning is one-way

How a finance partner frames the versioning decision

Priya is the finance partner for the platform team. The continuity report lands with 47 HIGH-severity findings — 47 buckets with no version history. Rather than treat it as a bulk engineering task, she asks the tiering question: which of these 47 hold data that the business could not reconstruct if it were destroyed, and what would that reconstruction actually cost?

The team groups them in thirty minutes using bucket tags and naming conventions. Seven hold genuinely irreplaceable data: production Terraform state, application config, customer-uploaded documents, and audit logs. For those seven, Priya models the versioning increment — average bucket size times estimated churn rate times a 90-day retention window — and finds the total additional monthly storage cost is well under $200. Against the exposure of losing production infrastructure state or customer documents, the spend is trivially justified.

The remaining 40 buckets are data-pipeline staging: re-derived from upstream sources on every run, nothing irreplaceable. The team documents them as intentionally unversioned and suppresses the findings with a recorded reason. Priya's output for the finance review is a one-liner: seven critical buckets now version-protected at $180/month incremental cost; 40 pipeline buckets intentionally unversioned with sign-off. The spend is predictable, the risk is tiered, and both decisions are on the record.

What running unversioned actually costs — and the model for fixing it

The absence of versioning is a tail risk with a bimodal cost distribution: almost nothing, almost always — then a catastrophic one-time event when the bad command finally runs. The challenge for finance is that a bucket that has never had an incident looks identical on the bill to one that has versioning. The risk is invisible until it materialises.

The cost of a data-loss event on an unversioned bucket is almost always dominated by labour and business impact, not infrastructure. A lost Terraform state file for production infrastructure means days of engineering time to reconstruct it from provider APIs, plus the downstream delays to any infrastructure changes during the recovery window. A bucket holding customer-generated content that is accidentally wiped may have no recovery path at all — the cost is the customer relationship and any regulatory exposure.

The incremental cost of S3 versioning is predictable and modelable. For any bucket, the monthly storage increment is roughly: (average object size × daily write volume × retention days × $S3-per-GB). Pair that with a 90-day lifecycle expiration and the number is bounded. For most production buckets holding configuration or state, the monthly premium runs in the tens to low hundreds of dollars — a fraction of what a single recovery incident would cost in engineering hours alone.

Finance's role here is to push for the tiering decision and the lifecycle rule, not just approval of the versioning toggle. An organisation that enables versioning without a noncurrent-version lifecycle will see storage costs drift upward silently. The right package is both controls deployed together, with the lifecycle window set deliberately based on how long a recovery window the business actually needs.

How finance makes S3 versioning a governed spend decision

Finance can't run the AWS CLI, but it owns the approval framework that makes versioning a deliberate, bounded cost rather than either a hidden risk or an open-ended storage increment. Four levers.

1. Require a tiering decision before any enablement

Insist that the team classifies every flagged bucket before touching anything: critical (irreplaceable data), replaceable (re-derivable from upstream), or scratch (short TTL). Only critical buckets need versioning approved. This prevents both waste — paying the premium on pipeline staging — and gaps — skipping protection on buckets that quietly hold irreplaceable data.

2. Approve versioning only when paired with a lifecycle window

The storage cost of versioning is unbounded without a noncurrent-version expiration rule. Make it a gate: any versioning approval includes the lifecycle window (30-90 days) as part of the same change. That converts the cost from an open-ended accumulation into a predictable monthly increment — current bucket size × churn rate × retention days — that you can model and monitor on the bill.

3. Track the cost of intentional exceptions

Every bucket left unversioned by deliberate decision should carry a documented justification and an owner. Finance should be able to see not just what is protected, but what is not — and why. That paper trail is the difference between a defensible risk register entry and a blind spot that becomes a post-incident liability.

4. Flag versioning suspension as a cost and risk alert

A drop in versioning storage on a previously-protected bucket may mean someone suspended versioning to reduce the bill. That's a risk decision disguised as a cost optimisation. Work with engineering to add a Config rule alert on versioning suspension in production accounts so that any future budget-motivated disablement surfaces as an explicit conversation, not a silent change.

Quick quiz

Question 1 of 5

The team proposes enabling versioning on 47 flagged S3 buckets to clear the continuity findings. As the finance partner, what's the right response?

Keep learning

Dig deeper into S3 data-protection and durability primitives.

You've finished the finance partner's view of S3 versioning. You know the storage cost increment is predictable and modelable, why a lifecycle window is a mandatory pairing — not an optional follow-up — and the four levers: tiering classification, lifecycle-gated approvals, documented exceptions, and alerting on versioning suspension. The next time the continuity report lands, you'll have the framework to turn a list of HIGH findings into a deliberate, bounded spend decision rather than a blanket yes or no.

Back to the library

S3 versioning: the headline

Whether the organisation can recover from a bad delete without a crisis

S3 is where cloud workloads store their state — Terraform configurations, application data, audit logs, customer uploads. Without versioning, any overwrite or delete is permanent. A misconfigured script, a compromised credential, or a single mistaken command can erase data with no recovery path. This control — flagged HIGH severity — asks whether that scenario is possible on your critical buckets.

Versioning flips the default: deletes become reversible and overwrites keep their history. The cost increment is modest and controllable with a retention window. The leadership question is whether data loss from human or automated error is an acceptable business risk, or whether a small recurring storage cost is the right trade. For any bucket holding regulated data, customer records, or infrastructure state the answer is almost always clear.

A short read for the executive who needs to know what this control prevents and what the right posture looks like. You'll get the plain-English version of versioning — why it matters for data recovery, why it isn't free, and what a deliberate tiering policy looks like — without implementation detail. The goal is to be able to answer confidently when asked whether the organisation can recover from an accidental delete on its critical data stores.

Fun fact

Versioning is one-way

What it looks like when the organisation gets this right

At one company the VP of Engineering used to answer questions about data recovery with "we rely on S3 durability." That answer protected against disk failure, not against a developer running the wrong delete command — which is the scenario that actually happens. After adopting S3-DR-001 as a tracked control, the answer changed: a short, tiered list showing which buckets had versioning and a rollback window, and which were intentionally unversioned pipeline buckets with a documented reason.

What changed wasn't just the technical configuration. It was that the question "can we recover if someone deletes the wrong thing?" had a specific, defensible answer rather than a vague one. The critical buckets had a 90-day recovery window by policy. The non-critical ones were intentionally unprotected with a recorded justification. The residual risk was visible and owned.

That's the right end state: not versioning on every bucket regardless of cost, but a deliberate tier where the buckets that matter are protected, the ones that don't are documented, and the posture is maintained by a Config rule that fires the moment someone creates an unversioned bucket in a production account.

Why this appears on the risk register

S3 buckets are where organisations store the things that are hard or impossible to recreate: infrastructure state, customer uploads, compliance records, application configuration. Without versioning, any delete or overwrite is permanent. The question this control asks is whether the organisation is one bad command away from a data-loss incident with no recovery path — and for unversioned critical buckets, the answer is yes.

The HIGH severity rating reflects the asymmetry of the risk. The cost of enabling versioning is small and predictable. The cost of not having it is unbounded and back-loaded — nothing happens for years, and then the one incident where it would have mattered makes the entire saving irrelevant. This is the pattern that belongs on a risk register, not just a security findings dashboard.

The right posture is a deliberate tier: versioning on every bucket that holds data the business cannot reconstruct, a lifecycle window that bounds the storage cost, and a documented decision for every bucket left unversioned. An auditor, a regulator, or a board asking about data recovery capability should get a specific answer — not a reference to S3's hardware durability guarantees.

The leadership posture on S3 versioning

The executive handle is not to mandate versioning on every bucket — it's to ensure that every bucket's protection decision is deliberate, on the record, and matched to the data's business importance.

1. Set a default: critical data buckets are versioned

Make it policy that any bucket holding data the organisation cannot reconstruct — infrastructure state, customer records, compliance evidence — carries versioning by default. A clear policy removes the per-bucket debate and means the systems that matter are protected by design.

2. Accept intentional exceptions for replaceable data

Pipeline staging and scratch buckets correctly have no versioning. Driving the finding count to zero would mean paying for protection on data that can be regenerated on demand. The goal is the right tier per bucket, not uniform coverage.

3. Require that lifecycle windows are set alongside versioning

Versioning without a retention window is a cost control failure — storage grows silently forever. Make it a standing requirement that any versioning enablement includes a lifecycle expiration. This keeps the protection programme from becoming an uncontrolled cost line.

4. Ask for the recovery posture, not the finding count

At the leadership review the right question is: "For every bucket holding data we cannot recreate, do we have a versioning policy with a defined recovery window and a lifecycle bound on cost?" A consistent yes means data protection is governed by policy. That's the one-minute confidence signal this control is designed to provide.

Quick quiz

Question 1 of 5

A board member asks: "If a developer accidentally deletes our production customer-upload bucket, can we recover it?" Your audit shows that bucket has versioning enabled with a 90-day lifecycle window. What's the correct answer?

Keep learning

Dig deeper into S3 data-protection and durability primitives.

That's the lesson. Two takeaways: an unversioned critical bucket means the honest answer to "can we recover from an accidental delete?" is no, and versioning is a per-bucket tiering decision because the cost — while small — compounds if left ungoverned. The leadership question is whether every bucket holding irreplaceable data is protected with a defined recovery window, exceptions are documented, and the cost is bounded by a lifecycle policy — not whether the finding count is zero.

Back to the library

Part of the learning path Build in resilience

Enable S3 versioning on critical buckets

S3 versioning: the basics

Versioning is one-way

Enabling versioning in action

Versioning under the hooddeep dive

What is the impact of running unversioned?

How do you enable versioning safely?

1. Inventory and triage which buckets need it

2. Enable versioning + a noncurrent-version lifecycle in the same change

3. For ransomware-grade protection, layer Object Lock

4. Prevent recurrence with AWS Config and SCPs

Quick quiz

Keep learning

S3 versioning: what it costs and what it buys

Versioning is one-way

How a finance partner frames the versioning decision

What running unversioned actually costs — and the model for fixing it

How finance makes S3 versioning a governed spend decision

1. Require a tiering decision before any enablement

2. Approve versioning only when paired with a lifecycle window

3. Track the cost of intentional exceptions

4. Flag versioning suspension as a cost and risk alert

Quick quiz

Keep learning

S3 versioning: the headline

Versioning is one-way

What it looks like when the organisation gets this right

Why this appears on the risk register

The leadership posture on S3 versioning

1. Set a default: critical data buckets are versioned

2. Accept intentional exceptions for replaceable data

3. Require that lifecycle windows are set alongside versioning

4. Ask for the recovery posture, not the finding count

Quick quiz

Keep learning

Related site reliability lessons