Site Reliability

Protect S3 buckets with AWS Backup

Versioning alone won't save you from ransomware that deletes versions. Layer AWS Backup or replication on top — and verify recovery.

14 min·10 sections·AWS

Last reviewed 27 May 2026

Unprotected S3 buckets: the basics

Why "11 nines of durability" isn't a backup strategy

S3 advertises 99.999999999% (11 nines) durability — meaning that across enough objects you should statistically lose one every few thousand years. People hear this number and conclude they don't need backups. Durability is not protection. Durability protects against disk failure, bit rot, and AZ loss; it does nothing to protect against the human or attacker who calls DeleteObject on the wrong key.

An "unprotected" bucket is one where there's no recovery path for an unintended deletion or overwrite. Versioning helps — but versions can be deleted too, by anyone with s3:DeleteObjectVersion. Ransomware operators have caught up: a modern S3-targeting attack lists every version of every object and deletes them one by one, leaving a bucket that looks intact in the API but contains nothing recoverable.

Continuity check COV-006 flags buckets with no second layer of protection — no Object Lock, no Cross-Region Replication, no AWS Backup coverage. The finding is LOW severity because not every bucket needs full DR (think build artifacts, generated thumbnails, ephemeral logs). It's a signal to decide, not an alarm to silence.

In this lesson you'll learn why versioning alone doesn't protect an S3 bucket, the three real protection layers (Object Lock, Cross-Region Replication, AWS Backup), how to pick at least two of them for any bucket holding business-critical data, and how to verify the recovery path actually works. You'll see the exact CLI calls to audit coverage across an account and to enable AWS Backup for an existing bucket.

Fun fact

The version-deletion ransomware playbook

In a widely-reported 2023 incident an attacker with a leaked IAM key didn't bother encrypting the victim's S3 bucket — they just enumerated every object version (ListObjectVersions) and called DeleteObjectVersion on each one in a tight loop. Versioning was enabled. MFA Delete was not. The bucket was empty in 4 hours and the only recovery was paying for a third-party backup product the company had luckily turned on a month earlier. Versioning is a speed bump for ransomware, not a wall.

Protecting an S3 bucket in action

Marco runs the data platform at a health-tech company. A continuity scan returns 34 buckets flagged as unprotected — among them sevenc3-patient-exports, a bucket holding nightly exports of de-identified patient data shared with three research partners. Severity is LOW but the bucket name is enough to make him sit up.

He pulls the bucket's current protection posture. Versioning is on, which is something — but Object Lock is off, there's no replication configured, and AWS Backup has never run against it. If someone with s3:Delete* on this bucket got compromised tonight, three months of patient exports would be gone by morning with no recovery path.

He decides on a two-layer plan: enable AWS Backup with a 35-day retention to cover accidental and malicious deletion, and add Cross-Region Replication to a second account for the partners' regulatory audit trail. Object Lock would be a third layer but the bucket is too active for compliance-mode immutability.

First, check what protection (if any) is already on the bucket — versioning, Object Lock, replication, in that order.

$ aws s3api get-bucket-versioning --bucket sevenc3-patient-exports && aws s3api get-object-lock-configuration --bucket sevenc3-patient-exports && aws s3api get-bucket-replication --bucket sevenc3-patient-exports

{

"Status": "Enabled",

"MFADelete": "Disabled"

}

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

An error occurred (ReplicationConfigurationNotFoundError) when calling the GetBucketReplication operation: The replication configuration was not found

# Versioning on, but MFA Delete off, no Object Lock, no replication. Versions are deletable by any compromised key.

Current protection posture for the bucket — versioning is the only layer.

Now start an on-demand AWS Backup job. This validates the backup vault, plan, and IAM role end-to-end before the nightly schedule kicks in.

$ aws backup start-backup-job --backup-vault-name patient-data-vault --resource-arn arn:aws:s3:::sevenc3-patient-exports --iam-role-arn arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole --lifecycle DeleteAfterDays=35

{

"BackupJobId": "E1B2C3D4-5678-90AB-CDEF-1234567890AB",

"RecoveryPointArn": "arn:aws:backup:eu-west-1:123456789012:recovery-point:01234567-89ab-cdef-0123-456789abcdef",

"CreationDate": "2026-05-15T14:22:18.193000+00:00"

}

# Job queued. First full snapshot of a 240 GB bucket — completes in ~2 hours, subsequent runs are incremental.

Kicked off the first AWS Backup job — it's now independent of S3 versioning and lives in the backup vault.

S3 protection layers under the hooddeep dive

AWS Backup for S3 (GA since early 2023) operates by reading every object version through the S3 API and writing a point-in-time recovery point to a backup vault — a separate S3 storage namespace that lives in the AWS Backup service account, not yours. Because the vault is owned by the Backup service, an attacker with full S3 admin in your account cannot delete its contents directly; they'd need to assume a role with backup:DeleteRecoveryPoint against the vault. Vault Lock takes this further — once locked in compliance mode, even root can't delete.

Object Lock is enforced inside S3 itself at the object-version level. In governance mode an IAM principal with s3:BypassGovernanceRetention can still delete; in compliance mode nothing — not root, not AWS support, not a court order short of the retention period expiring — can delete the object. Compliance mode is genuinely irrevocable, which is why teams default to governance mode and only escalate when a regulator demands it.

Cross-Region Replication is async and version-aware. Every PUT and DELETE on a versioned source bucket replicates to the destination bucket within seconds, including delete markers. Critical detail: a delete on the source replicates as a delete marker by default — if you want the destination to retain the original object even when the source deletes it, set DeleteMarkerReplication: Disabled. That's the configuration that makes CRR a real backup rather than a mirror.

# Audit every bucket in an account for at least one protection layer beyond versioning.
for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  LOCK=$(aws s3api get-object-lock-configuration --bucket "$bucket" 2>/dev/null && echo YES || echo NO)
  REPL=$(aws s3api get-bucket-replication --bucket "$bucket" 2>/dev/null && echo YES || echo NO)
  BACKUP=$(aws backup list-protected-resources --query "Results[?ResourceArn=='arn:aws:s3:::$bucket']" --output text)
  echo "$bucket  lock=$LOCK  repl=$REPL  backup=${BACKUP:-NO}"
done

What is the impact of an unprotected S3 bucket?

The most direct impact is irrecoverable data loss. A junior engineer running a cleanup script with the wrong prefix, a leaked IAM key used by a ransomware crew, or a misconfigured Lambda that wipes the bucket on a deploy rollback — all of these end the same way if the only protection is versioning that the same caller can also delete. Recovery time is hours to weeks of engineering work reconstructing from upstream sources (if those even exist).

The second-order impact is regulatory. HIPAA, GDPR, SOC 2, and PCI DSS all require demonstrable backup and recovery procedures for regulated data. A patient-data bucket with no point-in-time recovery is an audit finding the moment a regulator asks the question — and the audit cost dwarfs the backup cost.

The third-order impact is decision paralysis under pressure. When a deletion incident happens at 3am, the team that has AWS Backup configured runs one restore command and goes back to sleep. The team that has only versioning spends the night reading docs about --list-object-versions and writing recovery scripts in a state where mistakes are most expensive.

On the cost side, AWS Backup for S3 isn't free — it's roughly $0.05 per GB-month of backup storage plus per-object request charges. A 1 TB bucket with 10 million objects costs about $50/month for the storage and another $30 or so for the monthly snapshot requests. Compared to the cost of the incident it prevents (legal fees, breach disclosure, churn), this is a rounding error. Compared to the cost of every bucket being backed up indiscriminately, it's a real number — which is why coverage decisions should be data-class-driven, not blanket.

How do you protect S3 buckets properly?

Bucket protection is a four-step loop. Skip any step and either you're paying for backups of buckets that don't need them, or you'll find out which buckets needed protection during an incident.

1. Classify every bucket by data class

Tag each bucket with a data classification — regulated, business-critical, operational, ephemeral. Build artifacts and transient CDN caches are ephemeral; nightly patient exports and customer-facing assets are regulated or business-critical. Only the top two tiers need a second protection layer; the bottom two can rely on versioning or nothing at all. Without this step every coverage decision is ad-hoc and you'll over-protect cheap data and under-protect expensive data.

2. Pick the right protection mix per tier

Regulated data: AWS Backup with Vault Lock plus CRR to a second account. Business-critical data: AWS Backup with 35-day retention plus versioning + MFA Delete. Operational data: versioning with lifecycle rules to Glacier on non-current versions. Use Object Lock in compliance mode only when a regulator specifically requires write-once retention — it's genuinely irrevocable, including by you. Mixing layers matters more than picking the "best" one.

3. Verify recovery, not just backup

A backup you've never restored from is a hypothesis, not a backup. At least quarterly, restore one recovery point from each Backup plan to a scratch bucket and diff a sample of objects against the source. AWS Backup's start-restore-job makes this a single CLI call. Restoration is the part most likely to surprise you — IAM permissions on the destination bucket, KMS key access, and lifecycle rules on the restored objects are all places things go wrong silently.

4. Prevent unprotected buckets from being created

Add an AWS Config rule (s3-bucket-versioning-enabled and a custom rule for AWS Backup coverage) that flags any new bucket within minutes. For prevention, an SCP at the org level can deny s3:CreateBucket calls that aren't accompanied by an immediate Backup plan tag. Most teams find the Config-rule alert is enough — production buckets stay covered, dev buckets get a 24-hour grace period, and the policy stays out of the engineer's way.

# Enable AWS Backup coverage for a bucket and verify the recovery path on the same day.
aws backup start-backup-job \
  --backup-vault-name patient-data-vault \
  --resource-arn arn:aws:s3:::sevenc3-patient-exports \
  --iam-role-arn arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole \
  --lifecycle DeleteAfterDays=35

# Once the first recovery point exists, restore it to a scratch bucket to prove the path works.
aws backup start-restore-job \
  --recovery-point-arn arn:aws:backup:eu-west-1:123456789012:recovery-point:01234567-89ab-cdef-0123-456789abcdef \
  --iam-role-arn arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole \
  --metadata DestinationBucketName=sevenc3-restore-scratch \
  --resource-type S3

Quick quiz

Question 1 of 5

Your bucket has versioning enabled. An attacker with a leaked IAM key holding s3:Delete* runs a script that calls DeleteObjectVersion on every version of every object. What actually saves you?

Keep learning

Dig deeper into S3 data protection patterns and the AWS Backup integration.

You've completed Protect S3 buckets with AWS Backup. You now know why versioning alone is a speed bump rather than a defence, how to combine AWS Backup, Object Lock, and Cross-Region Replication into a layered strategy that matches each bucket's data class, and how to verify the recovery path actually works before you need it. The next time a continuity scan flags an unprotected bucket, you'll have a four-step loop ready to run — classify, layer, verify, prevent.

Back to the library

Unprotected S3 buckets: what it costs and what it's covering

11 nines of durability is a hardware guarantee, not a line item in your insurance policy

S3's famous 11-nines durability statistic is about disk hardware. It says the platform won't silently lose your data to a failed drive. It says nothing about what happens when an IAM key with delete permissions is compromised, or when a Lambda function running a cleanup job gets a regex wrong. Those aren't hardware failures — they're permission events, and they're fully covered by the durability guarantee because the deletion happened exactly as requested.

The cost picture for S3 data loss is almost always dominated by labour and liability, not recovery infrastructure. A bucket holding regulated customer data that gets wiped has a reconstruction cost measured in engineering weeks (if upstream sources even exist), a breach notification cost that starts at legal fees and ends with churn, and a potential regulatory fine that dwarfs both. AWS Backup for S3 runs roughly $0.05 per GB-month for backup storage. For a 1 TB business-critical bucket that's about $50 per month — pennies against the exposure.

COV-006 is flagging buckets where no second protection layer exists. Finance's job here isn't to mandate coverage everywhere — it's to ensure the spend on backup storage is allocated to the data that actually justifies it, and that buckets holding regulated or revenue-critical data are never left in the unprotected column because nobody got around to deciding.

This lesson is for the finance partner who wants to understand what backup spend on S3 actually buys, how to model the cost of coverage against the cost of the incident it prevents, and how to make data classification drive protection decisions rather than leaving coverage gaps by default. No CLI knowledge needed — you'll leave with a tiering framework, a cost model for AWS Backup, and the four finance levers that keep both protection and spend defensible at audit.

Fun fact

The version-deletion ransomware playbook

How a finance partner sizes up the S3 backup decision

Priya is the finance business partner on call for the data platform team. The month-end continuity report lands and 34 buckets are flagged as unprotected. Rather than escalate all 34 as a security emergency, she asks the tiering question first: how many of these buckets hold data that would cost the company real money to lose?

Working with the platform lead, she groups the 34 into four data classes. Twelve are ephemeral — build caches, CDN thumbs, transient logs. Sixteen are operational — team-internal reports and tooling artifacts that could be regenerated from source in a day. Five are business-critical — customer-facing static assets and financial exports. One is regulated: sevenc3-patient-exports, nightly de-identified data shared with research partners under a BAA.

Her cost model takes ten minutes. The regulated bucket is 240 GB and growing; at $0.05/GB-month for backup storage plus request charges, AWS Backup with a 35-day retention runs roughly $15–20 per month. CRR to a second account adds another $6 in replication transfer. Total: under $30/month. Versus the cost of a breach notification on a patient data bucket — legal fees alone start at $50,000. She approves the spend on the spot and documents the decision for the cost review: regulated and business-critical buckets carry explicit backup cost; the other 28 are single-layer by design with a recorded reason.

The financial exposure of an unprotected S3 bucket

The unit economics of S3 backup are unusually favourable — the cost of not protecting a bucket is almost always orders of magnitude larger than the cost of protecting it. AWS Backup for S3 runs about $0.05 per GB-month of backup storage plus request charges per snapshot. A 500 GB regulated bucket protected with a 35-day backup plan costs roughly $25–35 per month all in. That is the full, predictable insurance premium.

On the other side of the ledger, a deletion incident against a regulated bucket has a cost floor that begins with breach counsel ($25,000–$100,000 to assess and notify), rises with regulator involvement (HIPAA penalties range from $100 to $50,000 per record per violation), and peaks with customer churn. For any bucket holding data subject to HIPAA, GDPR, or PCI DSS, the math tips decisively in one direction: backup spend is not a nice-to-have.

The finance lever is to make data class the input, not bucket count. Blanket coverage of all S3 buckets in an account is waste — build caches and ephemeral logs don't need $0.05/GB/month backup storage. But regulated and business-critical buckets must be covered, and the finance contribution is to make sure the protection cost for those buckets is a budget line, not a surprise — and that the absence of a budget line for a regulated bucket is itself flagged as a risk.

The right metric for cost reviews is not "total S3 backup spend" but "percentage of regulated and business-critical buckets with funded backup coverage." A hundred percent on that metric, with every uncovered bucket in a lower tier by documented decision, is the financially defensible posture.

What finance can drive on S3 bucket protection

Finance can't enable AWS Backup via the console, but it owns the classification policy and the cost model that make protection decisions consistent rather than ad-hoc. Four levers, used at the monthly cloud review.

1. Anchor the tier policy in the budget

Agree with engineering that regulated and business-critical buckets are budgeted with their backup cost included — $0.05/GB-month for AWS Backup storage plus CRR transfer for regulated data. That makes protection a planned line item, not a cost that appears when someone finally enables backup and next month's bill goes up unexpectedly. It also creates a forcing function: any regulated bucket without a backup line in the budget is a coverage gap, visible before an incident rather than after.

2. Track coverage by data class, not bucket count

The metric that matters is the percentage of regulated and business-critical buckets with active backup coverage, confirmed by a successful restore test in the last 90 days. Total bucket count and total backup spend are supporting numbers; the primary signal is whether the data that costs the most to lose is covered. Ephemeral and operational buckets being uncovered is expected and cost-appropriate — report them separately so they don't inflate the risk headline.

3. Require documented decisions for every uncovered bucket

Any bucket not covered by an AWS Backup plan should carry a data-class tag and a recorded rationale — either "ephemeral, no backup needed" or "business-critical, ticket open, owner: [name]." A silent absence of coverage is an unmanaged risk; a recorded decision to leave a low-value bucket unprotected is a managed one. Finance should push back when the second category contains buckets with names like patient-exports or financial-records.

4. Model backup spend against incident exposure annually

Once a year, run a simple expected-value comparison: total annual backup spend across regulated and business-critical buckets against the estimated cost of a single data-loss incident on the highest-value bucket (legal fees, breach notification, engineering reconstruction time, regulatory fine exposure). For almost every organization, the backup spend is a rounding error against the incident exposure, making this the easiest insurance premium to defend in a cost review.

Quick quiz

Question 1 of 5

A continuity scan flags 22 S3 buckets as unprotected. Eight are regulated data buckets totalling 800 GB; fourteen are build-cache and CDN thumbnail buckets. As the finance partner, what is the right spend decision?

Keep learning

Dig deeper into S3 data protection patterns and the AWS Backup integration.

You've finished the finance partner's view of S3 bucket protection. You know that AWS Backup storage runs about $0.05/GB-month, why the backup premium on regulated data is the cheapest insurance line on the cloud bill, and the four levers — tier-based budgeting, coverage-rate tracking by data class, documented decisions for every unprotected bucket, and an annual expected-value model — that keep both the protection and the spend defensible. Next time 34 unprotected buckets appear on the continuity report, you'll have the classification question ready before the cost conversation starts.

Back to the library

Unprotected S3 buckets: the governance gap

"Highly durable" and "recoverable after a human error or attack" are not the same promise

Amazon S3 is marketed on durability — the platform almost never loses data to hardware failure. What it doesn't protect against is an authorized deletion. A compromised credential, a misconfigured automation, or a developer running the wrong script can empty a bucket in minutes, and S3's durability guarantee will confirm that every delete completed successfully. Versioning slows this down but doesn't stop it: attackers now routinely delete every version in a loop.

COV-006 surfaces which buckets have no second protection layer beyond versioning. The severity is LOW because not every bucket matters equally — build artifacts and log caches can be regenerated. The leadership risk is the buckets it surfaces that should not be in that column: patient data, financial records, customer-facing assets. Those need a deliberate decision — a named protection tier backed by policy — not a default of "nobody checked yet."

The governance question this control raises is whether data classification is driving protection decisions, or whether protection (and its absence) is happening by accident. Organizations that answer this well have a tier list — regulated, business-critical, operational, ephemeral — and a standing rule for each tier. COV-006 findings are the leading indicator that the tier list either doesn't exist or isn't being enforced.

A concise read for the leader who wants to know what this control is measuring and what the one governance question is. You'll get the plain-English distinction between S3 durability and S3 recoverability, why versioning is insufficient, and what a mature data-protection posture looks like: a tier list matched to business value, every bucket in a tier, and protection decisions on the record rather than left to chance. No implementation depth required.

Fun fact

The version-deletion ransomware playbook

What good data-protection governance looks like in practice

At a health-tech company, the CISO came back from a tabletop exercise with one uncomfortable answer: when the facilitator asked "if someone deleted all the data in the patient-export bucket tonight, what's the recovery path?" the answer was "we'd have to reconstruct from upstream sources — maybe 2–3 weeks of engineering work." The bucket had versioning. Nobody had tested whether the deleted versions were recoverable.

The finding that surfaced the gap wasn't a critical-severity alert — it was a LOW-severity continuity finding that had sat unactioned for six weeks because the team assumed versioning was sufficient. The CISO's read was not that the security team had failed; it was that there was no policy connecting data classification to mandatory protection tiers. The bucket held regulated data and nobody had ever said that regulated data requires at minimum AWS Backup plus a second-account copy.

After putting that tier policy in writing, the resolution took one sprint: the regulated bucket got AWS Backup with Vault Lock and cross-region replication in the second account; five business-critical buckets got AWS Backup with 35-day retention; the rest were classified and documented. The governance outcome was a clear answer to the CISO's tabletop question — and a standing rule so the next bucket created in that class couldn't skip coverage by accident.

Why unprotected S3 buckets are a governance finding, not just a technical one

The organizational risk of an unprotected bucket containing regulated data is not primarily technical — it's liability. HIPAA, GDPR, SOC 2, and PCI DSS all require demonstrable data backup and recovery procedures. A patient-data bucket with no point-in-time recovery path fails that requirement the moment a regulator or auditor asks. The question isn't whether the engineering team knows how to fix it; it's whether the organization had a policy that required it in the first place.

COV-006 is a signal about process maturity, not just technical gap. When this finding surfaces on a bucket holding regulated data, the root cause is almost never "nobody knew how to enable backup." It's that data classification didn't drive a mandatory protection policy, or the policy existed but wasn't enforced as new buckets were created. Both are governance failures, and both are invisible until something goes wrong.

The executive framing is about the strength of the decision record. When an auditor or a post-incident reviewer asks "why wasn't this bucket backed up?", there should be one of two answers: "it was, here's the backup plan" or "it was explicitly classified as ephemeral and single-layer by design, with sign-off on that date." An unprotected regulated bucket that nobody classified and nobody approved is the answer that produces the fine.

The leadership lever on S3 data protection

The executive action on this control isn't a technical one — it's writing down the tier policy that makes protection decisions automatic rather than case-by-case.

1. Publish a data classification tier with mandatory protection per tier

The organization needs a short, enforced list: regulated data requires AWS Backup plus a second-account copy; business-critical data requires AWS Backup with tested restore; operational data requires versioning; ephemeral data requires nothing. With that policy written and signed off, every new bucket created has a mandatory protection level from day one, and COV-006 findings become evidence that the policy is working — or evidence that it's being bypassed, which is its own conversation.

2. Make recovery testing a tracked commitment, not an assumption

A backup that has never been restored from is a hypothesis. The leadership commitment is quarterly restore testing against each Backup plan, with a pass/fail result that goes into the continuity review alongside the coverage percentage. This matters because the failure mode people discover at 3am — IAM permissions wrong on the destination bucket, KMS key not accessible, lifecycle rules eating the restored objects — are all invisible until the restore is actually run.

3. Ask for the coverage rate on regulated and business-critical buckets

The one question for the leadership review: what percentage of regulated and business-critical S3 buckets have active, tested backup coverage, with every gap either resolved or carrying a documented justification and owner? A consistent answer above 95% means data protection is governed by policy. Anything below that with no improvement trend is a signal that the classification tier isn't being enforced.

Quick quiz

Question 1 of 5

Your CISO reports that 100% of regulated S3 buckets have AWS Backup coverage, but restore testing has never been run on any of them. What is the right read?

Keep learning

Dig deeper into S3 data protection patterns and the AWS Backup integration.

That's the lesson. Two things to take away: versioning is not a backup — a compromised key can delete every version, and S3's durability guarantee will confirm every delete was a success. And protection that hasn't been tested isn't protection — it's a hypothesis. The leadership contribution is a written data classification tier, mandatory protection at each tier, and quarterly restore testing on the record. When those three are in place, COV-006 findings stop being surprises and start being evidence that the policy is working.

Back to the library

Part of the learning path Build in resilience

Protect S3 buckets with AWS Backup

Unprotected S3 buckets: the basics

The version-deletion ransomware playbook

Protecting an S3 bucket in action

S3 protection layers under the hooddeep dive

What is the impact of an unprotected S3 bucket?

How do you protect S3 buckets properly?

1. Classify every bucket by data class

2. Pick the right protection mix per tier

3. Verify recovery, not just backup

4. Prevent unprotected buckets from being created

Quick quiz

Keep learning

Unprotected S3 buckets: what it costs and what it's covering

The version-deletion ransomware playbook

How a finance partner sizes up the S3 backup decision

The financial exposure of an unprotected S3 bucket

What finance can drive on S3 bucket protection

1. Anchor the tier policy in the budget

2. Track coverage by data class, not bucket count

3. Require documented decisions for every uncovered bucket

4. Model backup spend against incident exposure annually

Quick quiz

Keep learning

Unprotected S3 buckets: the governance gap

The version-deletion ransomware playbook

What good data-protection governance looks like in practice

Why unprotected S3 buckets are a governance finding, not just a technical one

The leadership lever on S3 data protection

1. Publish a data classification tier with mandatory protection per tier

2. Make recovery testing a tracked commitment, not an assumption

3. Ask for the coverage rate on regulated and business-critical buckets

Quick quiz

Keep learning

Related site reliability lessons