S3 Versioning enabled
Description
S3 buckets have versioning enabled.
⚠️ Risk Impact
Without versioning, accidental or malicious deletes are permanent. Ransomware can encrypt objects and delete the originals; with versioning, the prior object versions remain and can be restored.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled
💀 Real-World Attack Scenario
A SaaS company's S3 bucket containing customer files was hit by a script that deleted and overwrote its contents. Without versioning, recovery required customers to re-upload their files. With versioning, recovery would have been trivial.
💰 Cost of Non-Compliance
Data-loss incidents: variable; recovery cost can be $100K-$500K.
📋 Audit Questions
1. Is versioning enabled on critical buckets?
2. Is MFA Delete configured?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
```hcl
resource "aws_s3_bucket_versioning" "main" {
  bucket = aws_s3_bucket.main.id
  versioning_configuration {
    status = "Enabled"
  }
}
```
⚡ Common Pitfalls
- ⛔ Versioning enabled but no MFA Delete
- ⛔ Versioning without a lifecycle rule to expire old versions, so storage costs grow unchecked
- ⛔ Versioning on production buckets but not on backup buckets
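The two audit questions above (versioning enabled, MFA Delete configured) and the first pitfall can be checked from the bucket's versioning configuration. The script below is an added example, not EchelonGraph's scanner code; it evaluates constructed responses shaped like boto3's `get_bucket_versioning()` output, and only the optional `audit_live_account()` helper needs boto3 and AWS credentials.

```python
"""Classify S3 bucket versioning state from get_bucket_versioning responses."""
from typing import Dict, List

# Constructed sample API responses (not real buckets), shaped like
# boto3's s3.get_bucket_versioning() output. A bucket that has never had
# versioning enabled returns no "Status" key at all, and "MFADelete" is
# only present once MFA Delete has ever been configured.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "example-never-versioned": {},
    "example-suspended": {"Status": "Suspended"},
    "example-versioned-no-mfa": {"Status": "Enabled", "MFADelete": "Disabled"},
    "example-versioned-mfa": {"Status": "Enabled", "MFADelete": "Enabled"},
}


def evaluate_versioning(bucket: str, response: dict) -> List[str]:
    """Return audit findings for one bucket; an empty list means it passes."""
    findings: List[str] = []
    status = response.get("Status")  # None, "Enabled" or "Suspended"
    if status != "Enabled":
        # Both "never enabled" and "Suspended" leave new deletes permanent.
        findings.append(
            f"{bucket}: versioning not enabled (status={status or 'never enabled'})"
        )
    # Absent MFADelete means it was never configured, so treat it as Disabled.
    if response.get("MFADelete", "Disabled") != "Enabled":
        findings.append(f"{bucket}: MFA Delete not enabled")
    return findings


def audit(responses: Dict[str, dict]) -> Dict[str, List[str]]:
    """Evaluate a mapping of bucket name -> versioning response."""
    return {name: evaluate_versioning(name, resp) for name, resp in responses.items()}


def audit_live_account() -> Dict[str, List[str]]:
    """Fetch real responses with boto3 using the default credential chain."""
    import boto3  # imported lazily so the offline sample runs without it

    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return audit({n: s3.get_bucket_versioning(Bucket=n) for n in names})


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESPONSES).items():
        print(name, "PASS" if not findings else "; ".join(findings))
```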
📈 Business Value
Versioning is the recovery foundation against accidental and malicious deletes.
⏱️ Effort Estimate
5 minutes per bucket
EchelonGraph audits versioning status
🔗 Cross-Framework References
Automate CIS AWS 2.1.3 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.