AWS Storage Blog
Automate Amazon S3 Versioning using AWS Config rules
Different enterprises and organizations have different data compliance requirements and regulations that they must adhere to for legal, security, safety, and best practice reasons. Historically, customers with data in Amazon S3 have manually performed remediation actions on non-compliant buckets. This includes writing and maintaining scripts running on regular intervals to check for non-compliant S3 buckets and to take remediation actions if necessary. As applications mature, the complexity of managing scripts increases in tandem. This task can be time consuming since you must make updates to scripts and maintain its servers.
In this blog, we cover the steps to set up an AWS Config managed rule to identify Amazon S3 buckets that do not have versioning enabled. We also go over implementing AWS Config automatic remediation by using AWS Systems Manager (SSM) Automation documents to configure versioning on the S3 bucket. For more information on how to leverage AWS Config to manage S3 compliance of logging, encryption and read/write access check out this blog post.
Solution service overview
When it comes to compliance, AWS Config allows you to track the configuration of your AWS resources and their relationships to other resources. AWS Config evaluates AWS resources against desired configurations by using AWS Config rules. These rules check whether your resources are compliant by continuously monitoring your AWS resource configurations. AWS Config enables you to author remediation actions using AWS Systems Manager Automation documents and package them together within a conformance pack that is easily deployable across your AWS organization.
S3 versioning is a process of retaining multiple versions of an object in the same Amazon S3 bucket. S3 Versioning preserves every version of each object stored in a bucket. It can be used to protect objects from unintended user actions such as accidental deletion or overwriting. In either case, the previous versions can be restored at any time. This facilitates auditing and compliance for your resources in the S3 bucket.
Prerequisites
- Enable AWS Config by following the instructions here.
- You need an S3 bucket that already exists in order to perform the steps in the tutorial. Follow the instructions here to create an S3 bucket.
Solution tutorial
- Sign in to the AWS Management Console and open the AWS Config console.
- On the left pane, choose Rules and select Add Rule.
- In the search box, type “s3-bucket-versioning-enabled” and select the rule with title s3-bucket-versioning-enabled.
- The console redirects you to the Add AWS managed rule Fill in the Name and the Description for the Rule.
- Set up the appropriate trigger. For more information on setting up the trigger, refer to this documentation.
- In the Parameters section, enter the values for the parameters such as AutomationAssumeRole, BucketName, and VersioningState.
- Under Remediation action, select AWS-ConfigureS3BucketVersioning and select Yes for Auto remediation
- Choose Save and now you can view the s3-bucket-versioning-enabled AWS Config rule.
At this point, the AWS Config rule you set up auto-remediates non-compliant resources. You can check the results on the Rule details page.
After the auto-remediation, you can verify that you enabled versioning by navigating to your Amazon S3 console and checking that you have multiple version IDs for a single object. The following screenshot shows versioning enabled for an S3 bucket:
Cleaning up
If you were following the steps in this blog post for testing purposes, ensure you delete the resources to prevent unwanted charges. This includes deleting your AWS Config rule, as shown by the steps here, and delete S3 Object Versions, as shown here.
Conclusion
In this post, we covered how to automatically enable S3 Versioning on non-compliant Amazon S3 resources using the AWS Config auto remediation feature for AWS Config rules. You can also use AWS Config rules to maintain compliance of other AWS resources using existing SSM documents or custom SSM documents. This solution allows you to automate the standardization of resource configuration by removing the need to write your own management scripts. As your system grows, the automation of resource configuration will prove helpful in reducing overhead to maintain standardized resource configuration.
For pricing details on AWS Config rules, visit the AWS Config pricing page. Thanks for reading this blog post! If you have any comments or questions, please don’t hesitate to leave them in the comments section.