Auto Enable S3 Versioning for new buckets created in your AWS Account.


Why does AWS recommend enabling versioning on your S3 bucket?

Versioning in Amazon S3 is a critical feature that allows users to store multiple versions of an object within a single bucket. This capability provides several benefits, including the ability to recover from accidental deletions, protect against data corruption, and comply with regulatory requirements. With versioning enabled, every write operation on an object generates a new version of that object, which is assigned a unique version ID. This ensures that previous versions of an object are preserved and can be accessed or restored at any time.

Additionally, versioning protects against malicious attacks and human errors, such as overwriting important data or deleting critical files. In summary, versioning in Amazon S3 is essential for data durability, security, and compliance, and should be enabled for any mission-critical or sensitive data stored in the cloud.

How do you enable versioning on your S3 bucket?

To manually enable versioning for an Amazon S3 bucket, follow these steps:

  1. Log in to the AWS Management Console and navigate to the S3 dashboard.
  2. Select the bucket for which you want to enable versioning.
  3. Click on the "Properties" tab in the top right corner of the screen.
  4. Scroll down to the "Versioning" section and click the "Edit" button.
  5. Select the "Enable versioning" option and click "Save."

Now imagine you have many buckets in your account or in a dev environment: enabling versioning on each one by hand is time-consuming and prone to human error, because any bucket that is missed stays unprotected.

Using AWS Lambda with Amazon EventBridge to auto-enable versioning!

Event-driven architecture (EDA) is a software design pattern that enables services and applications to respond to events in a decoupled and asynchronous manner. In EDA, services communicate with each other through events, which are triggered by changes in the system state, user actions, or external inputs.

To remove the manual work of enabling versioning on each bucket, and to make sure buckets are deployed consistently across your environment, this blog post describes how you can combine Lambda with event-driven tools such as EventBridge rules and the S3 API to automatically enable versioning on newly created S3 buckets.

To automatically enable versioning of new S3 buckets created in your AWS account follow these steps:

1. Create a Lambda function using the Python 3.10 runtime with the code below, and name it appropriately for your use case.

```python
import boto3
import json


def lambda_handler(event, context):
    # The EventBridge rule delivers the CloudTrail record of the CreateBucket call;
    # the new bucket's name is in the request parameters of that record.
    bucket_name = event['detail']['requestParameters']['bucketName']

    # Enable versioning on the bucket
    s3 = boto3.client('s3')
    s3.put_bucket_versioning(
        Bucket=bucket_name,
        VersioningConfiguration={
            'Status': 'Enabled'
        }
    )

    # Log a success message (this lands in the function's CloudWatch log group)
    print(f'Bucket versioning enabled for {bucket_name}')

    # Return a success response
    return {
        'statusCode': 200,
        'body': json.dumps('Bucket versioning enabled')
    }
```

2. Modify the Lambda role so the function is allowed to enable versioning on newly created S3 buckets, by attaching the AWS managed policy shown below to your Lambda role.


Please note: as per AWS best practice, always apply the least-privilege access model when granting permissions to your Lambda role; this blog is simply for reference.

3. Create an EventBridge rule with the event pattern below. It matches the CloudTrail record of every CreateBucket API call in the account, so a CloudTrail trail logging management events must be active in the region for the rule to receive anything:

```json
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "source": ["aws.s3"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["CreateBucket"]
  }
}
```


4. Add the Lambda function you created earlier as the target of the rule created in step 3.

5. Go back to your Lambda function, add the EventBridge rule created in step 3 as a trigger for the function, and deploy the function.

6. Create a "Test" bucket in your AWS account; versioning is disabled by default on a new bucket.

7. Once the "Test" bucket has been created, wait about 15 seconds and check whether versioning has been enabled automatically on the new bucket.

8. If the Lambda function succeeded, you will see versioning enabled under the Properties of your new "Test" bucket, along with success messages in the function's CloudWatch logs.
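A hardened variant of the handler, added here as an example and not the post's own code: it skips the CloudTrail records of failed CreateBucket calls (which the rule pattern in step 3 also matches), reads the configuration back to confirm it is really Enabled (the check step 7 does by hand), and adds a one-off sweep for buckets that existed before the rule did. The S3 client is injected so the logic runs offline against the constructed FakeS3 below; in Lambda the real boto3 client is passed in. The names enable_versioning, enable_on_existing, FakeS3 and cloudtrail_event are assumptions, and the sample event is constructed.

```python
import json
ENABLED = {"Status": "Enabled"}

def enable_versioning(event, s3):
    """Handle one EventBridge event; returns the Lambda-style response dict."""
    detail = event.get("detail") or {}
    # Failed CreateBucket calls are logged too (with an errorCode) and match the rule; skip them.
    if detail.get("eventName") != "CreateBucket" or "errorCode" in detail:
        return {"statusCode": 200, "body": json.dumps("ignored")}
    bucket = (detail.get("requestParameters") or {}).get("bucketName")
    if not bucket:
        raise ValueError("event has no requestParameters.bucketName")
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration=ENABLED)
    # Verify rather than trust the call (step 7's manual check); an unconfigured bucket has no Status.
    status = s3.get_bucket_versioning(Bucket=bucket).get("Status")
    if status != "Enabled":
        raise RuntimeError(f"versioning on {bucket} is {status!r}, not Enabled")
    return {"statusCode": 200, "body": json.dumps(f"versioning enabled on {bucket}")}

def enable_on_existing(s3):
    """One-off sweep for buckets created before the rule existed; returns the names fixed."""
    fixed = []
    for name in (b["Name"] for b in s3.list_buckets()["Buckets"]):
        if s3.get_bucket_versioning(Bucket=name).get("Status") != "Enabled":
            s3.put_bucket_versioning(Bucket=name, VersioningConfiguration=ENABLED)
            fixed.append(name)
    return fixed

def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return enable_versioning(event, boto3.client("s3"))

class FakeS3:
    """Constructed stand-in for boto3's S3 client, keeping versioning state in memory."""
    def __init__(self, buckets=()):
        self.versioning = {name: None for name in buckets}
    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.versioning]}
    def get_bucket_versioning(self, Bucket):
        return {"Status": self.versioning[Bucket]} if self.versioning.get(Bucket) else {}
    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.versioning[Bucket] = VersioningConfiguration["Status"]

def cloudtrail_event(bucket, error_code=None):
    """Constructed minimal 'AWS API Call via CloudTrail' event as EventBridge delivers it."""
    detail = {"eventName": "CreateBucket", "requestParameters": {"bucketName": bucket}}
    if error_code:
        detail["errorCode"] = error_code  # e.g. BucketAlreadyExists on a failed call
    return {"detail-type": "AWS API Call via CloudTrail", "source": "aws.s3", "detail": detail}
```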


Conclusion:

In this blog post we used event-driven architecture together with AWS Lambda and the S3 API to turn a manual task, enabling versioning, into an automatic one, while also achieving consistency across all newly created S3 buckets. We also saw how versioning provides several benefits, including the ability to recover from accidental deletions, protect against data corruption, and comply with regulatory requirements.

Follow for more!
