Amazon S3

S3 bucket versioning & policies

By Abhinay Durishetty
6 mins read
Bucket Versioning

Imagine you're reading a captivating novel. As you progress through the story, there are crucial plot points or dramatic twists that you want to remember. So, at these pivotal moments, you place a bookmark. As the story unfolds, you might want to revisit a particular event or remind yourself of a character's backstory. Instead of flipping haphazardly through the pages, you simply return to your bookmarked page, finding the exact moment you wanted to recall.

Bucket versioning in Amazon S3 operates much like these bookmarks. Every time you modify or update an object (akin to progressing in the story), a new "bookmark" or version is created. If you ever need to reference a past "chapter" of your data or even revert to it, versioning allows you to easily go back to any of the saved "bookmarks", ensuring you never lose track of your data's narrative.

Just as bookmarks provide the comfort of never losing a significant moment in a story, bucket versioning ensures that every version of your data is preserved and easily accessible.

What is Bucket Versioning?

Bucket versioning is an S3 feature that keeps multiple variants of an object in the same bucket. It provides a mechanism to store all versions of an object, including all writes and deletes.
Key Features
Retains all versions of an object, including all changes.
Guards against accidental deletions and overwrites.
Allows retrieval of any version of an object.
How to Use Versioning?

  • Enabling: Access the bucket's 'Properties' in the S3 Management Console. Under 'Versioning', choose 'Enable'. Remember, once versioning is enabled for a bucket, it cannot be fully turned off, only suspended.

  • Object Retrieval: When you request a versioned object, S3 will provide the latest version. To retrieve a specific version, you need its version ID.

  • Object Deletion: Deleting a versioned object will insert a delete marker, making the object invisible unless a specific version is requested. Deleting a specific version requires its version ID.

  • Cost Implications: Versioning can increase storage costs. S3 will charge for storing multiple versions of an object. It's essential to monitor storage usage and implement lifecycle policies if necessary, to manage costs.
Bucket Policies

Amazon S3 bucket policies provide a centralized, JSON-based policy language to manage permissions for S3 resources. They are primarily used to grant or deny permissions to the operations and resources defined in the policy.

Key Concepts:

  • Resource-Based Policies: Bucket policies are resource-based, meaning they are attached directly to the resource (in this case, the S3 bucket). They define who has access and what actions they can perform.

  • Principal: This specifies who is allowed or denied access. It can be an AWS account, IAM user, IAM role, federated user, AWS service, etc.
Bucket Policy Elements
Specifies the policy language version.
Contains an array of individual statements that define the permissions.
Sid (Optional)
A unique identifier for the statement.
Can be Allow or Deny.
Who the permissions apply to.
The S3 operations
The bucket and/or object(s) the statement applies to.
Condition (Optional)
The conditions under which the statement is in effect.
Example Bucket Policy

Let's say you want to grant read access to an S3 bucket named "my-example-bucket" only to users accessing from specific IP addresses.

In this example,

  • The policy uses the 2012-10-17 version.
  • The Effect is set to Allow.
  • The policy applies to all principals ('*'), meaning anyone.
  • The allowed action is 's3:GetObject', which means reading objects.
  • The policy is applicable to all objects in the "my-example-bucket".
  • The Condition specifies that the source IP address must be from the IP range.

Best Practices

  1. Explicit Deny: If there's a match to a "Deny" in any policy, the request is denied even if there's an "Allow" statement elsewhere.
  2. Regular Audits: Review bucket policies periodically to ensure that they adhere to your security guidelines.
  3. Avoid Broad Permissions: Be cautious with the use of * for principals or actions. Be specific wherever possible.

Amazon S3 bucket policies, with their JSON-based format, offer a precise mechanism to control access to S3 resources.