Enabling S3 Versioning is not a backup strategy

Andreas Wittig · Updated 02 Mar 2022

Here are three reasons why enabling S3 Versioning is not a backup strategy. Instead, you should consider AWS Backup for S3, which AWS released on February 18th, 2022. AWS Backup lets you control and automate backups centrally. AWS Backup also supports EC2/EBS, EFS, FSx, RDS, DynamoDB, Neptune, DocumentDB, and Storage Gateway.

Use AWS Backup for S3 to avoid data loss!

Do you use S3 Versioning to protect against data loss? Here are three reasons why this is not enough.

Warning: I had issues with backing up and restoring data. Check out my Twitter thread to learn more.

#1 Accidental deletion

So you enabled S3 Versioning for all your buckets. When someone deletes an object, S3 does not delete the data but creates a delete marker for the object. So if you delete an object accidentally, you can recover the data quickly. But what if you accidentally delete not only the object but all of its versions? In this case, something comparable to an offsite backup becomes essential.

Think of AWS Backup as an offsite backup for your data stored on S3.

#2 Malicious deletion

And it can get even worse. What if an attacker tries to delete all data from your AWS account? An attacker could also delete all objects and all of their versions. S3 Versioning does not mitigate the risk of malicious data deletion.

Again, consider AWS Backup for S3 instead. AWS Backup supports vault locks, an effective countermeasure against the malicious deletion of your backup.

#3 Point-In-Time Recovery

Imagine you rolled out a change to the batch job, which processes data stored on S3 every night. Due to a mistake in the code, the batch job corrupts a lot of objects. As you have S3 Versioning enabled, you want to roll back all the objects within a bucket to a specific point-in-time. However, doing so requires a lot of API calls to S3 - ListObjectVersions, GetObject, and PutObject. Recovering to a certain point in time is quite complicated and error-prone.
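To show why the manual rollback is error-prone, here is an added example (not code from the original post) that plans a point-in-time restore from a ListObjectVersions listing. The function name, the action names, and the sample listing are assumptions made for illustration; "delete" means writing a delete marker for a key that did not exist at the target time.

```python
from datetime import datetime, timezone

def plan_point_in_time_restore(versions, delete_markers, restore_to):
    """Plan a rollback of a versioned bucket to `restore_to`.

    `versions` and `delete_markers` are the merged "Versions" and
    "DeleteMarkers" lists from all ListObjectVersions pages.
    Returns {key: (action, version_id)}, action in keep / copy / delete.
    """
    history = {}
    for is_marker, entries in ((False, versions), (True, delete_markers)):
        for e in entries:
            history.setdefault(e["Key"], []).append((e["LastModified"], is_marker, e["VersionId"]))

    plan = {}
    for key, events in history.items():
        # Oldest first. Two writes to one key with equal LastModified are
        # ambiguous in this ordering, one way a real rollback goes wrong.
        events.sort(key=lambda ev: ev[0])
        before = [ev for ev in events if ev[0] <= restore_to]
        _, latest_is_marker, latest_id = events[-1]
        if not before or before[-1][1]:
            # Key did not exist at restore_to: not yet created, or deleted.
            plan[key] = ("keep", None) if latest_is_marker else ("delete", None)
        elif not latest_is_marker and latest_id == before[-1][2]:
            plan[key] = ("keep", latest_id)  # unchanged since restore_to
        else:
            # GetObject with this VersionId, then PutObject, makes it current.
            plan[key] = ("copy", before[-1][2])
    return plan

def hour(h):
    return datetime(2022, 3, 1, h, tzinfo=timezone.utc)

# Constructed sample listing, not output from a real bucket.
SAMPLE_VERSIONS = [
    {"Key": "a.csv", "VersionId": "a1", "LastModified": hour(1)},
    {"Key": "a.csv", "VersionId": "a2", "LastModified": hour(23)},  # corrupted overwrite
    {"Key": "b.csv", "VersionId": "b1", "LastModified": hour(2)},
    {"Key": "c.csv", "VersionId": "c1", "LastModified": hour(22)},  # created after target
    {"Key": "d.csv", "VersionId": "d1", "LastModified": hour(3)},   # untouched
]
SAMPLE_DELETE_MARKERS = [
    {"Key": "b.csv", "VersionId": "b2", "LastModified": hour(23)},  # deleted after target
]

if __name__ == "__main__":
    for key, step in sorted(plan_point_in_time_restore(SAMPLE_VERSIONS, SAMPLE_DELETE_MARKERS, hour(12)).items()):
        print(key, step)
```

Even this plan covers only four cases per key, and it still has to be executed object by object without a failure halfway through.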

AWS Backup for S3 comes with point-in-time recovery for S3 out-of-the-box. Recovering a bucket becomes quite simple.

Unboxing AWS Backup for Amazon S3

I hope I could convince you that AWS Backup for S3 has some advantages over S3 Versioning for backing up data. Check out my unboxing video, including a demo, pricing, and limitations.

Update 2022/03/02: Correction related to AWS Backup for S3: copying backups cross-region and cross-account is currently not supported. The Management Console lets you create a backup job with a copy configuration, but it will fail. The official documentation mentions this limitation.
