S3 – Versioning

Versioning is a method of keeping multiple modifications/versions of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket.

With versioning, you can easily recover from unintended user actions, accidental deletes and application failures.

How Versioning works:

In Windows/Linux, if you try to save or copy a file under a name that already exists, you get a pop-up error saying the file already exists. With versioning, the behaviour is different:

  • If you overwrite an object, it results in a new object version in the bucket. Remember, versioning does not create a separate object/file when you overwrite; it simply preserves the old version underneath the new one, which becomes the current version. You can always restore the previous version.

In versioning-enabled buckets, a GET request retrieves the most recently written (current) version by default. To retrieve an older version, you have to specify the version ID of the object.

  • If you delete an object, instead of removing it permanently, Amazon S3 inserts a delete marker, which becomes the current object version.
  • Each version takes up the full size of its own object. If a 1 GB file is uploaded to an S3 bucket, then the source file is trimmed to 500 MB and re-uploaded with the same name, the 500 MB file becomes the current version of the object and the total stored size is 1.5 GB.
  • Once enabled, versioning can only be suspended; it can't be disabled.
  • Important: You can add extra security for your S3 bucket by combining versioning with multi-factor authentication (MFA).

With respect to versioning, a bucket can be in only one of three states:

  • unversioned (the default)
  • versioning-enabled
  • versioning-suspended

S3 – Encryption

Encryption on any system requires three components:

(1) data to encrypt
(2) a method to encrypt the data using a cryptographic algorithm (AES)
(3) encryption keys to be used in conjunction with the data and the algorithm.


S3 supports encryption of data in transit and at rest.

Data in transit is encrypted using SSL/TLS. For data at rest, you can use one of the options below.

Server Side Encryption

How it works:


SSE-S3 (Server-Side Encryption with keys managed by S3): Amazon handles key management and key protection using multiple layers of security.

In this model, data is encrypted before it is written to disk in Amazon S3. Each object is encrypted with a unique data key. As an additional safeguard, that data key is itself encrypted (producing the encrypted data key) with a periodically rotated master key managed by Amazon S3.


SSE-KMS (Key Management Service): You can use AWS KMS to manage your encryption keys. It provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data.


SSE-C (Customer-provided keys): You can supply your own encryption key when uploading an object to Amazon S3. Amazon S3 uses this key to encrypt your data.

When you retrieve this object from Amazon S3, you must provide the same encryption key in your request. Amazon S3 verifies that the encryption key matches, decrypts the object, and returns the object to you.


Client Side Encryption:

You encrypt the files on your end using your preferred encryption method and then upload the encrypted files to S3.


Scenarios – When to use:

Understanding the given scenario is very important in the exam. You'll be given a scenario for encrypting files and you have to choose the right answer based on the requirements and keywords mentioned.

Amazon handles the encryption/decryption and keys:

SSE-S3 is the right option for this scenario. You needn't worry about encryption/decryption or keys; let AWS handle everything.

You want to manage/take hold of keys:

SSE-C is the right option for this scenario. AWS handles the encryption/decryption, whereas you manage the keys.

You manage your keys and also want to track who is using your key or attempting to decrypt files without your permission:

SSE-KMS is the right option for this scenario. It provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data.

Note: You can’t apply different types of server-side encryption to the same object simultaneously.
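The versioning behaviour (current version, version IDs, delete markers, per-version storage) and the three server-side encryption modes above, as an added example that is not part of the original notes: helper functions that build the boto3 `put_object`/`get_object` parameters for SSE-S3, SSE-KMS and SSE-C and read a key's version history. The bucket name, key name and KMS alias are placeholders; the boto3 client is only used in the `__main__` block, so the parameter logic runs without AWS access.

```python
# Added example (not from the original notes). Assumes boto3 for the live part.
SSE_HEADER = {"SSE-S3": "AES256", "SSE-KMS": "aws:kms"}

def sse_params(mode, kms_key_id=None, customer_key=None):
    """Encryption parameters for put_object for one server-side mode."""
    if mode in SSE_HEADER:
        params = {"ServerSideEncryption": SSE_HEADER[mode]}
        if mode == "SSE-KMS" and kms_key_id:      # omitted -> account default aws/s3 key
            params["SSEKMSKeyId"] = kms_key_id
        return params
    if mode == "SSE-C":
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key; S3 never stores it")
        # boto3 base64-encodes the key and adds the SSECustomerKeyMD5 header itself
        return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": customer_key}
    raise ValueError(f"unknown mode {mode!r}")

def get_params(bucket, key, version_id=None, customer_key=None):
    """get_object parameters: S3 returns the current version unless VersionId is
    given; an SSE-C object must be fetched with the same key it was stored with."""
    params = {"Bucket": bucket, "Key": key}
    if version_id:
        params["VersionId"] = version_id
    if customer_key is not None:
        params.update(sse_params("SSE-C", customer_key=customer_key))
    return params

def version_history(resp, key):
    """Flatten a list_object_versions response for one key, newest first, as
    (VersionId, kind, size, IsLatest). Delete markers carry no data (size 0);
    every real version keeps its own size, so 1 GB then 500 MB stores 1.5 GB."""
    rows = [(v["LastModified"], v["VersionId"], "version", v["Size"], v["IsLatest"])
            for v in resp.get("Versions", []) if v["Key"] == key]
    rows += [(m["LastModified"], m["VersionId"], "delete-marker", 0, m["IsLatest"])
             for m in resp.get("DeleteMarkers", []) if m["Key"] == key]
    return [r[1:] for r in sorted(rows, reverse=True)]

def stored_bytes(history):
    return sum(size for _vid, _kind, size, _latest in history)

if __name__ == "__main__":                        # live usage; needs credentials
    import boto3
    s3, bucket, key = boto3.client("s3"), "example-bucket", "report.csv"  # placeholders
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_object(Bucket=bucket, Key=key, Body=b"v1", **sse_params("SSE-KMS"))
    s3.put_object(Bucket=bucket, Key=key, Body=b"v2", **sse_params("SSE-KMS"))
    s3.delete_object(Bucket=bucket, Key=key)      # inserts a delete marker; v1, v2 remain
    hist = version_history(s3.list_object_versions(Bucket=bucket, Prefix=key), key)
    print(hist, stored_bytes(hist))
    print(s3.get_object(**get_params(bucket, key, version_id=hist[-1][0]))["Body"].read())
```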