Versioning enabled for buckets holding important data
Demonstrate that versioning is enabled and actively functioning on all storage buckets containing important data, and that version retention meets recovery and forensic requirements.
Description
What this control does
This control requires that object versioning be enabled on cloud storage buckets (e.g., AWS S3, Azure Blob Storage, Google Cloud Storage) containing data classified as important, sensitive, or business-critical. With versioning on, an overwrite creates a new version of the object instead of replacing it, and an ordinary delete hides the object rather than destroying it (in S3, a delete request without a version ID only inserts a delete marker), so a complete history of changes is retained. This provides both data recoverability from accidental or malicious modifications and forensic evidence of unauthorized changes, serving as a safeguard against data corruption, insider threats, and ransomware attacks that attempt to encrypt or delete production data. Versioning by itself does not stop a principal who can delete specific versions (for example with s3:DeleteObjectVersion) or suspend versioning from destroying that history, so the retention period should be enforced by lifecycle rules that keep noncurrent versions for the required time and, for the most critical data, by an immutability control such as S3 Object Lock or MFA Delete, Azure immutability policies, or a Cloud Storage bucket retention policy.
Control objective
What auditing this proves
Auditing this control proves that versioning is enabled and actively functioning on every bucket that holds important data, that prior versions are retained for a period that satisfies recovery and forensic requirements, and that those prior versions can in fact be restored.
Associated risks
Risks this control addresses
- Permanent data loss from accidental overwrite or deletion by authorized users without a recovery mechanism
- Ransomware or destructive malware encrypting or deleting production objects with no ability to restore clean versions
- Insider threat actors deliberately corrupting or deleting critical business data to cause operational disruption
- Application bugs or failed deployments overwriting production data with corrupted or incomplete content
- Inability to perform forensic investigation or root cause analysis after unauthorized data modification events
- Compliance violations for data retention or auditability requirements in regulated industries
- Supply chain attacks targeting deployment pipelines that inject malicious content into stored objects
Testing procedure
How an auditor verifies this control
- Obtain the organization's data classification policy and identify buckets designated as holding important, sensitive, or business-critical data.
- Generate a complete inventory of all storage buckets across all cloud platforms and accounts in scope, including bucket names, cloud provider, and account identifiers.
- For each bucket identified as holding important data, query the versioning configuration status via cloud provider console, CLI, or API.
- Document which buckets have versioning enabled, suspended, or never enabled, and compare against the list of buckets required to have versioning per policy. Treat "suspended" as a finding rather than a pass: a bucket that was enabled and later suspended keeps the versions it already holds but stops creating new ones.
- Select a sample of versioned buckets and examine version history for at least five objects to confirm multiple versions are being retained and timestamped correctly.
- Review lifecycle policies and retention rules to verify that versioned objects are retained for a duration consistent with recovery and compliance requirements.
- Test recoverability by simulating a restore operation: identify a previously modified or deleted object, retrieve a prior version by its explicit version ID, and verify that it can be made current again (by copying that version over the key or, for a deleted object, removing the delete marker).
- Examine monitoring and alerting configurations to confirm that versioning status changes or suspension events (for example an AWS CloudTrail PutBucketVersioning event whose VersioningConfiguration Status is Suspended, or the equivalent audit log event on other providers) generate security alerts to appropriate personnel.
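The following Python script is an added example, not part of this control page or any provider tooling, showing how the checks in the procedure above can be automated against the response shapes of boto3's get_bucket_versioning, get_bucket_lifecycle_configuration and list_object_versions calls and CloudTrail records, so the same functions can be pointed at live API output. Everything in it is constructed for illustration: the bucket names, the 90-day retention floor, the placeholder version IDs, the AWS documentation account ID, and the choice to report a missing MFA Delete setting as a finding (an organization that relies on Object Lock instead would swap that check).

```python
"""Offline audit helpers for the procedure above (added example, not the page's own code).

Inputs mirror boto3's get_bucket_versioning / get_bucket_lifecycle_configuration /
list_object_versions responses and CloudTrail records. All sample data is constructed.
"""
from datetime import datetime, timezone

REQUIRED_VERSIONED = {"finance-ledger", "customer-exports", "backups-prod"}  # assumed policy scope
MIN_NONCURRENT_DAYS = 90  # assumed retention floor for prior versions

# get_bucket_versioning(): a never-enabled bucket returns no 'Status' key at all;
# 'Suspended' keeps existing versions but stops creating new ones.
VERSIONING = {
    "finance-ledger":   {"Status": "Enabled", "MFADelete": "Enabled"},
    "customer-exports": {"Status": "Suspended", "MFADelete": "Disabled"},
    "backups-prod":     {},
    "public-assets":    {"Status": "Enabled"},  # outside policy scope, ignored
}

# get_bucket_lifecycle_configuration(): buckets without rules are simply absent.
LIFECYCLE = {
    "finance-ledger":   {"Rules": [{"ID": "keep-a-year", "Status": "Enabled", "Filter": {},
                                    "NoncurrentVersionExpiration": {"NoncurrentDays": 365}}]},
    "customer-exports": {"Rules": [{"ID": "purge-fast", "Status": "Enabled", "Filter": {},
                                    "NoncurrentVersionExpiration": {"NoncurrentDays": 7}}]},
}

def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# list_object_versions(): version IDs are placeholders (real ones are opaque strings).
LISTING = {
    "Versions": [
        {"Key": "ledger/2024-q1.csv", "VersionId": "v3", "IsLatest": True,  "LastModified": _ts(2024, 4, 2)},
        {"Key": "ledger/2024-q1.csv", "VersionId": "v2", "IsLatest": False, "LastModified": _ts(2024, 3, 1)},
        {"Key": "ledger/deleted.csv", "VersionId": "d1", "IsLatest": False, "LastModified": _ts(2024, 2, 1)},
    ],
    "DeleteMarkers": [
        {"Key": "ledger/deleted.csv", "VersionId": "m1", "IsLatest": True, "LastModified": _ts(2024, 5, 1)},
    ],
}

# CloudTrail records trimmed to the fields read below; the account ID is the AWS documentation placeholder.
CLOUDTRAIL = [
    {"eventName": "PutBucketVersioning", "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"bucketName": "customer-exports", "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventName": "PutBucketVersioning", "eventTime": "2024-05-01T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"bucketName": "backups-prod", "VersioningConfiguration": {"Status": "Enabled"}}},
]

def versioning_findings(policy_buckets, statuses):
    """Map each in-scope bucket to its issue; compliant buckets are absent."""
    findings = {}
    for bucket in sorted(policy_buckets):
        cfg = statuses.get(bucket, {})
        status = cfg.get("Status", "NeverEnabled")
        if status != "Enabled":
            findings[bucket] = f"versioning {status}"
        elif cfg.get("MFADelete") != "Enabled":
            findings[bucket] = "MFA Delete off"  # plain credentials can still purge specific version IDs
    return findings

def noncurrent_retention_days(lifecycle):
    """Shortest NoncurrentDays among enabled rules; None when no rule expires old versions."""
    days = [r["NoncurrentVersionExpiration"]["NoncurrentDays"] for r in lifecycle.get("Rules", [])
            if r.get("Status") == "Enabled" and "NoncurrentVersionExpiration" in r]
    return min(days) if days else None

def retention_findings(policy_buckets, lifecycles, min_days):
    """Buckets whose lifecycle purges prior versions sooner than the policy floor."""
    days = {b: noncurrent_retention_days(lifecycles.get(b, {})) for b in policy_buckets}
    return {b: d for b, d in sorted(days.items()) if d is not None and d < min_days}

def recoverable_version(listing, key):
    """VersionId to restore for `key`: the newest real version when the current entry is a
    delete marker, otherwise the newest non-current version; None when none exists."""
    versions = sorted((v for v in listing.get("Versions", []) if v["Key"] == key),
                      key=lambda v: v["LastModified"], reverse=True)
    deleted = any(m["IsLatest"] for m in listing.get("DeleteMarkers", []) if m["Key"] == key)
    candidates = versions if deleted else [v for v in versions if not v["IsLatest"]]
    return candidates[0]["VersionId"] if candidates else None

def suspension_events(records):
    """(actor, bucket, time) for each PutBucketVersioning call that set Status=Suspended."""
    hits = []
    for rec in records:
        params = rec.get("requestParameters", {})
        if (rec.get("eventName") == "PutBucketVersioning"
                and params.get("VersioningConfiguration", {}).get("Status") == "Suspended"):
            hits.append((rec["userIdentity"]["arn"], params["bucketName"], rec["eventTime"]))
    return hits

if __name__ == "__main__":
    print("versioning:", versioning_findings(REQUIRED_VERSIONED, VERSIONING))
    print("retention below floor:", retention_findings(REQUIRED_VERSIONED, LIFECYCLE, MIN_NONCURRENT_DAYS))
    print("restore targets:", {k: recoverable_version(LISTING, k) for k in ("ledger/2024-q1.csv", "ledger/deleted.csv")})
    print("suspensions:", suspension_events(CLOUDTRAIL))
```

Against the constructed data the script reports backups-prod as never versioned and customer-exports as suspended, flags customer-exports for purging prior versions after 7 days, picks v2 as the restore target for the overwritten ledger file and d1 for the file hidden behind a delete marker, and attributes the suspension to the deploy-bot principal. A bucket with no NoncurrentVersionExpiration rule is treated as retaining versions indefinitely, which passes the retention check but is worth noting for storage cost.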
Where this control is tested