Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS S3 Versioning, MFA Delete, and ACLs: Zero-Fluff Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-s3-versioning-mfa-delete-and-acls-zero-fluff-study-guide

TECH **AWS S3 Versioning, MFA Delete, and ACLs: Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

AWS S3 Versioning, MFA Delete, and ACLs: Zero-Fluff Study Guide

For AWS Solutions Architect – Associate (SAA-C03) and Real-World Deployments


1. What This Is & Why It Matters

You’re a cloud engineer at a fintech startup. Your team just migrated a critical customer document storage system to S3. One day, a junior dev accidentally runs a script that overwrites thousands of files. Panic sets in—until you remember: S3 Versioning was enabled. You restore the files in minutes.

But what if someone maliciously deletes data? Or what if compliance requires an audit trail of every change? That’s where MFA Delete and ACLs come in.

Why this matters in production:
- Versioning = Time machine for your data. Without it, accidental deletions or overwrites are permanent.
- MFA Delete = A "nuclear launch code" for deletions. Prevents rogue admins or compromised credentials from wiping out buckets.
- ACLs = Granular access control (though IAM policies are preferred). Still used in legacy systems and cross-account sharing.

Real-world scenario:
You inherit a bucket storing medical records. Compliance requires: 1. No data loss (even from accidents).
2. Proof that deletions were authorized (MFA).
3. Restricted access (ACLs or IAM policies).

Ignore these, and you risk data loss, compliance violations, or security breaches.


2. Core Concepts & Components


? S3 Versioning

  • Definition: A feature that keeps multiple versions of an object in the same bucket.
  • Production insight: If you don’t enable versioning, a single PUT or DELETE operation is irreversible. Costs increase with version count—use lifecycle policies to archive/delete old versions.

? Version ID

  • Definition: A unique identifier for each version of an object (e.g., 3/L4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo).
  • Production insight: Version IDs are required to restore or delete specific versions. Without them, you’re stuck with the latest version.

? MFA Delete

  • Definition: Requires multi-factor authentication (MFA) to permanently delete an object version or suspend versioning.
  • Production insight: MFA Delete is your last line of defense against accidental/malicious deletions. Enable it for buckets with critical data (e.g., backups, legal documents).

? S3 Access Control Lists (ACLs)

  • Definition: Legacy access control mechanism that grants permissions at the bucket or object level (e.g., READ, WRITE, FULL_CONTROL).
  • Production insight: AWS recommends using IAM policies instead of ACLs for most use cases. ACLs are still used for cross-account access (e.g., granting READ to another AWS account).

? Bucket Owner Enforced (vs. Bucket Owner Preferred)

  • Definition:
  • Bucket Owner Enforced: The bucket owner automatically owns all objects, ignoring ACLs.
  • Bucket Owner Preferred: The bucket owner gets full control, but ACLs can override permissions.
  • Production insight: Use "Bucket Owner Enforced" to simplify permissions and avoid ACL conflicts. "Preferred" is for legacy compatibility.

? S3 Object Lock

  • Definition: WORM (Write Once, Read Many) protection to prevent object deletion/modification for a fixed period.
  • Production insight: Required for compliance (e.g., SEC, HIPAA). Works with versioning—each version is locked.

? S3 Lifecycle Policies

  • Definition: Rules to transition objects to cheaper storage classes (e.g., S3 IA, Glacier) or delete old versions.
  • Production insight: Without lifecycle policies, versioning can bloat storage costs. Example: Move non-current versions to Glacier after 30 days.


3. Step-by-Step Hands-On


Task: Enable Versioning, MFA Delete, and Configure ACLs for a Secure Bucket

Prerequisites:
- AWS account with admin IAM permissions.
- AWS CLI installed (aws --version).
- MFA device (virtual or hardware).


Step 1: Create a Bucket with Versioning

aws s3api create-bucket --bucket my-secure-bucket-$(date +%s) --region us-east-1
aws s3api put-bucket-versioning --bucket my-secure-bucket-1234567890 --versioning-configuration Status=Enabled

Verify:


aws s3api get-bucket-versioning --bucket my-secure-bucket-1234567890

Expected output:


{
  "Status": "Enabled"
}


Step 2: Upload a File and Check Versions

echo "Version 1" > file.txt
aws s3 cp file.txt s3://my-secure-bucket-1234567890/
echo "Version 2" > file.txt
aws s3 cp file.txt s3://my-secure-bucket-1234567890/

List versions:


aws s3api list-object-versions --bucket my-secure-bucket-1234567890

Expected output:


{
  "Versions": [
{
"ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
"Size": 10,
"StorageClass": "STANDARD",
"Key": "file.txt",
"VersionId": "null", # First version has no ID
"IsLatest": false,
"LastModified": "2023-01-01T00:00:00Z"
},
{
"ETag": "\"d41d8cd98f00b204e9800998ecf8427f\"",
"Size": 10,
"StorageClass": "STANDARD",
"Key": "file.txt",
"VersionId": "3/L4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo",
"IsLatest": true,
"LastModified": "2023-01-01T00:01:00Z"
} ] }


Step 3: Enable MFA Delete

Prerequisite: Get your MFA device’s current code (e.g., 123456).


aws s3api put-bucket-versioning \
  --bucket my-secure-bucket-1234567890 \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"

Verify:


aws s3api get-bucket-versioning --bucket my-secure-bucket-1234567890

Expected output:


{
  "Status": "Enabled",
  "MFADelete": "Enabled"
}


Step 4: Test MFA Delete (Try to Delete Without MFA)

aws s3api delete-object --bucket my-secure-bucket-1234567890 --key file.txt

Expected error:


An error occurred (InvalidRequest) when calling the DeleteObject operation: Mfa Authentication must be used for this request

Delete with MFA:


aws s3api delete-object \
  --bucket my-secure-bucket-1234567890 \
  --key file.txt \
  --version-id "3/L4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo" \
  --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"


Step 5: Configure ACLs (Cross-Account Access)

Scenario: Grant READ access to another AWS account (987654321098).


aws s3api put-object-acl \
  --bucket my-secure-bucket-1234567890 \
  --key file.txt \
  --acl bucket-owner-full-control \
  --grant-read id="987654321098"

Verify:


aws s3api get-object-acl --bucket my-secure-bucket-1234567890 --key file.txt

Expected output:


{
  "Owner": {
"DisplayName": "owner-display-name",
"ID": "123456789012" }, "Grants": [
{
"Grantee": {
"Type": "CanonicalUser",
"ID": "123456789012"
},
"Permission": "FULL_CONTROL"
},
{
"Grantee": {
"Type": "CanonicalUser",
"ID": "987654321098"
},
"Permission": "READ"
} ] }


4. ? Production-Ready Best Practices


Security

  • Enable MFA Delete for all buckets with critical data (backups, compliance docs).
  • Use IAM policies instead of ACLs for most use cases (ACLs are legacy).
  • Enable S3 Object Lock for compliance (e.g., SEC 17a-4, HIPAA).
  • Block public access at the account/bucket level: bash aws s3api put-public-access-block \
    --bucket my-secure-bucket-1234567890 \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Cost Optimization

  • Set lifecycle policies to transition old versions to S3 IA/Glacier: json {
    "Rules": [
    {
    "ID": "MoveOldVersionsToGlacier",
    "Status": "Enabled",
    "Filter": {},
    "Transitions": [
    {
    "Days": 30,
    "StorageClass": "GLACIER"
    }
    ],
    "NoncurrentVersionTransitions": [
    {
    "NoncurrentDays": 30,
    "StorageClass": "GLACIER"
    }
    ],
    "Expiration": {
    "ExpiredObjectDeleteMarker": true
    }
    }
    ] }
  • Monitor storage costs with AWS Cost Explorer (filter by S3 Versioning).

Reliability & Maintainability

  • Use "Bucket Owner Enforced" to avoid ACL conflicts.
  • Tag buckets for cost allocation and automation: bash aws s3api put-bucket-tagging \
    --bucket my-secure-bucket-1234567890 \
    --tagging 'TagSet=[{Key=Environment,Value=Production},{Key=Owner,Value=Finance}]'
  • Enable S3 Event Notifications to trigger Lambda on s3:ObjectCreated:* or s3:ObjectRemoved:*.

Observability

  • Enable S3 Server Access Logging to track requests: bash aws s3api put-bucket-logging \
    --bucket my-secure-bucket-1234567890 \
    --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"my-logs-bucket","TargetPrefix":"s3-access-logs/"}}'
  • Monitor 403 Forbidden errors (indicates permission issues).
  • Set CloudWatch Alarms for unusual activity (e.g., DeleteObject spikes).


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Not enabling versioning Accidental PUT/DELETE is permanent. Enable versioning on all critical buckets.
Enabling MFA Delete without MFA Can’t delete objects (even as admin). Ensure MFA is set up before enabling MFA Delete.
Using ACLs instead of IAM policies Overly complex permissions, security gaps. Use IAM policies for most cases; reserve ACLs for cross-account access.
No lifecycle policy on versions Storage costs explode. Set a lifecycle rule to transition/delete old versions (e.g., after 30 days).
Public ACLs on objects Data leaks (e.g., s3:GetObject public). Block public access at the bucket/account level.


6. ? Exam/Certification Focus


Typical Question Patterns

  1. Versioning:
  2. "A developer accidentally overwrites a file in S3. How do you restore it?"
    Answer: Use aws s3api list-object-versions to find the old version ID, then aws s3api get-object --version-id.

  3. MFA Delete:

  4. "A rogue admin deletes objects. How do you prevent this?"
    Answer: Enable MFA Delete. Requires MFA for DELETE operations.

  5. ACLs vs. IAM:

  6. "How do you grant read access to another AWS account?"
    Answer: Use ACLs (--grant-read) or a bucket policy (preferred).

Key Trap Distinctions

Concept Trap
Versioning "Suspend versioning" deletes all versions. Use Enabled instead.
MFA Delete Only works with versioning enabled.
ACLs bucket-owner-full-control is required for cross-account uploads.
Object Lock Requires versioning. Locks all versions (not just the latest).

Scenario-Based Question

"You need to store compliance documents for 7 years with no modifications. Which S3 feature do you use?" Answer: S3 Object Lock in Compliance Mode (WORM protection) + versioning.


7. ? Hands-On Challenge

Challenge:
1. Create a bucket with versioning enabled.
2. Upload a file, modify it, then delete it.
3. Restore the original version using the CLI.

Solution:


# 1. Create bucket
aws s3api create-bucket --bucket my-challenge-bucket --region us-east-1
aws s3api put-bucket-versioning --bucket my-challenge-bucket --versioning-configuration Status=Enabled

# 2. Upload/modify/delete
echo "Original" > file.txt
aws s3 cp file.txt s3://my-challenge-bucket/
echo "Modified" > file.txt
aws s3 cp file.txt s3://my-challenge-bucket/
aws s3 rm s3://my-challenge-bucket/file.txt

# 3. Restore original version
VERSION_ID=$(aws s3api list-object-versions --bucket my-challenge-bucket --query 'Versions[?IsLatest==`false`].VersionId' --output text)
aws s3api get-object --bucket my-challenge-bucket --key file.txt --version-id $VERSION_ID restored.txt
cat restored.txt  # Output: "Original"

Why it works: Versioning preserves all versions, and list-object-versions lets you fetch the original.


8. ? Rapid-Reference Crib Sheet

Command/Concept Key Details
aws s3api put-bucket-versioning --versioning-configuration Status=Enabled,MFADelete=Enabled
aws s3api list-object-versions Lists all versions of an object. Use --query to filter.
aws s3api delete-object Requires --version-id and --mfa if MFA Delete is enabled.
aws s3api put-object-acl --grant-read id="CANONICAL_USER_ID" for cross-account access.
MFA Delete ⚠️ Only works with versioning enabled.
ACLs ⚠️ Legacy; prefer IAM policies.
Object Lock ⚠️ Requires versioning. Use GOVERNANCE or COMPLIANCE mode.
Lifecycle Policy NoncurrentVersionTransitions moves old versions to cheaper storage.
Bucket Owner Enforced ⚠️ Overrides ACLs; use for simplicity.


9. ? Where to Go Next

  1. AWS S3 Versioning Docs
  2. S3 MFA Delete Guide
  3. S3 Object Lock for Compliance
  4. AWS S3 Security Best Practices

Final Tip: Bookmark this guide. The next time you’re auditing a bucket or debugging a permissions issue, you’ll thank yourself. ?



ADVERTISEMENT