By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
For AWS Solutions Architect – Associate (SAA-C03) and Real-World Deployments
You’re a cloud engineer at a fintech startup. Your team just migrated a critical customer document storage system to S3. One day, a junior dev accidentally runs a script that overwrites thousands of files. Panic sets in—until you remember: S3 Versioning was enabled. You restore the files in minutes.
But what if someone maliciously deletes data? Or what if compliance requires an audit trail of every change? That’s where MFA Delete and ACLs come in.
Why this matters in production:- Versioning = Time machine for your data. Without it, accidental deletions or overwrites are permanent.- MFA Delete = A "nuclear launch code" for deletions. Prevents rogue admins or compromised credentials from wiping out buckets.- ACLs = Granular access control (though IAM policies are preferred). Still used in legacy systems and cross-account sharing.
Real-world scenario:You inherit a bucket storing medical records. Compliance requires: 1. No data loss (even from accidents).2. Proof that deletions were authorized (MFA).3. Restricted access (ACLs or IAM policies).
Ignore these, and you risk data loss, compliance violations, or security breaches.
PUT
DELETE
3/L4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo
READ
WRITE
FULL_CONTROL
Prerequisites:- AWS account with admin IAM permissions.- AWS CLI installed (aws --version).- MFA device (virtual or hardware).
aws --version
aws s3api create-bucket --bucket my-secure-bucket-$(date +%s) --region us-east-1 aws s3api put-bucket-versioning --bucket my-secure-bucket-1234567890 --versioning-configuration Status=Enabled
Verify:
aws s3api get-bucket-versioning --bucket my-secure-bucket-1234567890
Expected output:
{ "Status": "Enabled" }
echo "Version 1" > file.txt aws s3 cp file.txt s3://my-secure-bucket-1234567890/ echo "Version 2" > file.txt aws s3 cp file.txt s3://my-secure-bucket-1234567890/
List versions:
aws s3api list-object-versions --bucket my-secure-bucket-1234567890
{ "Versions": [ { "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"", "Size": 10, "StorageClass": "STANDARD", "Key": "file.txt", "VersionId": "null", # First version has no ID "IsLatest": false, "LastModified": "2023-01-01T00:00:00Z" }, { "ETag": "\"d41d8cd98f00b204e9800998ecf8427f\"", "Size": 10, "StorageClass": "STANDARD", "Key": "file.txt", "VersionId": "3/L4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo", "IsLatest": true, "LastModified": "2023-01-01T00:01:00Z" } ] }
Prerequisite: Get your MFA device’s current code (e.g., 123456).
123456
aws s3api put-bucket-versioning \ --bucket my-secure-bucket-1234567890 \ --versioning-configuration Status=Enabled,MFADelete=Enabled \ --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"
{ "Status": "Enabled", "MFADelete": "Enabled" }
aws s3api delete-object --bucket my-secure-bucket-1234567890 --key file.txt
Expected error:
An error occurred (InvalidRequest) when calling the DeleteObject operation: Mfa Authentication must be used for this request
Delete with MFA:
aws s3api delete-object \ --bucket my-secure-bucket-1234567890 \ --key file.txt \ --version-id "3/L4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo" \ --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"
Scenario: Grant READ access to another AWS account (987654321098).
987654321098
aws s3api put-object-acl \ --bucket my-secure-bucket-1234567890 \ --key file.txt \ --acl bucket-owner-full-control \ --grant-read id="987654321098"
aws s3api get-object-acl --bucket my-secure-bucket-1234567890 --key file.txt
{ "Owner": { "DisplayName": "owner-display-name", "ID": "123456789012" }, "Grants": [ { "Grantee": { "Type": "CanonicalUser", "ID": "123456789012" }, "Permission": "FULL_CONTROL" }, { "Grantee": { "Type": "CanonicalUser", "ID": "987654321098" }, "Permission": "READ" } ] }
bash aws s3api put-public-access-block \ --bucket my-secure-bucket-1234567890 \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
json { "Rules": [ { "ID": "MoveOldVersionsToGlacier", "Status": "Enabled", "Filter": {}, "Transitions": [ { "Days": 30, "StorageClass": "GLACIER" } ], "NoncurrentVersionTransitions": [ { "NoncurrentDays": 30, "StorageClass": "GLACIER" } ], "Expiration": { "ExpiredObjectDeleteMarker": true } } ] }
S3 Versioning
bash aws s3api put-bucket-tagging \ --bucket my-secure-bucket-1234567890 \ --tagging 'TagSet=[{Key=Environment,Value=Production},{Key=Owner,Value=Finance}]'
s3:ObjectCreated:*
s3:ObjectRemoved:*
bash aws s3api put-bucket-logging \ --bucket my-secure-bucket-1234567890 \ --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"my-logs-bucket","TargetPrefix":"s3-access-logs/"}}'
403 Forbidden
DeleteObject
s3:GetObject
"A developer accidentally overwrites a file in S3. How do you restore it?" Answer: Use aws s3api list-object-versions to find the old version ID, then aws s3api get-object --version-id.
aws s3api list-object-versions
aws s3api get-object --version-id
MFA Delete:
"A rogue admin deletes objects. How do you prevent this?" Answer: Enable MFA Delete. Requires MFA for DELETE operations.
ACLs vs. IAM:
--grant-read
Enabled
bucket-owner-full-control
"You need to store compliance documents for 7 years with no modifications. Which S3 feature do you use?" Answer: S3 Object Lock in Compliance Mode (WORM protection) + versioning.
Challenge:1. Create a bucket with versioning enabled.2. Upload a file, modify it, then delete it.3. Restore the original version using the CLI.
Solution:
# 1. Create bucket aws s3api create-bucket --bucket my-challenge-bucket --region us-east-1 aws s3api put-bucket-versioning --bucket my-challenge-bucket --versioning-configuration Status=Enabled # 2. Upload/modify/delete echo "Original" > file.txt aws s3 cp file.txt s3://my-challenge-bucket/ echo "Modified" > file.txt aws s3 cp file.txt s3://my-challenge-bucket/ aws s3 rm s3://my-challenge-bucket/file.txt # 3. Restore original version VERSION_ID=$(aws s3api list-object-versions --bucket my-challenge-bucket --query 'Versions[?IsLatest==`false`].VersionId' --output text) aws s3api get-object --bucket my-challenge-bucket --key file.txt --version-id $VERSION_ID restored.txt cat restored.txt # Output: "Original"
Why it works: Versioning preserves all versions, and list-object-versions lets you fetch the original.
list-object-versions
aws s3api put-bucket-versioning
--versioning-configuration Status=Enabled,MFADelete=Enabled
--query
aws s3api delete-object
--version-id
--mfa
aws s3api put-object-acl
--grant-read id="CANONICAL_USER_ID"
GOVERNANCE
COMPLIANCE
NoncurrentVersionTransitions
Final Tip: Bookmark this guide. The next time you’re auditing a bucket or debugging a permissions issue, you’ll thank yourself. ?
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.