What Is S3 versioning in Databases?
On This Page
What do you want to do?
Quick Definition
S3 versioning is like a safety net for your files in the cloud. When you turn it on, every time you upload, change, or delete a file in an S3 bucket, Amazon keeps a copy of the old version. This means you can always go back to an earlier version if you make a mistake, like accidentally deleting a file or saving a bad edit.
Common Commands & Configuration
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=EnabledEnables versioning on the specified S3 bucket. Use this command to turn on versioning for data protection.
Tests the ability to enable versioning using the AWS CLI. The --versioning-configuration parameter with Status=Enabled is required. Note that this command does not require the bucket to be empty.
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=SuspendedSuspends versioning on the bucket. Future uploads will have a null version ID, but existing versions remain. Use this to stop new version accumulation.
The exam emphasizes that versioning cannot be disabled once enabled, only suspended. Suspended state still retains previous versions.
aws s3api list-object-versions --bucket my-bucket --prefix documents/report.pdfLists all versions of objects with the specified prefix, including delete markers. Reveals the version history.
This command is key for finding and deleting specific versions or delete markers. The prefix parameter helps scope the query. Exam questions often ask how to see hidden deleted objects.
aws s3api delete-object --bucket my-bucket --key documents/report.pdf --version-id nullPermanently deletes the specific version with the given version ID. Use this to remove a delete marker or an old version.
Without --version-id, this command creates a delete marker. With --version-id, it permanently deletes that specific version. This distinction is a classic exam trap.
aws s3api delete-object --bucket my-bucket --key documents/report.pdfCreates a delete marker for the object if versioning is enabled. The object is not deleted, only hidden.
Tests understanding that normal delete creates a delete marker, not a permanent deletion. The exam will ask how to recover such an object, remove the delete marker.
aws s3api delete-objects --bucket my-bucket --delete '{"Objects":[{"Key":"doc.pdf","VersionId":"abc123"}]}'Permanently deletes multiple specific versions using version IDs in a batch request.
Useful for bulk cleanup. The exam may test the format of the delete request and that version IDs are required for permanent deletion.
aws s3api get-bucket-versioning --bucket my-bucketReturns the versioning state of the bucket (Enabled, Suspended, or empty if never configured).
Simple but essential for verifying state. The empty response indicates unversioned. This appears in troubleshooting questions.
aws s3api put-bucket-lifecycle-configuration --bucket my-bucket --lifecycle-configuration file://lifecycle.json
# Example lifecycle.json content:
# {
# "Rules": [{
# "Id": "Expire old versions",
# "Status": "Enabled",
# "NoncurrentVersionExpiration": {
# "NoncurrentDays": 30
# }
# }]
# }Configures a lifecycle rule to automatically expire noncurrent versions after 30 days. Helps control versioning costs.
The exam often requires writing or interpreting lifecycle JSON for version expiry. Note the use of NoncurrentVersionExpiration and NoncurrentDays.
Must Know for Exams
S3 versioning is a high-yield topic across several AWS certification exams. In the AWS Certified Cloud Practitioner (CLF-C01/CLF-C02), you need to know what versioning is, that it protects against accidental deletion, and that it can be used with MFA Delete for extra security. Questions are typically scenario-based, asking which feature prevents data loss. You do not need to know the API details, but you must understand the value proposition and the fact that versioning is not enabled by default.
For the AWS Certified Developer – Associate (DVA-C02), versioning topics go deeper. You must understand how version IDs work, how to retrieve specific versions using the S3 API, and how versioning interacts with pre-signed URLs and batch operations. Exam questions often present a scenario where an application updates an object and you need to troubleshoot why old versions are not accessible. You need to know that versioning must be enabled before the object was created to have previous versions. If versioning was enabled later, only objects uploaded after that point have version IDs. Developers also need to know how to list versions and delete specific versions programmatically.
The AWS Certified Solutions Architect – Associate (SAA-C03) exam includes versioning in the context of designing resilient and cost-effective architectures. You will see questions about combining versioning with lifecycle policies to automatically archive old versions to S3 Glacier after a retention period. Scenario questions might ask how to protect against accidental deletion while minimizing storage costs. The correct answer often involves enabling versioning and adding a lifecycle rule to expire noncurrent versions after 30 days. You must also understand that versioning is a prerequisite for S3 Object Lock and cross-region replication.
The AWS Certified Solutions Architect – Professional (SAP-C02) exam expects a comprehensive understanding. You need to know how versioning works with MFA Delete, how to implement policies that require MFA for permanent deletion, and how to use versioning with S3 Batch Operations to restore deleted objects. Professional exam questions might present a multi-account setup with complex lifecycle rules and ask you to troubleshoot why objects are not transitioning as expected. You need to understand the interaction between versioning, lifecycle, and replication.
For the AWS Certified Security – Specialty (SCS-C02), versioning is relevant for compliance and data protection. You must know how to combine versioning with S3 Object Lock to achieve a WORM model. Questions may ask about using MFA Delete to protect against unauthorized permanent deletion. You also need to understand how bucket policies can restrict version-specific actions.
Across all exams, common question patterns include: - A user accidentally deletes an object from a versioned bucket. What is the default behavior? (Answer: S3 adds a delete marker, and the object can be recovered by removing the delete marker.) - A user wants to permanently delete an object from a versioned bucket. What must they do? (Answer: Specify the version ID in the DELETE request.) - How can you control costs when using versioning? (Answer: Use lifecycle policies to expire old versions.) - What is the purpose of MFA Delete? (Answer: To require multi-factor authentication for permanent deletion and suspending versioning.) - Can you disable versioning after enabling it? (Answer: No, you can only suspend it.)
Exam questions often include distractors like 'enable logging,' 'enable encryption,' or 'create a backup.' The key is to remember that versioning is the native AWS feature specifically designed for recovery from accidental deletions and overwrites. Knowing the exact behavior of delete markers and the irreversible nature of enabling versioning will help you eliminate wrong answers quickly.
For Google Cloud and Azure related exams, S3 versioning is not a direct topic, but the concept of object versioning appears in Google Cloud Storage (object versioning) and Azure Blob Storage (soft delete and versioning). Understanding S3 versioning provides a foundation for those similar features. The exam relevance fields in this glossary reflect that but note that for Google and Azure exams this term is 'light_supporting' because the underlying concept translates, but exam questions do not directly test S3 versioning specifics.
Simple Meaning
Imagine you are writing a very important document on your computer. Normally, when you save a new version, the old one is gone forever. If you accidentally delete a paragraph or save over the file with a blank page, you have lost all your earlier work. Now imagine a magic file cabinet that keeps every single version of that document you have ever saved. If you delete the document, the cabinet still has a copy labeled 'deleted.' If you write a new version and save it, the cabinet puts the old one on a shelf with a date stamp. You can always open the cabinet, find the version you want, and pull it out. That is what S3 versioning does for files stored in Amazon S3.
In everyday life, we use similar ideas without thinking. For example, the 'undo' button in a word processor lets you go back a few steps, but it only remembers a short history. Version control in software development, like Git, keeps every change forever so developers can revert to an earlier version of code. S3 versioning is the same concept for files stored in the cloud. It protects you from human errors, software bugs, and even malicious attacks. When you enable versioning on an S3 bucket, Amazon S3 automatically assigns a unique version ID to each object every time you upload it. If you upload a file with the same name twice, you get two versions with different IDs. The latest version is what people see by default, but all previous versions remain accessible.
Versioning also helps with compliance and auditing. Some businesses need to keep records of every change for legal reasons. With versioning, they have a complete history of every file without having to manually copy it each time. Versioning works with lifecycle policies to automatically archive old versions or delete them after a certain time, saving money on storage costs. It also integrates with Multi-Factor Authentication (MFA) Delete, which adds an extra layer of security so that even if someone gains access to your AWS account, they cannot permanently delete a version without a second authentication factor.
A key thing to understand is that versioning is not the default. You must explicitly enable it on a bucket. Once enabled, it cannot be turned off; you can only suspend it. When you suspend versioning, new objects get a null version ID, but all existing versions remain. This is a one-way door concept that exam questions love to test. Also, versioning applies to all objects in the bucket, and you are billed for every version you keep. So if you have a file that you update 100 times, you are paying storage for 100 versions. That is why lifecycle policies are important to clean up old versions.
Finally, versioning is what makes S3 a durable and reliable storage service. It is the foundation for features like S3 Object Lock, replication, and restore from accidental deletion. Without versioning, a single delete command could wipe out data forever. With it, a delete operation just adds a delete marker, which hides the object but does not destroy it. You can always remove the delete marker to restore the object. This makes versioning a must-know concept for anyone working with AWS storage, especially for backup, disaster recovery, and compliance workloads.
Full Technical Definition
Amazon S3 versioning is a bucket-level configuration that preserves every object revision stored in the bucket. When enabled, each object upload generates a new version with a unique version ID. The version ID is a string assigned by S3, or you can specify your own version ID if you use the S3 API with the `x-amz-version-id` header. Versioning is implemented at the bucket level, meaning all objects in that bucket are subject to versioning once enabled. There is no per-object toggle; it is all or nothing for the bucket.
Versioning works by maintaining a set of object versions within the bucket's namespace. The object key (name) remains the same, but each version is stored as a separate entity with its own version ID. When you retrieve an object without specifying a version ID, S3 returns the latest version. To retrieve a specific version, you include the version ID in the GET request. The same applies to DELETE operations: a DELETE request without a version ID adds a delete marker, which becomes the latest version and hides the object. To permanently delete a specific version, you must include its version ID in the DELETE request.
Versioning is closely tied to the S3 data model. S3 stores objects in buckets, which are flat containers. There is no hierarchy; instead, key prefixes simulate a folder structure. Versioning does not change this flat structure but adds a version dimension to each key. Internally, S3 stores each version as a separate data object with its own metadata, including checksums, storage class, and encryption settings. The S3 API supports operations like `ListObjectVersions` to enumerate all versions and delete markers in a bucket. This operation returns metadata for each version, including version ID, last modified date, and whether it is a delete marker.
Versioning integrates with several other AWS services and features. With S3 Lifecycle policies, you can define rules to automatically transition older versions to cheaper storage classes like S3 Standard-IA or S3 Glacier, and eventually expire (delete) them after a specified number of days. For example, you might keep the latest 5 versions and automatically delete versions older than 90 days. This helps control storage costs while retaining protection. Versioning also works with S3 Replication, where you can replicate both current and previous versions to another bucket in a different region or AWS account for redundancy or compliance.
MFA Delete is a critical security feature that requires multi-factor authentication to permanently delete an object version or suspend versioning on a bucket. When MFA Delete is enabled, any operation that would permanently remove a version (including suspending versioning) must include a valid MFA code in the request headers. This prevents even root users from accidentally or maliciously destroying data without the second factor. MFA Delete can only be enabled by the bucket owner (the AWS account that created the bucket) and requires versioning to be turned on first.
One important technical nuance is that versioning cannot be disabled once enabled. You can only suspend it. When you suspend versioning, existing versions remain, but new uploads get a version ID of `null`. This means if you upload an object after suspension, it overwrites any existing `null` version. Suspending versioning does not merge versions or delete old ones; it just stops creating new version IDs. This is a common source of confusion and a frequent exam trap.
Another technical detail is the interaction between versioning and bucket policies. Bucket policies can restrict actions based on version ID. For instance, you can write a policy that denies `s3:DeleteObjectVersion` for version IDs that are older than a certain date. This is useful for compliance scenarios where you must retain all versions for a minimum period. Versioning also affects pre-signed URLs, which can be generated for specific version IDs to grant temporary access to a particular version.
From a performance standpoint, versioning adds minimal overhead. Listing objects in a versioned bucket is slower if you use `ListObjectVersions` because it returns all versions, but typical `ListObjects` calls (which return only the latest version) are unaffected. Storage overhead is linear with the number of versions, so you need to monitor costs. S3 calculates billing based on the total size of all versions. Using Intelligent-Tiering or lifecycle policies can optimize costs by moving older versions to cheaper storage.
Versioning is also fundamental to S3 Object Lock, which enforces a write-once-read-many (WORM) model. Object Lock requires versioning to be enabled, as it relies on version IDs to lock individual versions. Similarly, S3 Batch Operations can work on specific versions, such as restoring archived versions or changing storage classes en masse.
S3 versioning is a durable, bucket-level feature that maintains a complete revision history. It uses version IDs to distinguish between object versions, supports delete markers instead of permanent deletion, and integrates with lifecycle, replication, MFA Delete, and Object Lock. Understanding the immutable nature of versioning (once enabled, cannot be disabled) and the behavior of delete markers is critical for both real-world administration and certification exams.
Real-Life Example
Think of S3 versioning like having a personal librarian for a shared family photo album. The album sits on a table in your living room, and anyone in the family can add photos, remove photos, or write captions on the back. Without versioning, if your younger brother decides to remove your favorite vacation photo and replace it with a drawing of a dinosaur, the old photo is gone forever. The album only shows the dinosaur drawing, and you cannot get the vacation photo back.
Now imagine you hire that librarian. Every time someone touches the album, the librarian takes a snapshot of the entire album before and after the change. When your brother removes the vacation photo, the librarian notes that the removal happened and files the old photo away in a secure drawer. The album now appears to have the dinosaur drawing, but the librarian can instantly pull the vacation photo back out if you ask. Even if your brother accidentally spills juice on a page and destroys it, the librarian has a perfect copy of that page before the spill. Every version is preserved.
The librarian also keeps a log. If your brother tries to permanently tear out a page, the librarian records that as a 'delete action' but quietly stores the page in a protected archive. To actually destroy a page permanently, you would need to show both your ID and a special key (that is MFA Delete). Without that, the deletion is not final; the librarian just marks it as 'hidden.'
This analogy maps directly to S3 versioning. The photo album is your S3 bucket. The photos are objects. The family members are users or applications accessing the bucket. The librarian is the versioning system, which automatically creates a new version ID every time an object is uploaded, changed, or deleted. When a delete occurs, S3 does not actually remove the object; it adds a delete marker, which simply hides the current version. You can think of a delete marker as a sticky note that says 'this is deleted' placed on top of the latest version. The object is still there, just not visible by default.
To retrieve a 'deleted' photo, you ask the librarian (make a GET request with a specific version ID) and get the old version back. The librarian never throws anything away unless you explicitly tell them to delete a specific version ID. If you accidentally upload a photo with a bad edit, the librarian keeps the old version. You can revert by downloading the old version and re-uploading it, or by deleting the current version (which brings the previous one back).
The librarian also helps with storage costs. If the album gets too thick, you might tell the librarian to move old photos to a cheaper storage box (transition to Glacier) after a year, and after ten years, shred them (lifecycle expiration). But until you give those instructions, every version stays exactly as it was. This keeps your data safe but also means you pay for the storage of every version.
In real life, companies use versioning exactly like this. A marketing team might store their logo in an S3 bucket with versioning enabled. If a designer accidentally overwrites the logo with a wrong color, they can restore the previous version in seconds. If a developer accidentally deletes a configuration file, they can recover it without calling IT. If a ransomware attack encrypts files, the company can roll back to clean versions from before the attack. The librarian never forgets.
The key takeaway is that versioning gives you a safety net. It is not automatic; you have to enable it. But once on, it acts as a diligent librarian, silently keeping every draft, every mistake, and every deletion, so you can always go back in time.
Why This Term Matters
S3 versioning matters because data loss is expensive and often preventable. In a cloud environment where multiple users, applications, and automated processes access the same storage, mistakes happen. A developer might accidentally overwrite a critical configuration file during a deployment. A script might have a bug that deletes thousands of objects. A disgruntled employee might try to sabotage data. Without versioning, these events can lead to permanent data loss, downtime, and significant business impact. Versioning provides a simple, cost-effective safety net that allows recovery from accidental deletions or overwrites within seconds. It also supports compliance requirements by keeping an immutable audit trail of all object changes.
From a practical IT perspective, versioning is the foundation for many data protection strategies. AWS itself recommends enabling versioning for any bucket that stores important data, especially those used for backups, logs, or customer content. It integrates with S3 Lifecycle policies to automate the transition of old versions to cheaper storage, balancing data protection with cost. It also works with S3 Replication to copy versions across regions or accounts for disaster recovery. For organizations subject to regulations like HIPAA, GDPR, or SOX, versioning helps meet record-keeping and data retention mandates because it ensures that no data can be permanently deleted without explicit action.
Versioning also enhances security. With MFA Delete, you can prevent any single compromised credential from permanently destroying data. This is crucial for protecting against insider threats or account takeovers. Even if an attacker gains full access to the AWS console, they cannot permanently delete object versions or suspend versioning without the multi-factor authentication token. This extra layer of protection is simple to implement but highly effective.
For IT professionals, understanding versioning is necessary for designing resilient architectures. When you build a system that stores user uploads, logs, or transaction records, you need to plan for failure. Versioning is the easiest way to add a recovery mechanism without writing custom code. It also simplifies backup strategies; instead of building a complex incremental backup system, you can rely on versioning and lifecycle policies to automatically retain and archive data.
Finally, versioning matters because it is a core concept tested in multiple AWS certification exams. The AWS Certified Cloud Practitioner, AWS Certified Developer – Associate, and AWS Certified Solutions Architect – Associate all include questions about versioning behavior, delete markers, MFA Delete, and lifecycle interactions. A deep understanding of versioning can differentiate you from other candidates and prepare you for real-world scenarios where data protection is paramount.
How It Appears in Exam Questions
In AWS certification exams, S3 versioning questions generally fall into three patterns: scenario-based, configuration-based, and troubleshooting.
Scenario-based questions present a business problem and ask you to choose the best AWS feature to solve it. The classic scenario: 'A company stores critical data in S3. An employee accidentally deletes several objects. The company wants the ability to recover deleted objects quickly. What should they enable?' The answer is S3 Versioning. Another common scenario: 'A company needs to keep multiple versions of an object for compliance, but wants to automatically delete versions older than 90 days to save costs.' The correct solution is to enable versioning and configure a lifecycle policy to expire noncurrent versions after 90 days.
Configuration-based questions ask you to identify which settings or steps are required to achieve a goal. For example: 'A developer wants to permanently delete a specific version of an object from a versioned bucket. Which action should they take?' The answer: 'Send a DELETE request specifying the version ID.' Or: 'A security team wants to prevent even the bucket owner from permanently deleting objects without a second authentication factor. What should they enable?' The answer: 'MFA Delete.' Another configuration question: 'A user accidentally suspended versioning on a bucket. What happens to existing versions?' The answer: 'Existing versions remain, and new objects get a null version ID.'
Troubleshooting questions ask you to diagnose why something is not working. For instance: 'An application uploads an object to an S3 bucket every hour. The bucket was created with versioning enabled, but the latest version shows an older file. Why?' The answer could be that a delete marker was added, so the latest version is a delete marker. To fix this, you must delete the delete marker. Or: 'A company enabled versioning and configured a lifecycle rule to delete noncurrent versions after 30 days. After 30 days, the objects are still present. What could be the issue?' The answer might be that the lifecycle rule does not apply to delete markers, or that the object is in a storage class that does not support the transition, or that the bucket has Object Lock enabled which prevents deletion.
Another frequent question type is about the interaction between versioning and other features. For example: 'Can S3 Replication replicate all versions?' Yes, if you configure replication to replicate both current and previous versions. Or: 'What is the effect of using S3 Object Lock on a versioned bucket?' It adds a retention period and legal hold, preventing version deletion.
Multiple-choice questions often have two or three plausible answers. A distractor might be 'Enable S3 bucket logging' or 'Enable Amazon Macie.' The correct answer is always the one that directly prevents data loss from deletion or overwrite, which is versioning. Another common distractor is 'Enable S3 Transfer Acceleration,' which improves speed, not data protection. By recognizing the patterns, you can quickly eliminate wrong answers.
Finally, some questions test your understanding of billing implications: 'A company enables versioning on a bucket with a large file that is updated 1000 times a day. What is a major concern?' The answer is storage costs, because each version consumes space. The solution is to set a lifecycle policy to expire old versions or transition them to cheaper storage.
For higher-level exams like SAP, questions may involve multi-step troubleshooting: 'An administrator cannot delete a specific version of an object. What could be blocking the deletion?' Possible causes: MFA Delete is enabled, Object Lock has a retention period, the bucket policy denies s3:DeleteObjectVersion, or the version is protected by a legal hold. Correct diagnosis requires knowledge of all these features.
Overall, exam questions test your understanding of versioning's default behavior, its limitations (cannot be disabled, only suspended), its integration with lifecycle and MFA Delete, and its role as a foundation for other features like replication and Object Lock. Mastering these points will help you answer versioning questions confidently.
Practise S3 versioning Questions
Test your understanding with exam-style practice questions.
Example Scenario
Acme Corp is a small ecommerce company that stores product images in an S3 bucket called 'acme-product-images.' The bucket does not have versioning enabled. One day, a marketing intern, Sarah, is updating a product image for a best-selling widget. She accidentally uploads a blurry photo over the original high-resolution image. The original is gone. The ecommerce site now shows a blurry image, customers complain, and sales drop. The IT manager restores the image from a backup, but it takes two hours, because the backup was from the previous night and the restore process involves downloading and re-uploading.
After this incident, the IT manager enables versioning on the bucket. Now, every time an image is uploaded, a new version is created. Two weeks later, Sarah accidentally deletes the main product image for another popular item. With versioning, the object is not actually deleted. Instead, S3 adds a delete marker. The product page shows a 404 error. The IT manager sees the delete marker in the S3 console, removes it, and the original image is restored instantly. No backup needed, no downtime.
Later, a developer, John, writes a script to update prices on product images by overwriting the image metadata. The script has a bug that corrupts 50 images. Because versioning is enabled, John can go to the S3 console, select each corrupted object, and use the 'Show versions' toggle to see the previous correct version. He then copies the version ID and restores the good version by downloading it and re-uploading, or by deleting the current bad version. The entire recovery takes ten minutes instead of hours.
Acme Corp also wants to save money on storage. They configure a lifecycle rule that transitions versions older than 30 days to S3 Standard-IA, and deletes versions older than 180 days. This keeps costs low while providing a generous recovery window. The IT manager is happy because they never have to worry about losing product images again. This scenario shows how versioning solves real problems: accidental overwrites, accidental deletions, and data corruption, all while working with lifecycle policies to manage storage costs.
Common Mistakes
Thinking that enabling versioning protects all existing objects in the bucket.
Versioning only applies to objects uploaded after versioning is enabled. Objects that existed before versioning was turned on have a null version ID and are not automatically versioned. If you overwrite or delete those objects, the old version is not preserved unless you re-upload it after enabling versioning.
If you need version protection for existing data, re-upload it after enabling versioning. Or use a lifecycle rule to copy existing objects to a new versioned bucket.
Believing you can disable versioning completely after enabling it.
Versioning cannot be disabled. Once enabled, you can only suspend it. Existing versions remain, and new objects get a null version ID. This is a one-way operation designed to prevent accidental data loss. Many learners assume they can toggle it on and off freely.
Understand that suspending is not the same as disabling. If you want to stop new versions permanently, you must create a new bucket without versioning and migrate your data.
Assuming that deleting an object from a versioned bucket permanently removes it.
By default, a DELETE request on a versioned bucket only adds a delete marker. The object is hidden but not deleted. To permanently delete an object, you must specify the version ID in the DELETE request. Learners often think deletion is irreversible in versioned buckets.
Remember: without a version ID, DELETE creates a delete marker. With a version ID, DELETE permanently removes that specific version. Always check if you need to remove the delete marker to restore the object.
Confusing versioning with backup or snapshot features.
Versioning is not a backup tool itself. It preserves versions of objects within the same bucket, but it does not protect against bucket deletion or regional disasters. Backups typically copy data to a separate bucket or region. Versioning also does not replace the need for a separate backup strategy.
Use versioning for recoverability within a bucket, but combine it with cross-region replication or separate backups for full disaster recovery. Versioning is one layer of protection, not the only one.
Thinking that MFA Delete applies to all delete operations.
MFA Delete only applies to operations that permanently delete a version or suspend versioning. It does not apply to adding delete markers or reading objects. Learners often think MFA Delete protects against accidental deletion of the latest version, but a simple DELETE request (without version ID) still succeeds without MFA.
MFA Delete protects against permanent destruction (version deletion and versioning suspension). For accidental overwrites or deletes, versioning itself provides recovery via delete markers. MFA Delete is an extra security layer, not a requirement for normal versioning use.
Ignoring storage costs of multiple versions.
Each version consumes storage space. If an object is updated frequently and no lifecycle policy is set, costs can skyrocket. Learners often enable versioning and forget to manage old versions, leading to unexpectedly high bills.
Always configure lifecycle rules to transition or expire noncurrent versions after a reasonable period. Monitor storage costs using S3 analytics and adjust lifecycle rules accordingly.
Exam Trap — Don't Get Fooled
{"trap":"You are asked: 'A user wants to permanently delete an object from an S3 bucket that has versioning enabled. What should they do?' The answer choices include 'Send a DELETE request without a version ID' and 'Send a DELETE request with the version ID.'
Many learners choose 'without a version ID' because they think that is the normal delete operation.","why_learners_choose_it":"They confuse the behavior of regular S3 (non-versioned) with versioned S3. In a non-versioned bucket, a simple DELETE permanently removes the object.
They assume the same applies in a versioned bucket. They also forget that in a versioned bucket, a DELETE without a version ID only adds a delete marker, which hides but does not delete the object.","how_to_avoid_it":"Always remember the rule: In a versioned bucket, to permanently delete an object, you must specify the version ID in the DELETE request.
A DELETE without a version ID adds a delete marker. Practice this distinction: 'delete marker vs. permanent deletion.' Whenever you see a question about deleting from a versioned bucket, look for the explicit mention of version ID.
If the question says 'permanently delete,' the correct answer must include specifying the version ID."
Commonly Confused With
S3 versioning preserves every version of an object, while lifecycle policies automate the transition or expiration of those versions over time. Versioning is about keeping history; lifecycle is about managing that history. You need versioning to have multiple versions to act on, but lifecycle policies can work on both versioned and non-versioned objects to move them to cheaper storage or delete them.
Versioning is like keeping every draft of a book. A lifecycle policy is like a rule that says 'after one year, move old drafts to a basement shelf (Glacier), and after seven years, shred them.'
S3 replication automatically copies objects (and optionally versions) from one bucket to another. Versioning is a prerequisite for replication because it uses version IDs to track which objects have been copied. But replication is about copying data for redundancy or compliance, while versioning is about preserving history within the same bucket.
Versioning is like keeping copies of your homework in your own binder. Replication is like sending a copy of your binder to your friend's house so you have a backup in case yours is lost.
S3 Object Lock prevents objects from being deleted or overwritten for a fixed retention period. Versioning is required for Object Lock to work, but Object Lock adds a WORM (write-once-read-many) guarantee. Versioning alone does not prevent deletion; it just makes deletion reversible. Object Lock makes deletion impossible until the retention period expires.
Versioning is like a safe that keeps every version of a document. Object Lock is like putting a padlock on the safe that only opens after a specific date, ensuring no one can alter or remove the document before then.
AWS Backup is a managed service that creates snapshots and backups of entire buckets, including versioned data, for disaster recovery. Versioning protects against accidental deletion or overwrite within the bucket, but it does not protect against bucket deletion or account-level issues. AWS Backup provides off-site, point-in-time recovery outside of the bucket.
Versioning is like a revision history in a document. AWS Backup is like storing a copy of the entire document in a fireproof safe across town.
S3 event notifications can be triggered when objects are created, deleted, or restored in a bucket. Versioning affects notifications: in a versioned bucket, events include the version ID. But event notifications are about alerts, not data preservation. Versioning is about data history.
Versioning saves every draft. Event notifications send you a text message every time a draft is saved. They work together but serve different purposes.
Step-by-Step Breakdown
Create an S3 bucket
Before you can use versioning, you need an S3 bucket. In the AWS Management Console, you choose a unique name, select a Region, and configure settings. At this point, versioning is disabled by default. You must explicitly enable it. Note that if you create a bucket via AWS CLI, versioning is also off initially.
Enable versioning on the bucket
In the bucket properties, under 'Bucket Versioning,' you select 'Enable.' This action is irreversible; once enabled, you cannot fully disable versioning, only suspend it. After enabling, every object uploaded will receive a unique version ID. Existing objects in the bucket do not get version IDs; they have a null version ID. This step is the critical moment that activates the feature.
Upload an object to the bucket
When you upload a file, S3 assigns a new version ID. The first upload after enabling versioning might get a version ID like 'null' or a generated ID depending on settings. Each subsequent upload of the same object key generates a new version. The latest version is the one that is returned by default when you access the object without specifying a version ID.
Upload a second version of the same object
If you upload the same file again (same key) with different content, S3 creates a second version. Both versions exist side by side. In the console, you can toggle 'Show versions' to see both. The latest version is on top. This step demonstrates how versioning preserves history: the old version is not overwritten; it is stored as a previous version.
Delete the object (without version ID)
If you delete the object using a standard DELETE request (no version ID), S3 does not remove any version. Instead, it adds a delete marker as the latest version. The object appears deleted when listed normally, but it still exists. The delete marker is a special marker with no data. You can see it when you list versions. Removing the delete marker restores the object.
Permanently delete a specific version
To completely remove a version-including the original data or a delete marker-you must specify the version ID in the DELETE request. In the console, you can select a specific version and click 'Delete' with the version ID checkbox. This action is permanent. Data cannot be recovered once a version is permanently deleted (unless you have backups).
Suspend versioning
If you no longer want new versions created, you can suspend versioning in the bucket properties. This does not remove existing versions. After suspension, any new uploads get a null version ID. If you upload an object with the same key as an existing null version, it overwrites that null version. Suspension is reversible (you can enable again), but existing versions remain unchanged.
Configure a lifecycle policy for old versions
To manage storage costs, you create lifecycle rules. One common rule is 'Expire noncurrent versions after 30 days.' This tells S3 to automatically delete versions that are not the latest version after 30 days. You can also transition noncurrent versions to S3 Standard-IA or S3 Glacier after a certain number of days. This step is essential for production buckets to avoid runaway costs.
Enable MFA Delete (optional)
For extra security, you can enable MFA Delete. This requires a multi-factor authentication code to permanently delete a version or suspend versioning. You must enable this via the AWS CLI or API; it is not available in the console. Once enabled, any operation that would permanently destroy data must include the MFA token. This protects against accidental or malicious permanent deletion.
Test recovery by removing a delete marker
To verify that versioning works, you can delete an object (creating a delete marker), then remove that delete marker. After removal, the object should reappear in normal listing. This confirms that versioning provides recoverability. Testing this in a non-production environment is a best practice to ensure you understand the process before relying on it in production.
How S3 Versioning Works: Core Concepts
Amazon S3 versioning is a feature that allows you to preserve, retrieve, and restore every version of every object stored in an S3 bucket. When you enable versioning on a bucket, S3 automatically assigns a unique version ID to each new object upload, and each subsequent update or deletion operation creates a new version rather than overwriting or destroying the previous one. This provides a powerful safeguard against accidental data loss, unintended overwrites, and malicious deletions.
Once versioning is enabled, every object operation, PUT, POST, COPY, or DELETE, generates a new version. The key distinction is that DELETE operations no longer remove the object entirely; instead, they insert a delete marker (a special version) that hides the current object from default listing operations. The underlying versions remain intact and recoverable by removing the delete marker. This is a critical concept for cloud practitioners and developers to understand because it fundamentally changes how data integrity and backup strategies are implemented in S3.
Versioning operates at the bucket level. You can toggle it on, but you cannot turn it off once it has been enabled, you can only suspend versioning. Suspending versioning means that future uploads will have a null version ID, and existing versions remain accessible. This irreversibility (from on to off) is a common exam trap. Buckets can be in one of three states: unversioned (default, never enabled), versioning-enabled, or versioning-suspended. These states are frequently tested across AWS certifications including the Cloud Practitioner, Developer Associate, and Solutions Architect Associate exams.
From a technical perspective, S3 stores each version as a full copy of the object, not as a delta. This means versioning incurs storage costs for every version retained. Versioning does not replicate data across regions unless you also enable Cross-Region Replication. It also integrates with S3 Lifecycle policies, enabling automatic transitions of older versions to cheaper storage classes (e.g., S3 Standard-IA, S3 Glacier) or permanent deletion. This combination of versioning and lifecycle management is a core pattern for cost-effective data retention.
Versioning is a prerequisite for other S3 features like S3 Object Lock, S3 Replication, and bucket-level access logging for object-level events. For example, if you want to enforce a write-once-read-many (WORM) policy using S3 Object Lock, versioning must be enabled first. Similarly, S3 Replication requires versioning to be turned on in both source and destination buckets. Understanding these dependencies is essential for passing AWS certification exams and for designing resilient storage solutions.
One common misconception is that versioning backs up your data automatically. While versioning does preserve previous versions, it is not a complete backup solution because it does not protect against bucket-level deletion or regional disasters. For comprehensive protection, you should use versioning in combination with cross-region replication, lifecycle policies, and external backups. In exams, you will often be asked to choose the best solution for data protection, and versioning is frequently the correct answer for preventing accidental object deletion or overwrite.
How S3 Versioning Affects Storage and Cost
Enabling versioning on an S3 bucket directly impacts your storage costs because every version of an object consumes storage space. Unlike some version control systems that store only diffs, S3 stores each version as a complete copy of the object. This means if you have a 1 GB file and you update it 10 times, you will pay for 10 GB of storage (plus any additional metadata overhead). This can lead to unexpected cost spikes if not managed carefully, a scenario that certification exams often present as a cost-related gotcha.
Costs are incurred for both current and noncurrent (old) versions. The bill includes storage fees, request fees (PUT, COPY, POST, and LIST requests for each version), and data transfer fees if applicable. If you use versioning with lifecycle policies to transition older versions to colder storage classes, you will pay per-object transition fees. For example, moving a noncurrent version from S3 Standard to S3 Glacier Instant Retrieval incurs a lifecycle transition cost per object. This is a common exam topic, especially in the AWS Solutions Architect Associate (SAA-C03) and Developer Associate exams.
The cost management strategy revolves around versioning lifecycle rules. You can configure lifecycle policies to automatically expire (delete) noncurrent versions after a specified number of days. For instance, you might keep the last 5 versions and automatically delete any version older than 30 days. This balances retention for safety against cost accumulation. The exam frequently tests your ability to write or interpret a lifecycle policy that minimizes cost while meeting compliance or recovery requirements.
Another cost consideration is the delete marker. Delete markers themselves are tiny and incur negligible storage charges, but the versions they hide remain billable. If an admin deletes an object and assumes it is gone, they may continue paying for the underlying versions. This is a classic exam trap: a question will describe an admin who observes storage costs continuing after deletion, and the correct answer involves understanding that versioning was enabled and the delete markers are hiding the versions. The solution is to delete the object versions explicitly.
S3 also charges for list requests when you use the ListObjectVersions API to enumerate versions. If you frequently list all versions, this can add to API costs. For large-scale applications, using S3 Inventory reports can help you audit version counts and sizes without incurring per-request listing charges. This distinction between ListObjectVersions and S3 Inventory is a subtle but important exam point.
Finally, note that storage costs for versioning are not retroactively calculated. If you enable versioning on an existing bucket, pre-existing objects will have a null version ID and will not be versioned. Only new uploads after enabling versioning get unique version IDs. This means the cost impact starts only after you turn on versioning. Suspending versioning stops new versions from being created but does not delete or change existing versions, they remain billable. Understanding this timeline of cost implications helps you answer scenario-based questions about cost optimization.
S3 Versioning Interplay with Replication, Lifecycle, and Object Lock
S3 versioning is not an isolated feature; it serves as a foundational capability for several advanced S3 services. Understanding these interrelationships is crucial for cloud architects and is heavily tested in AWS certification exams, particularly the SAA-C03 and DVA-C02. The most important integrations are with S3 Replication, S3 Lifecycle policies, and S3 Object Lock.
S3 Replication (both same-region and cross-region) requires versioning to be enabled on both the source and destination buckets. Without versioning, replication cannot track object changes. When versioning is enabled, each new object version created in the source bucket is automatically replicated to the destination bucket, including delete markers if you choose to replicate deletions. This is a common pattern for disaster recovery and compliance. In exams, you might be asked why replication failed, and the answer often involves checking that versioning is enabled on both buckets. A subtler point: if you enable replication after some versions exist, only new version create events are replicated, pre-existing versions are not retroactively copied.
Lifecycle policies can act directly on versioned objects. You can create rules that apply to current versions (using the "CurrentVersion" filter) and noncurrent versions (using "NoncurrentVersion"). For example, you can transition current versions to S3 Standard-IA after 30 days, and noncurrent versions to S3 Glacier Deep Archive after 90 days, then expire (permanently delete) noncurrent versions after 365 days. The lifecycle action for noncurrent versions is especially useful for controlling versioning costs. A common exam question presents a lifecycle JSON and asks which objects are affected at each stage.
S3 Object Lock, which enforces write-once-read-many (WORM) protection, requires versioning to be enabled on the bucket. Object Lock works by applying a retention period (either governance or compliance mode) or a legal hold to individual object versions. Once applied, the object version cannot be overwritten or deleted until the retention period expires. This is critical for financial records, medical data, or any scenario requiring immutable storage. In exams, you will see questions about how to make objects non-deletable, the correct answer usually involves enabling versioning and then using Object Lock with a retention mode.
versioning integrates with S3 Event Notifications. You can configure events to trigger on specific versioning actions such as s3:ObjectCreated:* or s3:ObjectRemoved:* (which includes delete marker creation). This allows you to build serverless workflows that process new versions for indexing, virus scanning, or backup validation. The exam may test your understanding of which event type fires for versioned deletes.
Another less obvious integration is with S3 Access Points and bucket policies. Versioning adds another dimension to access control. For example, you can create a bucket policy that denies deletion of object versions unless the user has the s3:DeleteObjectVersion permission. This granular control is often examined in scenarios where an organization wants to prevent accidental permanent deletion while allowing normal deletes (which create delete markers). The policy key s3:VersionId is used to specify a particular version.
Finally, versioning is required when using S3 Batch Operations to perform actions on a large number of objects, such as restoring archived objects or copying objects across buckets. Batch Operations can target specific version IDs, which is only possible if versioning is enabled. Understanding these connections helps you answer complex multi-service scenario questions in the Solutions Architect exam.
S3 Versioning States: Unversioned, Enabled, and Suspended
Amazon S3 versioning has three distinct states: unversioned, versioning-enabled, and versioning-suspended. Each state has different behaviors, implications for data management, and exam pitfalls. Mastering the differences between these states is essential for both the AWS Cloud Practitioner and the more advanced Associate-level certifications.
An unversioned bucket is the default state when you first create an S3 bucket. In this state, every upload of an object with the same key overwrites the existing object, and the previous object is permanently lost. There is no version ID, the object is simply replaced. This is fine for transient or non-critical data but is dangerous for production workloads. Unversioned buckets cannot use S3 Object Lock or S3 Replication. The exam often asks: "What is the state of a new S3 bucket?" The correct answer is unversioned (or versioning disabled).
When you enable versioning on a bucket, it transitions to the versioning-enabled state. This is a one-way operation, you cannot disable versioning once enabled; you can only suspend it. In this state, every object operation creates a new version with a unique version ID. The most important behavioral change is with deletions. A DELETE request does not remove the object; instead, S3 inserts a delete marker as the current version. The underlying object versions remain intact and are hidden from normal listing (GET / ListObjects). You can retrieve them only by using the ListObjectVersions API with the specific version ID. This is the single most tested concept about versioning in AWS exams.
When you suspend versioning, the bucket enters the versioning-suspended state. This means that future uploads will have a null version ID (the same behavior as an unversioned bucket) but all previous versions remain stored and accessible. Existing version IDs are not modified. Critically, if you upload an object with the same key after suspending versioning, it overwrites the current version (which might be a delete marker or an actual version) and creates a new null version. The old versions remain in the bucket and can be retrieved. Suspending versioning is often used to stop the accumulation of new versions without losing existing ones. The exam may present a scenario where an admin suspends versioning and then asks what happens to older versions, they are preserved.
A common exam trap involves the interaction between versioning-suspended and delete markers. If a bucket has versioning enabled, and then you delete an object (creating a delete marker), and then you suspend versioning, that delete marker persists and still hides the underlying versions. Uploading a new object after suspension will create a null version that becomes the current version, but it will not remove the delete marker. The delete marker must be explicitly deleted by specifying its version ID. This nuanced sequence appears in scenario-based questions.
Another important nuance: when you enable versioning, existing objects in the bucket receive a null version ID and are not automatically versioned. They remain as they were, no new version IDs are assigned. Only subsequent uploads receive unique version IDs. This means that if you need to protect existing objects with versioning, you must first enable versioning and then re-upload those objects, or use a lifecycle policy to handle them. The exam tests this by asking: "An admin enables versioning on an existing bucket with 100 objects. How many versions exist immediately?" The answer is 100 versions with null IDs.
Finally, remember that versioning state changes are eventually consistent across all S3 endpoints. This rarely causes issues but can lead to a short delay before the new state is fully active. The exam generally does not test this delay, but it is good to know for real-world troubleshooting.
To summarize: unversioned is the default with no protection; versioning-enabled provides full version history and delete markers; versioning-suspended stops new versions but retains existing history. Understanding these states and their transitions is critical for correct answers on AWS certification exams.
Troubleshooting Clues
Unable to enable versioning on a bucket
Symptom: AWS CLI returns an AccessDenied error when running put-bucket-versioning.
The IAM user or role lacks the s3:PutBucketVersioning permission. This permission must be explicitly granted in an IAM policy. Root user always has it but best practice is to use least privilege.
Exam clue: The exam tests IAM permissions for versioning actions. Look for missing s3:PutBucketVersioning in policy statements.
Versions accumulating unexpectedly and increasing costs
Symptom: Monthly S3 bill shows high storage costs despite infrequent updates to objects.
Every update creates a new version, and no lifecycle policy is configured to expire older versions. Without a rule to delete or transition noncurrent versions, all versions remain in S3 Standard tier indefinitely.
Exam clue: The exam presents a cost optimization scenario where the correct answer is to add a lifecycle policy with NoncurrentVersionExpiration or NoncurrentVersionTransition.
Objects still appear after deletion
Symptom: After running `aws s3 rm s3://my-bucket/file.txt`, the object still appears when listing versions.
When versioning is enabled, the rm command creates a delete marker instead of permanently deleting the object. The object is hidden from normal listing but still present and billable.
Exam clue: Classic exam scenario: admin deletes objects but storage costs continue. Solution: explicitly delete object versions or configure lifecycle to remove delete markers.
Unable to revert to a previous object version
Symptom: User wants to restore an older version of an object but cannot see it in the S3 console.
By default, the console shows only the current version (latest). To see older versions, the user must navigate to the object's properties and click "Show versions" or use the ListObjectVersions API.
Exam clue: The exam tests the recovery workflow: use ListObjectVersions to identify the desired version ID, then copy that version to the same key (or use copy-object with version ID).
S3 Replication is not replicating object versions
Symptom: Objects uploaded to the source bucket do not appear in the destination bucket.
Replication requires versioning to be enabled on both source and destination buckets. Without versioning, replication cannot track changes. Pre-existing versions are not replicated unless you enable replication after they exist.
Exam clue: Exam questions about replication failures often point to missing versioning. Check that both buckets have versioning Enabled.
Bucket cannot be deleted because it contains noncurrent versions
Symptom: When attempting to delete a bucket, the console or CLI reports that the bucket is not empty.
Versioned buckets store versions even if they appear empty in normal listing. The bucket cannot be deleted until all versions and delete markers are permanently removed. You must delete every version ID.
Exam clue: The exam asks: "How do you delete a versioned bucket?" The answer is to list all object versions and delete each one, or use a lifecycle policy to expire everything first.
Incorrect cost estimation for versioning
Symptom: User expects versioning to cost little but sees high charges.
They forgot that each version is a full copy, not a delta. Also, they may not have configured lifecycle policies to transition older versions to cheaper storage classes like Glacier.
Exam clue: The exam includes cost calculation questions. The key insight: versioning multiplies storage by the number of versions retained.
Delete marker prevents access to object
Symptom: Users receive 403 or 404 errors when trying to access an object that was previously accessible.
A delete marker was created, making the object hidden. Accessing that key without specifying a version ID returns a 404. To restore, you must delete the delete marker using its version ID.
Exam clue: Scenario: a user accidentally deleted an object and cannot access it. Solution: remove the delete marker. The exam tests the distinction between soft delete (delete marker) and hard delete.
Learn This Topic Fully
This glossary page explains what S3 versioning means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
ACEGoogle ACE →CDLGoogle CDL →AZ-104AZ-104 →AZ-900AZ-900 →CLF-C02CLF-C02 →SAA-C03SAA-C03 →DVA-C02DVA-C02 →220-1101CompTIA A+ Core 1 →DP-900DP-900 →PCAGoogle PCA →Related Glossary Terms
AlloyDB is a fully managed, PostgreSQL-compatible database service from Google Cloud designed for high performance, scalability, and reliability for transactional and analytical workloads.
Amazon Aurora is a fully managed relational database engine from AWS that combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open-source databases like MySQL and PostgreSQL.
Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora that automatically starts, scales, and stops database capacity based on your application's needs.
BigQuery is a fully managed, serverless data warehouse on Google Cloud that lets you run fast SQL queries on massive datasets without managing any infrastructure.
BigQuery slots are units of computational capacity that determine how much processing power your queries can use in Google BigQuery.
Bigtable is Google's fully managed, scalable NoSQL database service designed for large analytical and operational workloads, handling petabytes of data with low latency.
Quick Knowledge Check
1.An engineer enables versioning on an existing S3 bucket that contains 50 objects. What happens to the existing objects?
2.A user runs `aws s3 rm s3://my-bucket/file.txt` on a versioned bucket. What is the result?
3.Which AWS feature requires S3 versioning to be enabled as a prerequisite?
4.A bucket has versioning enabled. An admin wants to permanently delete a specific old version of an object. Which AWS CLI command should be used?
5.An organization wants to keep the last 5 versions of each object and automatically delete any version older than 60 days. Which lifecycle policy configuration should be used?