Using Amazon S3 Versioning to Protect Against Ransomware Attacks
- Updated on 25 Jun 2023
Amazon S3 Versioning is a version control feature for S3 that enables you to revert to older versions of an S3 object, which helps provide protection against accidental or malicious deletion such as from a ransomware attack.
You can protect these versions from ransomware attacks in the following ways:
- You can define a bucket policy that grants permissions so that only users with the necessary permissions can permanently delete a previous version of an object. You can then restore your data from a previous version, safeguarding your environment from ransomware attacks.
- When working with S3 Versioning in Amazon S3 buckets, you can optionally add another layer of security by configuring a bucket to enable MFA (multi-factor authentication) delete. With MFA delete enabled, the bucket owner must include two forms of authentication in any request to permanently delete an object version or change the versioning state of the bucket: their security credentials, and the concatenation of a valid serial number, a space, and the six-digit code displayed on an approved authentication device. MFA delete thus provides added security if, for example, your security credentials are compromised. It can also help prevent accidental bucket deletions by requiring the user who initiates the delete action to prove physical possession of an MFA device with an MFA code. To use MFA delete, you can use either a hardware or virtual MFA device to generate an authentication code.
You can use either or both of these options to protect your data.
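The following Python check is an added example, not part of the original page. It reports which of the protections above a bucket is missing, given a dict shaped like the S3 GetBucketVersioning response and the bucket policy as JSON. The sample policy, bucket name, account ID and role name are constructed, and treating any Deny on `s3:DeleteObjectVersion` as sufficient is a simplifying assumption.

```python
import json
from fnmatch import fnmatchcase

ACTION = "s3:DeleteObjectVersion"  # permission needed to permanently delete a version

def _as_list(value):
    """Policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if a statement's Action patterns match `action` (wildcards, case-insensitive)."""
    return any(fnmatchcase(action.lower(), str(p).lower())
               for p in _as_list(stmt.get("Action")))

def _any_principal(stmt):
    """True if the statement applies to every principal ("*")."""
    p = stmt.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))

def audit_bucket(versioning, policy_json):
    """Return findings for one bucket.

    versioning  -- dict shaped like the GetBucketVersioning response
    policy_json -- bucket policy as a JSON string, or None when no policy exists
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete is not enabled")
    stmts = _as_list(json.loads(policy_json).get("Statement")) if policy_json else []
    if not any(s.get("Effect") == "Deny" and _covers(s, ACTION) for s in stmts):
        findings.append(f"no Deny statement restricts {ACTION}")
    for s in stmts:
        if s.get("Effect") == "Allow" and _any_principal(s) and _covers(s, ACTION):
            findings.append(f"{s.get('Sid', 'unnamed statement')} allows {ACTION} to any principal")
    return findings

# Constructed sample: deny version deletion to everyone except one hypothetical role.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ProtectVersions", "Effect": "Deny", "Principal": "*",
    "Action": ACTION, "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"ArnNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/ExampleBackupAdmin"}}}]})

if __name__ == "__main__":
    print(audit_bucket({"Status": "Enabled", "MFADelete": "Enabled"}, SAMPLE_POLICY))
    print(audit_bucket({"Status": "Suspended"}, None))
```

A bucket that has never had versioning configured returns no `Status` field at all, which the check reports the same way as a suspended bucket.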
For details about setting up S3 versioning, see Configuring Amazon S3 Versioning.