Disabled AWS S3 object versioning High

S3 object versioning is disabled on the AWS S3 bucket. Make sure that versioning is enabled, so that an object that is overwritten or deleted can be restored from an earlier version.

Detector ID
terraform/disabled-s3-versioning-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

# Example bucket with inline versioning, default-encryption and replication
# settings. Only the versioning block is what the detector flags.
resource "aws_s3_bucket" "exampletest" {
  bucket                = "pike-680235478471"
  expected_bucket_owner = "680235478471"

  # Noncompliant: the S3 bucket has versioning disabled, so an overwritten or
  # deleted object leaves no earlier version to restore.
  versioning {
    enabled = false
  }

  # Default encryption at rest. The key and the algorithm come from
  # aws_kms_key.mykey and var.bla, both declared outside this listing.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = var.bla
        kms_master_key_id = aws_kms_key.mykey.arn
      }
    }
  }

  # NOTE(review): S3 replication requires versioning on the source bucket, so
  # this block is expected to be rejected while versioning stays disabled.
  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      id     = "foobar"
      status = var.replication_enabled

      filter {
        tags = {}
      }

      destination {
        storage_class = "STANDARD"
        bucket        = aws_s3_bucket.destination.arn

        replication_time {
          minutes = 15
          status  = "Enabled"
        }

        metrics {
          minutes = 15
          status  = "Enabled"
        }
      }
    }
  }
}
# Server access logging for the example bucket, written under the "log/" prefix.
# NOTE(review): target_bucket is the logged bucket itself, so log deliveries are
# logged in turn; a dedicated log bucket is the usual choice -- confirm intent.
resource "aws_s3_bucket_logging" "example" {
  bucket        = aws_s3_bucket.exampletest.id
  target_prefix = "log/"
  target_bucket = aws_s3_bucket.exampletest.id
}
# Turns on all four public-access-block settings for the example bucket.
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.exampletest.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
# Lifecycle rule "log": aborts multipart uploads that are still incomplete
# 7 days after they were started.
resource "aws_s3_bucket_lifecycle_configuration" "pass" {
  bucket = aws_s3_bucket.exampletest.id

  rule {
    id     = "log"
    status = "Enabled"

    # Empty filter: the rule carries no prefix or tag restriction.
    filter {}

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
# Sends an SNS notification for every object-created event whose key ends in
# ".log". The topic is declared outside this listing.
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.exampletest.id

  topic {
    events        = ["s3:ObjectCreated:*"]
    filter_suffix = ".log"
    topic_arn     = aws_sns_topic.topic.arn
  }
}

Compliant example

# Example bucket with inline versioning, default-encryption and replication
# settings. The versioning block is the part the detector evaluates.
resource "aws_s3_bucket" "exampletest" {
  bucket                = "pike-680235478471"
  expected_bucket_owner = "680235478471"

  # Compliant: the S3 bucket has versioning enabled, so earlier versions of an
  # overwritten or deleted object are retained.
  # NOTE(review): with AWS provider v4 or later this setting is normally
  # declared through a separate aws_s3_bucket_versioning resource; the inline
  # block is kept here as the page shows it.
  versioning {
    enabled = true
  }

  # Default encryption at rest. The key and the algorithm come from
  # aws_kms_key.mykey and var.bla, both declared outside this listing.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = var.bla
        kms_master_key_id = aws_kms_key.mykey.arn
      }
    }
  }

  # Replication to aws_s3_bucket.destination. S3 replication requires
  # versioning on the source bucket, which the block above provides; the
  # destination bucket is declared outside this listing.
  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      id     = "foobar"
      status = var.replication_enabled

      filter {
        tags = {}
      }

      destination {
        storage_class = "STANDARD"
        bucket        = aws_s3_bucket.destination.arn

        replication_time {
          minutes = 15
          status  = "Enabled"
        }

        metrics {
          minutes = 15
          status  = "Enabled"
        }
      }
    }
  }
}
# Server access logging for the example bucket, written under the "log/" prefix.
# NOTE(review): the bucket logs into itself (target_bucket is the same bucket);
# access logs are usually delivered to a separate bucket -- confirm intent.
resource "aws_s3_bucket_logging" "example" {
  target_bucket = aws_s3_bucket.exampletest.id
  target_prefix = "log/"
  bucket        = aws_s3_bucket.exampletest.id
}
# Public access block for the example bucket: all four settings are true.
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.exampletest.id

  # ACL-based public access
  block_public_acls  = true
  ignore_public_acls = true

  # Policy-based public access
  block_public_policy     = true
  restrict_public_buckets = true
}
# Lifecycle rule "log": aborts multipart uploads that are still incomplete
# 7 days after they were started.
# NOTE(review): on a versioned bucket, noncurrent object versions are kept
# until a noncurrent_version_expiration rule removes them; none is declared
# here -- confirm that indefinite retention is intended.
resource "aws_s3_bucket_lifecycle_configuration" "pass" {
  bucket = aws_s3_bucket.exampletest.id

  rule {
    id     = "log"
    status = "Enabled"

    # Empty filter: the rule carries no prefix or tag restriction.
    filter {}

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
# Object-created events for keys ending in ".log" are published to the SNS
# topic aws_sns_topic.topic, which is declared outside this listing.
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.exampletest.id

  topic {
    filter_suffix = ".log"
    events        = ["s3:ObjectCreated:*"]
    topic_arn     = aws_sns_topic.topic.arn
  }
}