terraform.aws.best-practice.aws-s3-bucket-versioning-not-enabled.aws-s3-bucket-versioning-not-enabled
Ensure that Amazon S3 bucket versioning is enabled (the rule flags `aws_s3_bucket` resources that do not enable versioning). Enable versioning unless you have an alternative backup mechanism: it keeps prior object versions, so objects that are overwritten or deleted — by mistake or by an attacker with write access — can be recovered.
Definition
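rules:
  - id: aws-s3-bucket-versioning-not-enabled
    # Flags every `aws_s3_bucket` resource that does not carry a
    # `versioning { enabled = true }` block. Versioning keeps prior object
    # versions, so an overwrite or delete -- accidental, or by an attacker
    # who obtained write access -- can be rolled back.
    patterns:
      # Match any aws_s3_bucket resource ...
      - pattern: |
          resource "aws_s3_bucket" $ANYTHING {
            ...
          }
      # ... unless it explicitly enables versioning inside a `versioning`
      # block. `enabled = true` anywhere else (at the resource top level,
      # inside `tags`, inside an unrelated map attribute) does not count;
      # the fixtures below exercise each of those shapes.
      - pattern-not-inside: |
          resource "aws_s3_bucket" $ANYTHING {
            ...
            versioning {
              ...
              enabled = true
              ...
            }
            ...
          }
      # ... or drives the flag from a variable. The rule does not resolve
      # variable values, so `enabled = var.x` is accepted as-is even when the
      # variable defaults to false or is overridden at apply time. This is a
      # known false negative (see the `todoruleid` fixture); treat such
      # buckets as unverified rather than as passing.
      - pattern-not-inside: |
          resource "aws_s3_bucket" $ANYTHING {
            ...
            versioning {
              ...
              enabled = var.$X
              ...
            }
            ...
          }
    # NOTE(review): this matches only the inline `versioning` block of
    # `aws_s3_bucket`. A configuration that enables versioning through a
    # separate `aws_s3_bucket_versioning` resource would still be flagged,
    # because a single-resource pattern cannot see sibling resources --
    # confirm against the AWS provider version in use before relying on this
    # rule alone.
    # Message fixed: the original said "is not enabled", the inverse of what
    # the rule checks.
    message: >-
      Ensure that Amazon S3 bucket versioning is enabled. Enable versioning
      unless you have an alternative backup mechanism: it lets overwritten or
      deleted objects be recovered.
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING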
Examples
aws-s3-bucket-versioning-not-enabled.tf
# ruleid: aws-s3-bucket-versioning-not-enabled
# No `versioning` block at all -> must be flagged.
# `tags { ... }` is written in block form here rather than the `tags = { ... }`
# map the other fixtures use; the rule only looks for a `versioning` block, so
# this does not affect matching. The `public-read` ACL is incidental to this
# rule (it is not what is being tested, and would be a finding of its own).
resource "aws_s3_bucket" "fail4" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags {
    Name = "my-bucket"
  }
}
# ruleid: aws-s3-bucket-versioning-not-enabled
# `enabled` set at the resource top level, outside any `versioning` block ->
# must still be flagged. (`True` is also not the HCL boolean literal `true`;
# the fixture is deliberately malformed to make sure the rule does not accept
# a stray `enabled` assignment as versioning.)
resource "aws_s3_bucket" "fail3" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags          = { Name = "my-bucket" }
  enabled       = True
}
# ruleid: aws-s3-bucket-versioning-not-enabled
# `enabled = true` buried inside `tags.wrong_field` -> must be flagged.
# Confirms the rule only honours `enabled = true` directly inside a
# `versioning` block, not in an arbitrary nested map.
resource "aws_s3_bucket" "fail2" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags = {
    Name = "my-bucket"
    wrong_field = {
      enabled = true }
  }
}
# ruleid: aws-s3-bucket-versioning-not-enabled
# `versioning = { enabled = true }` as a map nested in an unrelated attribute,
# not as a `versioning { }` block -> must be flagged. A map attribute named
# `versioning` is not the provider's versioning configuration.
resource "aws_s3_bucket" "fail" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags          = { Name = "my-bucket" }
  wrong_field   = { versioning = { enabled = true } }
}
# Negative case: a real `versioning { enabled = true }` block -> not flagged.
# Only versioning is being tested here; the `public-read` ACL would be a
# separate finding under a different rule, and the `logging` block is
# present only to show that other nested blocks do not confuse the match.
resource "aws_s3_bucket" "pass" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags          = { Name = "my-bucket" }
  logging {
    target_bucket = "logging-bucket"
    target_prefix = "log/"
  }
  versioning {
    enabled = true
  }
}
# ruleid: aws-s3-bucket-versioning-not-enabled
# A `versioning` block that exists but has `enabled = false` -> must be
# flagged (the rule requires the literal `enabled = true`, not merely the
# presence of the block). `mfa_delete = false` is not examined by this rule.
# The bucket is deliberately "superfail": besides the versioning finding it
# has a `public-read-write` ACL and a bucket policy whose first statement
# allows `s3:PutObject`/`s3:PutObjectAcl` to Principal "*" (anonymous writes).
# The second statement places "Effect": "Deny" inside "Principal" rather than
# at statement level, so as written it is not a well-formed Deny statement.
# None of that is what this rule tests, but do not copy this fixture as a
# template.
resource "aws_s3_bucket" "failcomplex" {
  acl    = "public-read-write"
  bucket = "superfail"
  versioning {
    enabled    = false
    mfa_delete = false
  }
  policy = <<POLICY
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddCannedAcl",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:PutObject","s3:PutObjectAcl"],
"Resource":"arn:aws:s3:::superfail/*"
},
{
"Principal": {
"AWS": ["*"],
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
}
]
}
POLICY
}
# todoruleid: aws-s3-bucket-versioning-not-enabled
# Versioning driven by a variable. The rule's second `pattern-not-inside`
# (`enabled = var.$X`) excludes this resource, so it is currently NOT flagged
# even though `todoruleid` records that the author would like it to be.
# This is a known gap: the rule does not evaluate variable values, so a
# variable defaulting to false, or overridden to false at apply time, passes
# silently. Treat variable-driven `enabled` as unverified.
resource "aws_s3_bucket" "this" {
  bucket = var.bucket
  acl    = "private"
  versioning {
    enabled = var.enabled
  }
}
# Default happens to be true here, but the rule never reads it -- the
# `this` fixture above is excluded purely because the value is a `var.*`
# reference, regardless of what this default is.
variable "enabled" {
  default = true
}