terraform.aws.best-practice.aws-s3-bucket-versioning-not-enabled.aws-s3-bucket-versioning-not-enabled


Amazon S3 bucket versioning is not enabled. Consider enabling versioning if you don't have an alternative backup mechanism.



Definition

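rules:
  - id: aws-s3-bucket-versioning-not-enabled
    # Reports aws_s3_bucket resources whose inline `versioning` block does not
    # enable versioning, or that have no `versioning` block at all.
    # Scope caveat: only the inline block is inspected. A bucket that configures
    # versioning through a separate `aws_s3_bucket_versioning` resource
    # (AWS provider 4.x style) is not recognised and will still be reported.
    patterns:
      # Candidate set: every aws_s3_bucket resource.
      - pattern: |
          resource "aws_s3_bucket" $ANYTHING {
            ...
          }
      # Exclusion 1: an inline versioning block that literally enables it.
      - pattern-not-inside: |
          resource "aws_s3_bucket" $ANYTHING {
            ...
            versioning {
              ...
              enabled = true
              ...
            }
            ...
          }
      # Exclusion 2: `enabled` bound to a variable. The variable's value is not
      # resolved, so such a bucket is accepted as-is. The rule's own examples
      # mark this shape as `todoruleid`, i.e. a known gap rather than a
      # verified pass.
      - pattern-not-inside: |
          resource "aws_s3_bucket" $ANYTHING {
            ...
            versioning {
              ...
              enabled = var.$X
              ...
            }
            ...
          }
    # The rule fires when versioning is NOT enabled, so the message states the
    # finding; the previous wording ("Ensure that ... is not enabled") read as
    # the opposite of the rule's intent.
    message: Amazon S3 bucket versioning is not enabled. Consider enabling
      versioning if you don't have an alternative backup mechanism.
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING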

Examples

aws-s3-bucket-versioning-not-enabled.tf

# No versioning block at all: matched by the rule's candidate pattern and
# excluded by neither pattern-not-inside clause.
# ruleid: aws-s3-bucket-versioning-not-enabled
resource "aws_s3_bucket" "fail4" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read" # ACL is not inspected by this rule
  force_destroy = true
  tags {
    Name = "my-bucket"
  }
}
# `enabled` as a top-level attribute is not a versioning block, so neither
# exclusion applies and the rule still fires. (Note `True` is also not the
# HCL boolean literal `true`.)
# ruleid: aws-s3-bucket-versioning-not-enabled
resource "aws_s3_bucket" "fail3" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags          = { Name = "my-bucket" }
  enabled       = True
}
# `enabled = true` nested inside the tags map is not a versioning block;
# the rule must still fire.
# ruleid: aws-s3-bucket-versioning-not-enabled
resource "aws_s3_bucket" "fail2" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags = {
    Name = "my-bucket"
    wrong_field = {
    enabled = true }
  }
}
# `versioning` as a key inside a map attribute is not a `versioning { }`
# block, so the exclusions do not match and the rule still fires.
# ruleid: aws-s3-bucket-versioning-not-enabled
resource "aws_s3_bucket" "fail" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true
  tags          = { Name = "my-bucket" }
  wrong_field   = { versioning = { enabled = true } }
}


# Expected not to be reported: the inline versioning block sets
# `enabled = true`, which matches the first pattern-not-inside exclusion.
# The logging block and the ACL play no part in this rule.
resource "aws_s3_bucket" "pass" {
  region        = "us-west-2"
  bucket        = "my_bucket"
  acl           = "public-read"
  force_destroy = true

  tags = { Name = "my-bucket" }

  logging {
    target_bucket = "logging-bucket"
    target_prefix = "log/"
  }
  versioning {
    enabled = true
  }
}
# A versioning block is present but `enabled = false`, so the first exclusion
# does not match and the rule fires. The bucket policy heredoc below is not
# inspected by this rule; only the versioning block decides the match.
# ruleid: aws-s3-bucket-versioning-not-enabled
resource "aws_s3_bucket" "failcomplex" {
  acl    = "public-read-write"
  bucket = "superfail"

  versioning {
    enabled    = false
    mfa_delete = false
  }

  policy = <<POLICY
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:PutObject","s3:PutObjectAcl"],
      "Resource":"arn:aws:s3:::superfail/*"
    },
    {
        "Principal": {
            "AWS": ["*"],
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        }
    }
  ]
}
POLICY
}

# `enabled = var.enabled` matches the second pattern-not-inside exclusion, so
# the rule does not currently report this bucket. The `todoruleid` marker
# records that as a known gap: the variable's value is not resolved by the rule.
# todoruleid: aws-s3-bucket-versioning-not-enabled
resource "aws_s3_bucket" "this" {
  bucket = var.bucket
  acl    = "private"
  versioning {
    enabled = var.enabled
  }
}

# Default used by the "this" bucket above; the rule does not read this value
# when matching `enabled = var.$X`.
variable "enabled" {
  default=true
}