terraform.aws.best-practice.aws-s3-object-lock-not-enabled.aws-s3-object-lock-not-enabled

Author: semgrep

The AWS S3 object lock is not enabled. Consider using it if possible.


Definition

rules:
  - id: aws-s3-object-lock-not-enabled
    patterns:
      - pattern-either:
          - pattern: |
              resource "aws_s3_bucket" $ANYTHING {
                ...
                object_lock_configuration = {
                  object_lock_enabled = "Disabled"
                }
                ...
              }
          - pattern: |
              resource "aws_s3_bucket" $ANYTHING {
                ...
                object_lock_configuration {
                  object_lock_enabled = "Disabled"
                }
                ...
              }
    message: The AWS S3 object lock is not enabled. Consider using it if possible.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

aws-s3-object-lock-not-enabled.tf

# pass

resource "aws_s3_bucket" "enabled_via_object" {
  bucket = "test-bucket"
  acl    = "private"

  object_lock_configuration = {
    object_lock_enabled = "Enabled"
  }
}

resource "aws_s3_bucket" "enabled_via_block" {
  bucket = "test-bucket"
  acl    = "private"

  object_lock_configuration {
    object_lock_enabled = "Enabled"
  }
}

# failure
# ruleid: aws-s3-object-lock-not-enabled
resource "aws_s3_bucket" "disabled_via_object" {
  bucket = "test-bucket"
  acl    = "private"

  object_lock_configuration = {
    object_lock_enabled = "Disabled"
  }
}
# ruleid: aws-s3-object-lock-not-enabled
resource "aws_s3_bucket" "disabled_via_block" {
  bucket = "test-bucket"
  acl    = "private"

  object_lock_configuration {
    object_lock_enabled = "Disabled"
  }
}

# unknown

resource "aws_s3_bucket" "default" {
  bucket = "test-bucket"
  acl    = "private"
}
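Two things worth noting about the rule above before fixing a finding. First, it only matches an explicit `object_lock_enabled = "Disabled"`; a bucket with no `object_lock_configuration` block at all (the "unknown" case in the test file) produces no finding, so the rule catches a deliberate opt-out rather than the absence of Object Lock. Second, the string form `object_lock_enabled = "Enabled"` matched by the rule is the older AWS provider syntax; in AWS provider v4 and later, Object Lock is turned on with a top-level boolean on the bucket and the retention policy lives in a separate `aws_s3_bucket_object_lock_configuration` resource, and Object Lock requires bucket versioning. The configuration below is an added example of that remediated form, not part of the Semgrep rule or its test file; the bucket name, resource labels and 30-day retention are placeholders chosen for illustration.

```hcl
# Added example, not from the rule or its test file. Remediated form for
# AWS provider v4+: Object Lock enabled on the bucket, versioning turned on,
# and a default retention rule in its own resource. Names are placeholders.
resource "aws_s3_bucket" "locked" {
  bucket              = "example-locked-bucket" # placeholder bucket name
  object_lock_enabled = true                    # enables S3 Object Lock
}

# Object Lock depends on versioning: every retained object is a version.
resource "aws_s3_bucket_versioning" "locked" {
  bucket = aws_s3_bucket.locked.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default retention applied to new object versions. COMPLIANCE mode cannot be
# shortened or removed by any principal until the period expires; GOVERNANCE
# mode can be overridden by principals granted s3:BypassGovernanceRetention,
# so pick the mode that matches the threat you are defending against.
resource "aws_s3_bucket_object_lock_configuration" "locked" {
  bucket = aws_s3_bucket.locked.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 30 # placeholder retention period
    }
  }
  depends_on = [aws_s3_bucket_versioning.locked]
}
```

Running the rule against this file yields no finding, as expected, because no `object_lock_configuration` block with `"Disabled"` is present. Since the rule also stays silent for buckets that simply omit Object Lock, a policy that requires it on specific buckets (backups, audit logs) is better enforced with a rule or policy check that asserts `object_lock_enabled = true` is present, rather than relying on this opt-out detector alone.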