Ensure AWS S3 object versioning is enabled

Error: AWS S3 object versioning is disabled

Bridgecrew Policy ID: BC_AWS_S3_16
Checkov Check ID: CKV_AWS_21
Severity: HIGH

Description

S3 versioning is a managed data backup and recovery feature provided by AWS. When enabled, it allows users to retrieve and restore previous versions of the objects stored in their buckets.

S3 versioning can be used for data protection and retention scenarios, such as recovering objects that have been accidentally or intentionally deleted or overwritten.

Fix - Runtime

AWS Console

To enable versioning using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon S3 console.
  3. Select the bucket that you want to configure.
  4. Select the Properties tab.
  5. Navigate to the Permissions section.
  6. Select Edit bucket policy. If the selected bucket does not have an access policy, click Add bucket policy.
  7. Select the Versioning tab from the Properties panel, and expand the feature configuration section.
  8. To activate object versioning for the selected bucket, click Enable Versioning, then click OK. The feature status should change to versioning is currently enabled on this bucket.

Fix - Buildtime

Terraform

Resource: aws_s3_bucket
Attribute: versioning/enabled

resource "aws_s3_bucket" "state_bucket" {
  bucket        = "${data.aws_caller_identity.current.account_id}-terraform-state"
  acl           = var.acl
  force_destroy = var.force_destroy

+  versioning {
+    enabled    = true
+  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = var.sse_algorithm
      }
    }
  }

  tags = var.common_tags
}
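The following is an added example, not Checkov's own implementation of CKV_AWS_21, showing how a buildtime check for this policy can be evaluated over parsed Terraform resource attributes. The resource dictionaries are constructed by hand in the list-wrapped shape Checkov uses for parsed HCL; handling of the separate aws_s3_bucket_versioning resource (AWS provider 4.x and later) goes beyond what the page shows and is an assumption labelled in the code.

```python
"""Evaluate 'S3 object versioning enabled' over Terraform resource configs.

Added example, not Checkov's code. Configs are constructed in Checkov's
parsed-HCL shape: every attribute value is wrapped in a list and a nested
block is a list of dicts. aws_s3_bucket_versioning handling assumes the
AWS provider >= 4 resource with versioning_configuration { status = ... }.
"""

PASSED = "PASSED"
FAILED = "FAILED"


def _first(value):
    """Unwrap a list-wrapped attribute value; None if absent or empty."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def check_s3_versioning(resource_type: str, conf: dict) -> str:
    """Return PASSED only when versioning is explicitly enabled.

    aws_s3_bucket            -> versioning { enabled = true }
    aws_s3_bucket_versioning -> versioning_configuration { status = "Enabled" }
    A missing block, enabled = false, "Suspended" or an unknown type FAILS.
    """
    if resource_type == "aws_s3_bucket":
        block = _first(conf.get("versioning"))
        # Accept a parsed boolean or the literal "true" some parsers emit.
        if isinstance(block, dict) and _first(block.get("enabled")) in (True, "true"):
            return PASSED
        return FAILED
    if resource_type == "aws_s3_bucket_versioning":
        block = _first(conf.get("versioning_configuration"))
        if isinstance(block, dict) and _first(block.get("status")) == "Enabled":
            return PASSED
        return FAILED
    return FAILED


# Constructed samples: the page's state_bucket before and after the fix.
BEFORE_FIX = {"bucket": ["${data.aws_caller_identity.current.account_id}-terraform-state"],
              "acl": ["${var.acl}"]}
AFTER_FIX = dict(BEFORE_FIX, versioning=[{"enabled": [True]}])
SUSPENDED = dict(BEFORE_FIX, versioning=[{"enabled": [False]}])


def scan(resources):
    """Evaluate (name, resource_type, conf) triples; return {name: result}."""
    return {name: check_s3_versioning(rtype, conf) for name, rtype, conf in resources}


if __name__ == "__main__":
    for name, result in scan([("before", "aws_s3_bucket", BEFORE_FIX),
                              ("after", "aws_s3_bucket", AFTER_FIX)]).items():
        print(f"CKV_AWS_21 state_bucket ({name} fix): {result}")
```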
