S3 bucket without versioning
Id: 9232306a-f839-40aa-b3ef-b352001da9a5
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Backup
Description
S3 buckets must have versioning enabled to protect objects from accidental or malicious deletion and retain prior versions for recovery, forensics, and compliance. For Ansible tasks using the amazon.aws.s3_bucket or s3_bucket modules, the versioning property must be defined and set to true. When omitted, the module defaults to versioning disabled. This rule flags tasks where the versioning key is missing or explicitly set to false.
Secure configuration example:
- name: Ensure S3 bucket with versioning enabled
  amazon.aws.s3_bucket:
    name: my-bucket
    versioning: true
Compliant Code Examples
- name: foo
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy: "{{ lookup('file','policy.json') }}"
    requester_pays: yes
    versioning: yes
    tags:
      example: tag1
      another: tag2
Non-Compliant Code Examples
---
- name: foo
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy: "{{ lookup('file','policy.json') }}"
    requester_pays: yes
    tags:
      example: tag1
      another: tag2
- name: foo2
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy: "{{ lookup('file','policy.json') }}"
    requester_pays: yes
    versioning: no
    tags:
      example: tag1
      another: tag2
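The following is an added example, not part of the original page or the KICS project's own query, of a small checker that applies this rule to a parsed playbook: it walks plays, blocks and tasks, and flags any amazon.aws.s3_bucket or s3_bucket task whose versioning key is missing or set to a false value (including Ansible spellings such as "no"). It assumes the playbook has already been loaded into Python structures (for example with yaml.safe_load) and uses a constructed sample mirroring the tasks above.

```python
# Module names this rule applies to (FQCN and short name, as on the page).
S3_BUCKET_MODULES = ("amazon.aws.s3_bucket", "s3_bucket")
# Spellings Ansible's boolean conversion treats as true (case-insensitive).
TRUE_VALUES = {"true", "yes", "on", "1", "y", "t"}
# Keys under which a play or block nests further tasks.
TASK_LIST_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def is_truthy(value):
    """Interpret a versioning value the way Ansible converts booleans."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_VALUES


def iter_tasks(items, path="playbook"):
    """Yield (location, item) for every play, block and task, recursively."""
    for idx, item in enumerate(items if isinstance(items, list) else []):
        if not isinstance(item, dict):
            continue
        loc = f"{path}[{idx}]"
        for key in TASK_LIST_KEYS:
            yield from iter_tasks(item.get(key), f"{loc}.{key}")
        yield loc, item


def find_unversioned_buckets(playbook):
    """Return (task name or location, reason) for each s3_bucket task that omits versioning or disables it."""
    findings = []
    for loc, task in iter_tasks(playbook):
        for module in S3_BUCKET_MODULES:
            if module not in task:
                continue
            args = task[module] if isinstance(task[module], dict) else {}
            label = str(task.get("name", loc))
            if "versioning" not in args:
                findings.append((label, "versioning not set (module default is disabled)"))
            elif not is_truthy(args["versioning"]):
                findings.append((label, f"versioning set to {args['versioning']!r}"))
    return findings


# Constructed sample: what yaml.safe_load would return for the page's examples
# (the "yes" on the compliant task becomes True), plus a block to show nesting.
SAMPLE_PLAYBOOK = [
    {"name": "foo", "amazon.aws.s3_bucket": {"name": "mys3bucket", "versioning": True}},
    {"name": "foo2", "amazon.aws.s3_bucket": {"name": "mys3bucket", "versioning": "no"}},
    {"block": [{"name": "foo3", "s3_bucket": {"name": "mys3bucket"}}]},
]
```

Running `find_unversioned_buckets(SAMPLE_PLAYBOOK)` reports foo2 (versioning set to 'no') and foo3 (versioning not set), and leaves the compliant task foo alone.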