---
title: S3 bucket without versioning
description: Datadog, the leading service for cloud-scale monitoring.
---

# S3 bucket without versioning

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `9232306a-f839-40aa-b3ef-b352001da9a5`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Backup

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning)

### Description{% #description %}

S3 buckets must have versioning enabled to protect objects from accidental or malicious deletion and retain prior versions for recovery, forensics, and compliance. For Ansible tasks using the `amazon.aws.s3_bucket` or `s3_bucket` modules, the `versioning` property must be defined and set to `true`. When omitted, the module defaults to versioning disabled. This rule flags tasks where the `versioning` key is missing or explicitly set to `false`.

Secure configuration example:

```yaml
- name: Ensure S3 bucket with versioning enabled
  amazon.aws.s3_bucket:
    name: my-bucket
    versioning: true
```
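
The check described above can be sketched in a few lines. This is an added example, not Datadog's rule implementation: the function names and the sample tasks are hypothetical, and reporting a templated `versioning` value as unresolved is an assumption that goes beyond the two cases the rule describes.

```python
# Added example: a minimal re-implementation of the check described above.
# Input is the task list that yaml.safe_load() would return for a playbook
# (PyYAML already turns unquoted yes/no into True/False).

S3_MODULES = ("amazon.aws.s3_bucket", "s3_bucket")
TRUTHY = {"yes", "true", "on", "1"}   # quoted strings Ansible reads as true
FALSY = {"no", "false", "off", "0"}   # quoted strings Ansible reads as false


def versioning_state(value):
    """Classify a `versioning` value as 'enabled', 'disabled' or 'unknown'."""
    if isinstance(value, bool):
        return "enabled" if value else "disabled"
    text = str(value).strip().lower()
    if text in TRUTHY:
        return "enabled"
    if text in FALSY:
        return "disabled"
    return "unknown"  # e.g. a Jinja2 expression resolved only at run time


def find_unversioned_buckets(tasks):
    """Return (task name, reason) for each S3 bucket task that fails the check."""
    findings = []
    for task in tasks:
        for module in S3_MODULES:
            args = task.get(module)
            if not isinstance(args, dict):
                continue  # not an S3 bucket task, or free-form arguments
            name = task.get("name", "<unnamed>")
            if "versioning" not in args:
                findings.append((name, "versioning is missing"))
            else:
                state = versioning_state(args["versioning"])
                if state == "disabled":
                    findings.append((name, "versioning is set to false"))
                elif state == "unknown":
                    findings.append((name, "versioning cannot be resolved statically"))
    return findings


# Constructed sample, modelled on this page's example tasks plus one templated value.
SAMPLE_TASKS = [
    {"name": "foo", "amazon.aws.s3_bucket": {"name": "mys3bucket", "requester_pays": True}},
    {"name": "foo2", "amazon.aws.s3_bucket": {"name": "mys3bucket", "versioning": False}},
    {"name": "ok", "amazon.aws.s3_bucket": {"name": "mys3bucket", "versioning": True}},
    {"name": "templated", "s3_bucket": {"name": "mys3bucket", "versioning": "{{ keep_versions }}"}},
]
```

Calling `find_unversioned_buckets(SAMPLE_TASKS)` reports `foo`, `foo2` and `templated`, and leaves `ok` alone.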

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: foo
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy: "{{ lookup('file','policy.json') }}"
    requester_pays: yes
    versioning: yes
    tags:
      example: tag1
      another: tag2
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: foo
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy: "{{ lookup('file','policy.json') }}"
    requester_pays: yes
    tags:
      example: tag1
      another: tag2
- name: foo2
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy: "{{ lookup('file','policy.json') }}"
    requester_pays: yes
    versioning: no
    tags:
      example: tag1
      another: tag2
```
