
Metadata

Id: 7814ddda-e758-4a56-8be3-289a81ded929

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Observability

Description

Cloud Storage buckets should have object versioning enabled so that accidental or malicious deletions and overwrites can be recovered by restoring a prior object generation. In Ansible, any task that uses the google.cloud.gcp_storage_bucket module (or its short name gcp_storage_bucket) must define the versioning parameter and set versioning.enabled to true (a YAML boolean spelling such as yes is equivalent, as in the compliant example below). Tasks that omit the versioning parameter entirely, or that set versioning.enabled to false, are flagged.

Secure configuration example:

- name: Create GCS bucket with versioning
  google.cloud.gcp_storage_bucket:
    name: my-bucket
    versioning:
      enabled: true

Compliant Code Examples

- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    versioning:
      enabled: yes

Non-Compliant Code Examples

---
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a second bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    versioning:
      enabled: no
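The following Python checker is an added illustration of the rule described above; it is not Datadog's scanner and not part of the google.cloud collection. It walks a parsed Ansible playbook (plays, task files and blocks), finds tasks that call either module name, and reports the two failure modes the page lists: the versioning parameter missing, or versioning.enabled not true. Because PyYAML follows YAML 1.1 and turns `yes`/`no` into booleans while a YAML 1.2 loader would keep them as strings, the check normalises both spellings. The sample playbook is constructed inline to mirror the compliant and non-compliant tasks on this page; `load_playbook` is a hypothetical helper for reading a real file.

```python
"""Flag Ansible tasks that create GCS buckets without object versioning.

Added example for this rule, not Datadog's own scanner. The sample playbook
below is constructed to mirror the tasks shown on this page.
"""

# Both spellings the rule recognises: FQCN and legacy short module name.
BUCKET_MODULES = {"gcp_storage_bucket", "google.cloud.gcp_storage_bucket"}
# YAML 1.1 / Ansible truthy spellings; a YAML 1.2 loader keeps yes/no as strings.
TRUTHY = {"true", "yes", "on", "1"}
# Keys whose value is a list of nested tasks (plays, blocks, handlers).
TASK_LIST_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                  "block", "rescue", "always")


def is_truthy(value):
    """Normalise bool / int / YAML-style string booleans to a Python bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        # A Jinja expression such as "{{ versioning }}" cannot be resolved
        # statically and is treated as not-true (conservative).
        return value.strip().lower() in TRUTHY
    return False


def iter_tasks(items):
    """Yield every leaf task dict, descending into plays and blocks."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = False
        for key in TASK_LIST_KEYS:
            if isinstance(item.get(key), list):
                nested = True
                yield from iter_tasks(item[key])
        if not nested:
            yield item


def check_task(task):
    """Return a finding string, or None if the task is compliant or unrelated."""
    module = next((k for k in task if k in BUCKET_MODULES), None)
    if module is None:
        return None
    # Free-form (string) module args carry no versioning block at all.
    args = task[module] if isinstance(task[module], dict) else {}
    name = task.get("name", "<unnamed task>")
    versioning = args.get("versioning")
    if not isinstance(versioning, dict) or "enabled" not in versioning:
        return f"{name}: versioning parameter missing"
    if not is_truthy(versioning["enabled"]):
        return f"{name}: versioning.enabled is not true"
    return None


def check_playbook(playbook):
    """Return the list of findings for a parsed playbook or task file."""
    return [f for f in (check_task(t) for t in iter_tasks(playbook)) if f]


def load_playbook(path):
    """Hypothetical loader for a real file; needs PyYAML (yaml.safe_load)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed sample: one compliant task (YAML "yes"), one missing the
# parameter, one with enabled set to false via the short module name.
SAMPLE_PLAYBOOK = [
    {"name": "create a bucket",
     "google.cloud.gcp_storage_bucket": {
         "name": "ansible-storage-module", "project": "test_project",
         "state": "present", "versioning": {"enabled": "yes"}}},
    {"name": "create a bucket without versioning",
     "google.cloud.gcp_storage_bucket": {
         "name": "ansible-storage-module", "project": "test_project",
         "state": "present"}},
    {"name": "create a second bucket",
     "gcp_storage_bucket": {
         "name": "ansible-storage-module", "state": "present",
         "versioning": {"enabled": False}}},
]

if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_PLAYBOOK):
        print(finding)
```

Run as a script it prints one line per non-compliant task; wire `check_playbook(load_playbook(path))` into a pre-commit hook or CI job to catch the misconfiguration before the bucket is created.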