S3 bucket without versioning
Id: cloudformation-aws-s3-bucket-without-versioning
Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Backup

Description
S3 buckets should have object versioning enabled to protect data from accidental or malicious deletion. Versioning also preserves prior object states for recovery and auditing.
In CloudFormation, AWS::S3::Bucket resources must include Properties.VersioningConfiguration.Status set to Enabled. Resources that omit VersioningConfiguration, or have VersioningConfiguration.Status set to Suspended, will be flagged.
Secure configuration example:
MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: my-bucket
    VersioningConfiguration:
      Status: Enabled
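
The check described above can be reproduced locally against a JSON template before it reaches the scanner. The following is an added example, not Datadog's rule implementation: the function name `find_unversioned_buckets` and the sample template are constructed for illustration, and treating any `Status` other than the literal string `Enabled` (including an unresolved intrinsic function) as a finding is an assumption.

```python
import json

# Constructed sample template (not one of the page's examples): one resource per case.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "EnabledBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Enabled"}},
        },
        "SuspendedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Suspended"}},
        },
        "NoVersioningBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "NoPropertiesBucket": {"Type": "AWS::S3::Bucket"},
        "BackupRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
})


def find_unversioned_buckets(template_text):
    """Return sorted (logical_id, reason) pairs for buckets the rule would flag."""
    resources = json.loads(template_text).get("Resources") or {}
    findings = []
    for logical_id, resource in resources.items():
        # Only AWS::S3::Bucket resources are in scope for this rule.
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        versioning = props.get("VersioningConfiguration")
        if not isinstance(versioning, dict):
            findings.append((logical_id, "VersioningConfiguration is missing"))
            continue
        status = versioning.get("Status")
        if status != "Enabled":
            # Assumption: anything other than the literal "Enabled" is reported,
            # which covers Suspended and a Status that cannot be resolved statically.
            findings.append((logical_id, f"Status is {status!r}, expected 'Enabled'"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, reason in find_unversioned_buckets(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```
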

Compliant Code Examples

Resources:
  RecordServiceS3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        Role:
          'Fn::GetAtt':
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              Bucket:
                'Fn::Join':
                  - ''
                  - - 'arn:aws:s3:::'
                    - 'Fn::Join':
                        - '-'
                        - - Ref: 'AWS::Region'
                          - Ref: 'AWS::StackName'
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ''
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled

{
  "Resources": {
    "RecordServiceS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "ReplicationConfiguration": {
          "Rules": [
            {
              "Id": "Backup",
              "Prefix": "",
              "Status": "Enabled",
              "Destination": {
                "Bucket": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Fn::Join": [
                          "-",
                          [
                            {
                              "Ref": "AWS::Region"
                            },
                            {
                              "Ref": "AWS::StackName"
                            },
                            "replicationbucket"
                          ]
                        ]
                      }
                    ]
                  ]
                },
                "StorageClass": "STANDARD"
              }
            }
          ],
          "Role": {
            "Fn::GetAtt": [
              "WorkItemBucketBackupRole",
              "Arn"
            ]
          }
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  RecordServiceS3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        Role:
          'Fn::GetAtt':
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              Bucket:
                'Fn::Join':
                  - ''
                  - - 'arn:aws:s3:::'
                    - 'Fn::Join':
                        - '-'
                        - - Ref: 'AWS::Region'
                          - Ref: 'AWS::StackName'
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ''
            Status: Enabled

Resources:
  RecordServiceS3Bucket2:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        Role:
          'Fn::GetAtt':
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              Bucket:
                'Fn::Join':
                  - ''
                  - - 'arn:aws:s3:::'
                    - 'Fn::Join':
                        - '-'
                        - - Ref: 'AWS::Region'
                          - Ref: 'AWS::StackName'
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ''
            Status: Enabled
      VersioningConfiguration:
        Status: Suspended

{
  "Resources": {
    "RecordServiceS3Bucket": {
      "Properties": {
        "ReplicationConfiguration": {
          "Role": {
            "Fn::GetAtt": [
              "WorkItemBucketBackupRole",
              "Arn"
            ]
          },
          "Rules": [
            {
              "Id": "Backup",
              "Prefix": "",
              "Status": "Enabled",
              "Destination": {
                "Bucket": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Fn::Join": [
                          "-",
                          [
                            {
                              "Ref": "AWS::Region"
                            },
                            {
                              "Ref": "AWS::StackName"
                            },
                            "replicationbucket"
                          ]
                        ]
                      }
                    ]
                  ]
                },
                "StorageClass": "STANDARD"
              }
            }
          ]
        }
      },
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain"
    }
  }
}