S3 bucket without versioning
Id: a227ec01-f97a-4084-91a4-47b350c1db54
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Backup
Description
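S3 buckets should have object versioning enabled to protect data from accidental or malicious deletion. With versioning enabled, an overwrite creates a new object version and a delete request without a version ID only adds a delete marker, so earlier versions remain recoverable. Versioning also preserves prior object states for recovery and auditing. Specific versions can still be permanently deleted by a principal that is allowed to delete object versions, so that permission should be tightly restricted.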
In CloudFormation, AWS::S3::Bucket resources must include Properties.VersioningConfiguration.Status set to Enabled. Resources that omit VersioningConfiguration, or have VersioningConfiguration.Status set to Suspended, will be flagged.
Secure configuration example:
# Minimal bucket definition that satisfies the rule: versioning is set explicitly.
MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: my-bucket
    # The check requires this property to be present with Status: Enabled.
    # Omitting the block, or setting Status to Suspended, gets the resource flagged.
    VersioningConfiguration:
      Status: Enabled
Compliant Code Examples
# Compliant example: a replicated bucket with object versioning enabled.
Resources:
  RecordServiceS3Bucket:
    Type: 'AWS::S3::Bucket'
    # Retain keeps the bucket when the stack is deleted. It does not protect
    # individual objects from being overwritten or deleted; versioning does that.
    DeletionPolicy: Retain
    Properties:
      # S3 replication requires versioning to be enabled on the source bucket
      # (and on the destination bucket).
      ReplicationConfiguration:
        Role:
          # WorkItemBucketBackupRole is not defined in this snippet; it is
          # presumably declared elsewhere in the template.
          'Fn::GetAtt':
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              # Resolves to arn:aws:s3:::<region>-<stack name>-replicationbucket
              Bucket:
                'Fn::Join':
                  - ''
                  - - 'arn:aws:s3:::'
                    - 'Fn::Join':
                        - '-'
                        - - Ref: 'AWS::Region'
                          - Ref: 'AWS::StackName'
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ''
            # Status of the replication rule, not of bucket versioning.
            Status: Enabled
      # This is the property the rule checks: present and set to Enabled.
      VersioningConfiguration:
        Status: Enabled
{
"Resources": {
"RecordServiceS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"ReplicationConfiguration": {
"Rules": [
{
"Id": "Backup",
"Prefix": "",
"Status": "Enabled",
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
}
}
],
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
}
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}
}
}
}
Non-Compliant Code Examples
# Non-compliant example: versioning is declared but suspended.
Resources:
  RecordServiceS3Bucket2:
    Type: 'AWS::S3::Bucket'
    # Retain keeps the bucket when the stack is deleted. It does not protect
    # individual objects from being overwritten or deleted.
    DeletionPolicy: Retain
    Properties:
      # S3 replication expects versioning to be enabled on the source bucket,
      # so pairing it with suspended versioning is inconsistent as well as
      # non-compliant.
      ReplicationConfiguration:
        Role:
          # WorkItemBucketBackupRole is not defined in this snippet; it is
          # presumably declared elsewhere in the template.
          'Fn::GetAtt':
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              # Resolves to arn:aws:s3:::<region>-<stack name>-replicationbucket
              Bucket:
                'Fn::Join':
                  - ''
                  - - 'arn:aws:s3:::'
                    - 'Fn::Join':
                        - '-'
                        - - Ref: 'AWS::Region'
                          - Ref: 'AWS::StackName'
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ''
            # Status of the replication rule, not of bucket versioning.
            Status: Enabled
      # Flagged by the rule: with Suspended, S3 stops creating new object
      # versions, so later overwrites and deletes are no longer recoverable.
      # Set Status to Enabled to remediate.
      VersioningConfiguration:
        Status: Suspended
{
"Resources": {
"RecordServiceS3Bucket": {
"Properties": {
"ReplicationConfiguration": {
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
},
"Rules": [
{
"Id": "Backup",
"Prefix": "",
"Status": "Enabled",
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
}
}
]
}
},
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
}
}
}
{
"Resources": {
"RecordServiceS3Bucket2": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"ReplicationConfiguration": {
"Rules": [
{
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
},
"Id": "Backup",
"Prefix": "",
"Status": "Enabled"
}
],
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
}
},
"VersioningConfiguration": {
"Status": "Suspended"
}
}
}
}
}