Amazon S3 buckets can be unversioned, have versioning enabled, or have versioning suspended.

Why is this an issue?

When an S3 bucket is unversioned or has versioning suspended, uploading a new object overwrites the previous one instead of preserving prior versions. The rule flags buckets without versioning enabled, including when the versioning property is omitted and defaults to disabled.

What is the potential impact?

Data loss

Objects can be permanently overwritten or deleted without the ability to restore previous versions. This can result from accidental changes, misconfiguration, or malicious activity.

Reduced availability of historical data

Buckets that store information requiring long-term preservation become vulnerable to unintentional or intentional information loss when versioning is not enabled.

How to fix it

Code examples

Versioning is disabled when the property is omitted or explicitly set to disable versioning, so new object uploads overwrite existing ones.

Noncompliant code example

Versioning is disabled by default:

resource "aws_s3_bucket" "example" { # Noncompliant
  bucket = "example"
}

Compliant solution

For AWS provider version 4 or above, versioning is enabled through a separate aws_s3_bucket_versioning resource that references the bucket:

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example-versioning" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}

For AWS provider version 3 or below, enable versioning inline on the bucket resource:

resource "aws_s3_bucket" "example" {
  bucket = "example"

  versioning {
    enabled = true
  }
}
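As an added illustration, not the rule's own implementation and not code from this page, the following Python check applies the rule's logic to a constructed Terraform snippet: it flags aws_s3_bucket resources that have neither an inline versioning block with enabled = true (provider v3) nor a matching aws_s3_bucket_versioning resource with status "Enabled" (provider v4 or above), and it treats a "Suspended" status as noncompliant just like an unversioned bucket. The regex-based block parser and the resource names in the sample are assumptions made for the demonstration.

```python
import re

# Constructed sample: an unversioned bucket, provider v3 inline versioning,
# a provider v4+ separate versioning resource, and one set to Suspended.
SAMPLE_HCL = """
resource "aws_s3_bucket" "plain" { bucket = "plain-example" }
resource "aws_s3_bucket" "legacy" {
  bucket = "legacy-example"
  versioning { enabled = true }
}
resource "aws_s3_bucket" "modern" { bucket = "modern-example" }
resource "aws_s3_bucket_versioning" "modern-versioning" {
  bucket = aws_s3_bucket.modern.id
  versioning_configuration { status = "Enabled" }
}
resource "aws_s3_bucket" "paused" { bucket = "paused-example" }
resource "aws_s3_bucket_versioning" "paused-versioning" {
  bucket = aws_s3_bucket.paused.id
  versioning_configuration { status = "Suspended" }
}
"""

# Matches a top-level resource block; one level of nested blocks (e.g. versioning_configuration { ... }) is enough here.
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}')

def parse_resources(hcl):
    """Return (type, name, body) for every top-level resource block in the HCL text."""
    return [m.groups() for m in RESOURCE_RE.finditer(hcl)]

def versioned_by_resource(resources):
    """Provider v4+: names of buckets that an aws_s3_bucket_versioning resource sets to "Enabled"."""
    names = set()
    for rtype, _, body in resources:
        ref = re.search(r'bucket\s*=\s*aws_s3_bucket\.([\w-]+)\.(?:id|bucket)\b', body)
        cfg = re.search(r'versioning_configuration\s*\{([^}]*)\}', body)
        if rtype == "aws_s3_bucket_versioning" and ref and cfg and re.search(r'status\s*=\s*"Enabled"', cfg.group(1)):
            names.add(ref.group(1))  # "Suspended" deliberately does not count
    return names

def inline_enabled(body):
    """Provider v3: a versioning { enabled = true } block inside the bucket resource itself."""
    m = re.search(r'\bversioning\s*\{([^}]*)\}', body)
    return bool(m and re.search(r'\benabled\s*=\s*true\b', m.group(1)))

def noncompliant_buckets(hcl):
    """Names of aws_s3_bucket resources with neither inline nor separate versioning enabled."""
    resources = parse_resources(hcl)
    enabled = versioned_by_resource(resources)
    return [name for rtype, name, body in resources
            if rtype == "aws_s3_bucket" and name not in enabled and not inline_enabled(body)]
```

Running noncompliant_buckets(SAMPLE_HCL) reports the "plain" bucket (no versioning at all) and the "paused" bucket (versioning suspended), while "legacy" and "modern" pass.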
