Insecure service configuration - Bucket
Need
Enabling secure service configuration for S3 buckets
Context
• Usage of CloudFormation for Infrastructure as Code (IaC)
• Usage of AWS native service to manage infrastructure as code
Description
1. Non-compliant code
Resources:
  InsecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-insecure-bucket
      AccessControl: Private
      Tags:
        - Value: My bucket

This CloudFormation template creates a private S3 bucket but does not enable versioning. Without versioning, deleted or overwritten objects cannot be recovered, making the bucket vulnerable to accidental or malicious data loss.
2. Steps
• Enable versioning for the S3 bucket
• Add the `VersioningConfiguration` block to the bucket definition
• Set the `Status` attribute to `Enabled`
3. Secure code example
Resources:
  SecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-secure-bucket
      AccessControl: Private
      VersioningConfiguration:
        Status: Enabled
      Tags: ...

This CloudFormation template creates the same S3 bucket but includes the `VersioningConfiguration` block with `Status` set to `Enabled`. This helps protect against data loss by preserving previous object versions.
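As an added example (not part of the original page), the following check flags every `AWS::S3::Bucket` resource whose `VersioningConfiguration.Status` is not `Enabled`, so a template can be screened before deployment. It runs over a constructed JSON-form template that contains the two buckets above plus a `Suspended` case, which is also non-compliant because suspended versioning stops preserving new object versions.

```python
import json

# Constructed JSON-form CloudFormation template for this example: the
# insecure and secure buckets from the text plus a Suspended variant.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "InsecureBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "my-insecure-bucket", "AccessControl": "Private"}
    },
    "SuspendedBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"VersioningConfiguration": {"Status": "Suspended"}}
    },
    "SecureBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "my-secure-bucket",
        "AccessControl": "Private",
        "VersioningConfiguration": {"Status": "Enabled"}
      }
    }
  }
}
"""


def find_unversioned_buckets(template: dict) -> list:
    """Return the logical IDs of S3 bucket resources that do not have
    VersioningConfiguration.Status set to 'Enabled'."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        versioning = props.get("VersioningConfiguration") or {}
        # A missing block, a missing Status, or Status "Suspended" all leave
        # overwritten or deleted objects unrecoverable.
        if versioning.get("Status") != "Enabled":
            findings.append(logical_id)
    return findings


def check_template_text(text: str) -> list:
    """Parse a JSON CloudFormation template and run the versioning check."""
    return find_unversioned_buckets(json.loads(text))
```

Running `check_template_text(SAMPLE_TEMPLATE)` reports `InsecureBucket` and `SuspendedBucket`; `SecureBucket` passes.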
References
• 335. Insecure service configuration - Bucket