Insecure service configuration - Bucket - Cloudformation


Need

Enabling secure service configuration for S3 buckets


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS native service to manage infrastructure as code

Description

Insecure Code Example

Resources:
  InsecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-insecure-bucket
      AccessControl: Private
      Tags:
        - Key: Name
          Value: My bucket
        - Key: Environment
          Value: Dev

This CloudFormation template creates a private S3 bucket but does not enable versioning. Without versioning, deleted or overwritten objects cannot be recovered, making the bucket vulnerable to accidental or malicious data loss.

Steps

  1. Enable versioning for the S3 bucket
  2. Add the `VersioningConfiguration` block to the bucket definition
  3. Set the `Status` attribute to `Enabled`

Secure Code Example

Resources:
  SecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-secure-bucket
      AccessControl: Private
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: My bucket
        - Key: Environment
          Value: Dev

This CloudFormation template creates the same S3 bucket but includes the VersioningConfiguration block with Status set to Enabled. This helps protect against data loss by preserving previous object versions.
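As an added example (not part of the original page), the check below scans a CloudFormation template for AWS::S3::Bucket resources that lack VersioningConfiguration with Status Enabled, then applies the remediation steps above. It uses constructed JSON equivalents of the page's YAML templates as sample input (CloudFormation accepts JSON templates, and this avoids needing a YAML parser that understands intrinsic tags); the SuspendedBucket and LogGroup resources are constructed to exercise the edge cases.

```python
import json

# Constructed sample input: JSON form of the page's insecure template plus two
# extra resources (a bucket with versioning Suspended, and a non-bucket resource).
INSECURE_TEMPLATE = json.dumps({
    "Resources": {
        "InsecureBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "my-insecure-bucket",
                           "AccessControl": "Private"},
        },
        "SuspendedBucket": {  # constructed: block present but versioning is off
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Suspended"}},
        },
        "LogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
    }
})


def find_unversioned_buckets(template_text):
    """Return logical IDs of AWS::S3::Bucket resources whose
    VersioningConfiguration.Status is not 'Enabled' (missing or Suspended)."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue  # only S3 buckets are in scope for this check
        props = resource.get("Properties") or {}
        versioning = props.get("VersioningConfiguration") or {}
        if versioning.get("Status") != "Enabled":
            findings.append(logical_id)
    return sorted(findings)


def enable_versioning(template_text):
    """Apply the remediation steps: add a VersioningConfiguration block with
    Status Enabled to every flagged bucket and return the fixed template text."""
    template = json.loads(template_text)
    for logical_id in find_unversioned_buckets(template_text):
        resource = template["Resources"][logical_id]
        props = resource.get("Properties") or {}
        props["VersioningConfiguration"] = {"Status": "Enabled"}
        resource["Properties"] = props
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print("unversioned:", find_unversioned_buckets(INSECURE_TEMPLATE))
    print("after fix:", find_unversioned_buckets(enable_versioning(INSECURE_TEMPLATE)))
```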


References

  • 335 - Insecure service configuration - Bucket

  • Last updated

    2025/04/04