Json Yaml Bucket Versioning Disabled
Description
Detects AWS S3 buckets defined in CloudFormation templates that have versioning disabled or not explicitly enabled. Without versioning enabled, S3 buckets cannot recover from accidental deletions or overwrites of objects, which could lead to data loss.
Detection Strategy
• Scans CloudFormation template files for S3 bucket resource definitions
• Checks if the resource type is 'AWS::S3::Bucket'
• Analyzes the bucket configuration properties to determine if versioning is disabled or missing
• Reports a vulnerability when an S3 bucket is found without versioning enabled in its properties
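The four steps above, implemented as an added example (not Fluid Attacks' own scanner code): a small Python checker that walks the Resources section of an already-parsed CloudFormation template, keeps only AWS::S3::Bucket resources, and reports any bucket whose VersioningConfiguration is missing or whose Status is not Enabled. The template below is constructed for the example; it is JSON so the standard library can load it, but the check works on any dict, so a YAML template loaded with a CloudFormation-aware YAML parser (an assumption about the caller's tooling) can be passed in the same way.

```python
import json

# Constructed sample template: one explicitly suspended bucket, one bucket
# with no VersioningConfiguration at all, one correctly configured bucket,
# and one non-bucket resource that the check must ignore.
TEMPLATE_JSON = """
{
  "Resources": {
    "SuspendedBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "suspended-example",
        "VersioningConfiguration": {"Status": "Suspended"}
      }
    },
    "NoVersioningBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "no-versioning-example"}
    },
    "SafeBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "VersioningConfiguration": {"Status": "Enabled"}
      }
    },
    "NotABucket": {
      "Type": "AWS::SQS::Queue",
      "Properties": {}
    }
  }
}
"""


def find_buckets_without_versioning(template: dict) -> list:
    """Return (logical_id, reason) pairs for every S3 bucket in the template
    whose versioning is not explicitly enabled."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        # Step 2: only AWS::S3::Bucket resources are in scope.
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::S3::Bucket":
            continue
        # Step 3: inspect the bucket properties for VersioningConfiguration.
        props = resource.get("Properties") or {}
        versioning = props.get("VersioningConfiguration")
        if not isinstance(versioning, dict):
            # Absent configuration means versioning is off (the S3 default).
            findings.append((logical_id, "VersioningConfiguration missing"))
        elif versioning.get("Status") != "Enabled":
            # Any value other than Enabled (e.g. Suspended) leaves objects unprotected.
            findings.append(
                (logical_id, "VersioningConfiguration.Status is %r" % versioning.get("Status"))
            )
    # Step 4: the caller reports each finding.
    return findings


def scan_template_text(text: str) -> list:
    """Step 1: load a JSON CloudFormation template and run the check on it."""
    return find_buckets_without_versioning(json.loads(text))


if __name__ == "__main__":
    for logical_id, reason in scan_template_text(TEMPLATE_JSON):
        print("%s: %s" % (logical_id, reason))
```

Running the block prints one line per finding; SafeBucket and NotABucket produce nothing. Treating a missing VersioningConfiguration as a finding, not only an explicit Suspended status, is what makes the check match the description above ("disabled or not explicitly enabled").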
Vulnerable code example
Resources:
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: vulnerable-bucket
      VersioningConfiguration:
        Status: Suspended # Vulnerable: S3 versioning is explicitly disabled
...
✅ Secure code example
Resources:
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: vulnerable-bucket
      VersioningConfiguration:
        Status: Enabled # Secure: Enable versioning to protect against accidental/malicious deletions
...