Terraform Versioning Status Set Disabled

Description

Detects when AWS S3 bucket versioning is explicitly disabled or suspended in Terraform configurations. Disabled versioning removes protection against accidental or malicious object deletions, making it impossible to recover previous versions of objects.

Weakness:

335 - Insecure service configuration - Bucket

Category: Functionality Abuse

Detection Strategy

    Identifies 'aws_s3_bucket_versioning' resource blocks in Terraform code

    Examines the 'versioning_configuration' block within the resource

    Checks if the 'status' parameter is set to either 'disabled' or 'suspended' (case insensitive)

    Reports a vulnerability when versioning is explicitly turned off through these configurations
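The four steps of the detection strategy, carried out as a small static check over Terraform source. This is an added example, not the page's own rule implementation or code from the scanner it documents: it locates each 'aws_s3_bucket_versioning' block with a brace-matching pass and a regular expression instead of a full HCL parser, and the Terraform snippet it runs on is constructed for the example. A 'status' that is not a string literal (a variable or expression) is skipped, since the rule only reports versioning that is explicitly turned off.

```python
import re
from dataclasses import dataclass

# Constructed Terraform input (not from the page). It covers an enabled bucket,
# a lower-case "suspended", a one-line "Disabled" block and a non-literal status.
SAMPLE_TF = r'''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_versioning" "scratch" {
  bucket = aws_s3_bucket.scratch.id

  versioning_configuration {
    status = "suspended"   # lower-case on purpose: the check is case-insensitive
  }
}

resource "aws_s3_bucket_versioning" "archive" {
  bucket = aws_s3_bucket.archive.id
  versioning_configuration { status = "Disabled" }
}

resource "aws_s3_bucket_versioning" "dynamic" {
  bucket = aws_s3_bucket.dynamic.id
  versioning_configuration {
    status = var.versioning_status   # not a literal: cannot be judged statically
  }
}
'''

# Step 1: the resource header of an aws_s3_bucket_versioning block.
RESOURCE_HEADER = re.compile(r'resource\s+"aws_s3_bucket_versioning"\s+"([^"]+)"\s*\{')
# Step 2: the nested versioning_configuration block.
VERSIONING_BLOCK = re.compile(r'versioning_configuration\s*\{')
# Step 3: a status argument given as a string literal (anchored so commented-out
# lines such as '# status = "Disabled"' are ignored).
STATUS_LITERAL = re.compile(r'^\s*status\s*=\s*"([^"]*)"', re.MULTILINE)
INSECURE_STATUSES = {"disabled", "suspended"}


@dataclass
class Finding:
    resource_name: str
    line: int
    status: str


def is_insecure_status(status):
    """Case-insensitive test for the two values the rule reports."""
    return status.lower() in INSECURE_STATUSES


def _block_body(text, open_brace_idx):
    """Return the text between the '{' at open_brace_idx and its matching '}'."""
    depth = 0
    for i in range(open_brace_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_disabled_versioning(tf_source):
    """Return one Finding per aws_s3_bucket_versioning block whose status is
    explicitly Disabled or Suspended, in source order."""
    findings = []
    for header in RESOURCE_HEADER.finditer(tf_source):
        body = _block_body(tf_source, header.end() - 1)
        block = VERSIONING_BLOCK.search(body)
        if not block:
            continue  # no versioning_configuration block: nothing explicit to report
        status_match = STATUS_LITERAL.search(_block_body(body, block.end() - 1))
        if not status_match:
            continue  # variable or expression: only explicit literals are reported
        status = status_match.group(1)
        if is_insecure_status(status):
            line = tf_source.count("\n", 0, header.start()) + 1
            findings.append(Finding(header.group(1), line, status))
    return findings


if __name__ == "__main__":
    for f in find_disabled_versioning(SAMPLE_TF):
        print(f"line {f.line}: aws_s3_bucket_versioning.{f.resource_name} "
              f"has versioning status {f.status!r}")
```

Run against the sample, the check reports the 'scratch' and 'archive' resources and stays silent on 'logs' (Enabled) and 'dynamic' (status comes from a variable). Resolving variables would require evaluating the whole module, which is why a static rule of this kind limits itself to explicit literals.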

Vulnerable code example

# Creates an S3 bucket without versioning enabled
resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  # Explicitly turning versioning off is what the rule reports;
  # "Suspended" is flagged the same way (the check is case-insensitive)
  versioning_configuration {
    status = "Disabled"
  }
}

✅ Secure code example

resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  # Versioning enabled: previous object versions can be recovered after
  # an accidental or malicious deletion or overwrite
  versioning_configuration {
    status = "Enabled"
  }
}