Insecure service configuration - Bucket
Need
Enabling secure service configuration for S3 buckets
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of aws-sdk for interacting with Amazon Web Services (AWS) services
Description
Non compliant code
resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
The above Terraform code creates an S3 bucket named "bucket-name". Its ACL is set to "private", so the ACL grants full control only to the bucket owner; any other principal needs permission from an IAM policy or a bucket policy.
The code is non-compliant because it does not enable bucket versioning. With versioning, S3 preserves every version of every object: an overwrite keeps the previous version as a noncurrent version, and a delete places a delete marker on top of the object instead of removing it, so both actions can be reverted.
Without versioning, an overwritten or deleted object is gone. One mistaken PutObject or DeleteObject call, an application bug, or a compromised credential with write access is enough to cause unrecoverable data loss.
Two caveats a practitioner should keep in mind: versioning alone does not stop a principal that also holds s3:DeleteObjectVersion from permanently removing versions, so where that threat matters add MFA delete or S3 Object Lock; and every retained version is billed until a lifecycle rule expires it, so pair versioning with a noncurrent-version expiration rule unless unbounded retention is intended.
Therefore, this code is considered insecure because the aws_s3_bucket resource has no versioning configuration.
Steps
- Enable versioning for the S3 bucket
- Update the 'aws_s3_bucket' resource configuration to include the 'versioning' block
- Set the 'enabled' attribute in the 'versioning' block to true (on AWS provider 4.0 and later, the inline block is deprecated: declare a separate 'aws_s3_bucket_versioning' resource whose 'versioning_configuration' block sets 'status' to "Enabled")
Compliant code
resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"
  acl    = "private"

  # Keep every object version so overwrites and deletes can be reverted.
  versioning {
    enabled = true
  }

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
The updated code adds a versioning block to the aws_s3_bucket resource and sets its enabled attribute to true, which turns on versioning for the bucket. The inline versioning block is the syntax of AWS provider 3.x (the original page's attribute name "status" is not accepted there); AWS provider 4.0 and later deprecate the inline block in favour of a separate aws_s3_bucket_versioning resource whose versioning_configuration block sets status to "Enabled", which produces the same bucket setting.
With versioning on, S3 preserves every version of every object in the bucket and lets you retrieve and restore any of them, so recovering from unintended user actions and application failures becomes a matter of restoring a previous version or removing a delete marker.
After applying, confirm the deployed state rather than trusting the plan: aws s3api get-bucket-versioning --bucket bucket-name must report "Status": "Enabled". A bucket on which versioning was never enabled returns no Status field at all (the CLI prints nothing), and "Suspended" means someone turned it off after the fact; treat both as findings.
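The compliant example uses the inline versioning block of the AWS provider 3.x series. The following is an added example, not code from the original page: the same fix written in the form AWS provider 4.0 and later expect, extended with a lifecycle rule that caps how long noncurrent versions are kept. The resource names, the bucket name and the 90-day retention window are placeholders chosen for the example.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

# New buckets default to Object Ownership "BucketOwnerEnforced", which
# disables ACLs entirely, so no aws_s3_bucket_acl resource is declared:
# access is governed by IAM and bucket policies only.

# Provider 4.0+ form of the fix: versioning lives in its own resource.
resource "aws_s3_bucket_versioning" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Versioning retains every overwritten or deleted object until something
# expires it. Expire noncurrent versions after a recovery window
# (90 days is an assumption for this example, not a value from the page).
resource "aws_s3_bucket_lifecycle_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  # Noncurrent-version rules only make sense once versioning is on.
  depends_on = [aws_s3_bucket_versioning.bucket]

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"

    # An empty filter applies the rule to every key in the bucket.
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    # Remove delete markers whose underlying versions have all expired.
    expiration {
      expired_object_delete_marker = true
    }
  }
}
```

The lifecycle rule is the part practitioners most often forget: without it, a versioned bucket that receives frequent overwrites grows without bound, and the resulting bill is what usually prompts someone to suspend versioning again. Note that the rule still leaves a 90-day window in which any mistaken overwrite or delete can be reverted; if the threat model includes an attacker with s3:DeleteObjectVersion, this configuration needs MFA delete or S3 Object Lock on top, which this example does not set.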