Skip to main content

Insecure service configuration - Bucket

Need

Enabling secure service configuration for S3 buckets

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

The above Terraform code creates an S3 bucket on AWS with the name "bucket-name". The bucket is configured to be private, meaning only the AWS account that created the bucket and users that have been explicitly granted permissions can access it.

However, the code is vulnerable due to the lack of versioning configuration. The S3 bucket versioning feature is not enabled. This feature allows you to preserve, retrieve, and restore every version of every object in your bucket. This is useful in protecting against both unintended user actions and application failures.

Without versioning, if an object is deleted or overwritten, there's no way to recover the previous state. This could lead to data loss in case of accidental deletion or overwriting, or malicious actions from users.

Therefore, this code is considered insecure as it does not enable the VersioningConfiguration resource for the S3 bucket.

Steps

  • Enable versioning for the S3 bucket
  • Update the 'aws_s3_bucket' resource configuration to include the 'versioning' block
  • Set the 'status' attribute in the 'versioning' block to 'Enabled'

Compliant code

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"
  acl    = "private"

  versioning {
    status = "Enabled"
  }

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

The updated code includes a versioning block within the aws_s3_bucket resource. This block is used to enable versioning for the S3 bucket. The status attribute within the versioning block is set to Enabled, which turns on versioning for the bucket.

Versioning allows you to preserve, retrieve, and restore every version of every object in your Amazon S3 bucket. This makes it easier to recover from both unintended user actions and application failures. You can use versioning to preserve, retrieve, and restore every version of every object in your bucket. With versioning, you can easily recover from both unintended user actions and application failures.

References

Last updated on