S3 buckets can be in three states related to versioning:
- unversioned (the default)
- versioning-enabled
- versioning-suspended
When the S3 bucket is unversioned or has versioning suspended, a new version of an object overwrites the existing one in the S3 bucket.
This can lead to unintentional or intentional information loss.
Ask Yourself Whether
- The S3 bucket stores sensitive information that is required to be preserved in the long term.
- The S3 bucket grants write permission to many users.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to enable S3 versioning so that earlier versions of an object can be retrieved and restored.
Sensitive Code Example
Versioning is disabled by default, so a bucket resource without a VersioningConfiguration property is unversioned:

    Type: 'AWS::S3::Bucket' # Sensitive
Compliant Solution
Versioning is enabled by setting VersioningConfiguration.Status to Enabled on the bucket's Properties:

    Type: 'AWS::S3::Bucket' # Compliant
    Properties: { VersioningConfiguration: { Status: Enabled } }
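As an added example (not part of the rule text and not SonarSource's own checker), the following Python check applies this rule to a parsed CloudFormation template: it reports every AWS::S3::Bucket whose VersioningConfiguration.Status is missing (unversioned) or not Enabled (for example Suspended). The JSON templates, logical IDs and function name are constructed for this demonstration.

```python
"""Flag CloudFormation S3 buckets that are not versioning-enabled (constructed example)."""
import json
from typing import Any


def bucket_versioning_findings(template: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (logical_id, reason) for every AWS::S3::Bucket whose
    VersioningConfiguration.Status is not 'Enabled'.

    Both risky states from the rule text are reported: no VersioningConfiguration
    at all (unversioned, the default) and an explicit Status other than 'Enabled'
    (such as 'Suspended'). Other resource types are ignored.
    """
    findings: list[tuple[str, str]] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        status = (props.get("VersioningConfiguration") or {}).get("Status")
        if status is None:
            findings.append((logical_id, "no VersioningConfiguration (unversioned by default)"))
        elif status != "Enabled":
            findings.append((logical_id, f"VersioningConfiguration.Status is {status!r}"))
    return findings


# Constructed JSON templates mirroring the YAML fragments in the rule text.
SENSITIVE_TEMPLATE = json.loads("""
{ "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": { "Type": "AWS::S3::Bucket" },
    "ArchiveBucket": { "Type": "AWS::S3::Bucket",
      "Properties": { "VersioningConfiguration": { "Status": "Suspended" } } } } }
""")

COMPLIANT_TEMPLATE = json.loads("""
{ "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": { "Type": "AWS::S3::Bucket",
      "Properties": { "VersioningConfiguration": { "Status": "Enabled" } } },
    "Queue": { "Type": "AWS::SQS::Queue" } } }
""")

if __name__ == "__main__":
    for name, tpl in (("sensitive", SENSITIVE_TEMPLATE), ("compliant", COMPLIANT_TEMPLATE)):
        for logical_id, reason in bucket_versioning_findings(tpl):
            print(f"{name}: {logical_id}: {reason}")
```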