Insecure service configuration - Bucket - cloudformation

Need

Enabling secure service configuration for S3 buckets

Context

  • Usage of CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS native service to manage infrastructure as code

Description

Non compliant code

        Resources:
          InsecureBucket:
            Type: AWS::S3::Bucket
            Properties:
              BucketName: my-insecure-bucket
              AccessControl: Private
              # No VersioningConfiguration: overwritten or deleted objects cannot be recovered
              Tags:
                - Key: Name
                  Value: My bucket
                - Key: Environment
                  Value: Dev

This CloudFormation template creates a private S3 bucket but does not enable versioning. Without versioning, deleted or overwritten objects cannot be recovered, making the bucket vulnerable to accidental or malicious data loss.

Steps

Compliant code

        Resources:
          SecureBucket:
            Type: AWS::S3::Bucket
            Properties:
              BucketName: my-secure-bucket
              AccessControl: Private
              # Versioning keeps previous object versions, so overwrites and deletes are recoverable
              VersioningConfiguration:
                Status: Enabled
              Tags:
                - Key: Name
                  Value: My bucket
                - Key: Environment
                  Value: Dev

This CloudFormation template creates the same S3 bucket but includes the VersioningConfiguration block with Status set to Enabled. This helps protect against data loss by preserving previous object versions.
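The following policy-as-code check is an added example, not code from the original page: it walks a parsed CloudFormation template and reports every AWS::S3::Bucket whose VersioningConfiguration is missing or whose Status is anything other than Enabled (including Suspended). The templates are constructed JSON equivalents of the two YAML templates above, so the check runs with the standard library only; a YAML template would first need a YAML loader.

```python
"""Flag S3 buckets in a CloudFormation template without versioning Enabled."""
import json


def unversioned_buckets(template: dict) -> list:
    """Return logical IDs of AWS::S3::Bucket resources that are not versioned."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        versioning = props.get("VersioningConfiguration") or {}
        # Status may be absent, "Suspended", or otherwise not "Enabled"
        if versioning.get("Status") != "Enabled":
            findings.append(logical_id)
    return findings


# Constructed JSON form of the page's non-compliant template.
INSECURE_TEMPLATE = json.loads("""
{"Resources": {"InsecureBucket": {"Type": "AWS::S3::Bucket",
  "Properties": {"BucketName": "my-insecure-bucket", "AccessControl": "Private",
    "Tags": [{"Key": "Name", "Value": "My bucket"},
             {"Key": "Environment", "Value": "Dev"}]}}}}
""")

# Constructed JSON form of the page's compliant template.
SECURE_TEMPLATE = json.loads("""
{"Resources": {"SecureBucket": {"Type": "AWS::S3::Bucket",
  "Properties": {"BucketName": "my-secure-bucket", "AccessControl": "Private",
    "VersioningConfiguration": {"Status": "Enabled"},
    "Tags": [{"Key": "Name", "Value": "My bucket"},
             {"Key": "Environment", "Value": "Dev"}]}}}}
""")

# Constructed edge case: the block is present but versioning was suspended.
SUSPENDED_TEMPLATE = json.loads("""
{"Resources": {"SuspendedBucket": {"Type": "AWS::S3::Bucket",
  "Properties": {"VersioningConfiguration": {"Status": "Suspended"}}},
  "Queue": {"Type": "AWS::SQS::Queue"}}}
""")

if __name__ == "__main__":
    for name, tpl in [("insecure", INSECURE_TEMPLATE),
                      ("secure", SECURE_TEMPLATE),
                      ("suspended", SUSPENDED_TEMPLATE)]:
        print(name, "->", unversioned_buckets(tpl))
```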
