52 lines
1.4 KiB
Plaintext
52 lines
1.4 KiB
Plaintext
|
S3 buckets can be versioned.
|
||
|
|
When the S3 bucket is unversioned it means that a new version of an object overwrites an existing one in the S3 bucket.
|
||
|
|
|
||
|
|
It can lead to unintentional or intentional information loss.
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
[source,python]
|
||
|
|
----
|
||
|
|
bucket = s3.Bucket(self, "bucket",
|
||
|
|
versioned=False # Sensitive
|
||
|
|
)
|
||
|
|
----
|
||
|
|
The default value of `versioned` is `False` so the absence of this parameter is also sensitive.
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
[source,python]
|
||
|
|
----
|
||
|
|
bucket = s3.Bucket(self, "bucket",
|
||
|
|
versioned=True
|
||
|
|
)
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|
||
|
|
|
||
|
|
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#versioned[AWS CDK version 2] - Using versioning in S3 buckets
|
||
|
|
|
||
|
|
ifdef::env-github,rspecator-view[]
|
||
|
|
|
||
|
|
'''
|
||
|
|
== Implementation Specification
|
||
|
|
(visible only on this page)
|
||
|
|
|
||
|
|
=== Highlighting
|
||
|
|
|
||
|
|
* If the argument is set to false: the argument assignment
|
||
|
|
* If the argument is a variable: primary the assignment of the argument, secondary the assignment of the value to the variable
|
||
|
|
* If the argument is missing: the constructor of the bucket
|
||
|
|
|
||
|
|
=== Message
|
||
|
|
|
||
|
|
* If primary: Make sure an unversioned S3 bucket is safe here.
|
||
|
|
* If secondary: Propagated setting
|
||
|
|
* If missing: Omitting the "versioned" argument disables S3 bucket versioning. Make sure it is safe here.
|
||
|
|
|
||
|
|
endif::env-github,rspecator-view[]
|