58 lines
1.5 KiB
Plaintext
58 lines
1.5 KiB
Plaintext
S3 buckets can be versioned.
|
|
When the S3 bucket is unversioned it means that a new version of an object overwrites an existing one in the S3 bucket.
|
|
|
|
It can lead to unintentional or intentional information loss.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,javascript]
|
|
----
|
|
const s3 = require('aws-cdk-lib/aws-s3');
|
|
|
|
new s3.Bucket(this, 'id', {
|
|
bucketName: 'bucket',
|
|
versioned: false // Sensitive
|
|
});
|
|
----
|
|
The default value of `versioned` is `false` so the absence of this parameter is also sensitive.
|
|
|
|
== Compliant Solution
|
|
|
|
[source,javascript]
|
|
----
|
|
const s3 = require('aws-cdk-lib/aws-s3');
|
|
|
|
new s3.Bucket(this, 'id', {
|
|
bucketName: 'bucket',
|
|
versioned: true
|
|
});
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#versioned[AWS CDK version 2] - Using versioning in S3 buckets
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Highlighting
|
|
|
|
* If the argument is set to false: the argument assignment
|
|
* If the argument is a variable: primary the assignment of the argument, secondary the assignment of the value to the variable
|
|
* If the argument is missing: the constructor of the bucket
|
|
|
|
=== Message
|
|
|
|
* If primary: Make sure an unversioned S3 bucket is safe here.
|
|
* If secondary: Propagated setting
|
|
* If missing: Omitting the "versioned" argument disables S3 bucket versioning. Make sure it is safe here.
|
|
|
|
endif::env-github,rspecator-view[]
|