Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00


When object versioning is enabled on a Google Cloud Storage (GCS) bucket, the bucket keeps the noncurrent versions of an object when it is overwritten or deleted, which protects against accidental deletion. A specific version can still be deleted by specifying the generation number of that object version in the request.
Object versioning cannot be enabled on a bucket that has a retention policy. A retention policy ensures that an object is retained for a set period of time even if a request is made to delete or replace it. A retention policy therefore locks the single current version of an object in the bucket, whereas object versioning retains several versions of the same object.
== Ask Yourself Whether
* The bucket stores data that must remain available, including after an accidental deletion or overwrite.
There is a risk if you answered yes to this question.
== Recommended Secure Coding Practices
It is recommended to enable GCS bucket versioning so that earlier versions of an object can be retrieved and restored.
== Sensitive Code Example
Versioning is disabled by default:
[source,terraform]
----
resource "google_storage_bucket" "example" { # Sensitive
  name     = "example"
  location = "US"
}
----
== Compliant Solution
Versioning is enabled:
[source,terraform]
----
resource "google_storage_bucket" "example" {
  name     = "example"
  location = "US"

  versioning {
    enabled = true
  }
}
----
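The following is an added example, not part of this rule description and not the analyzer's own implementation: it applies the same check as the Sensitive and Compliant snippets above to the JSON produced by `terraform show -json <planfile>`, reporting every managed `google_storage_bucket` whose `versioning` block is missing, empty, or has `enabled` set to anything other than `true`, in the root module and in child modules. The plan document embedded below is constructed for the example and trimmed to the attributes the check needs.

```python
"""Flag google_storage_bucket resources whose object versioning is not enabled.

Added example (not part of the rspec page or the SonarSource analyzer): it walks
the `planned_values` tree of a `terraform show -json` plan and reports each bucket
that lacks `versioning { enabled = true }`. The sample plan is constructed.
"""
import json

# Constructed sample plan: four buckets plus a data source that must be ignored.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "google_storage_bucket.logs", "mode": "managed",
         "type": "google_storage_bucket", "name": "logs",
         "values": {"name": "logs", "location": "US"}},
        {"address": "google_storage_bucket.archive", "mode": "managed",
         "type": "google_storage_bucket", "name": "archive",
         "values": {"name": "archive", "location": "EU",
                    "versioning": [{"enabled": false}]}},
        {"address": "google_storage_bucket.example", "mode": "managed",
         "type": "google_storage_bucket", "name": "example",
         "values": {"name": "example", "location": "US",
                    "versioning": [{"enabled": true}]}},
        {"address": "data.google_storage_bucket.shared", "mode": "data",
         "type": "google_storage_bucket", "name": "shared",
         "values": {"name": "shared", "location": "US"}}
      ],
      "child_modules": [
        {"address": "module.data",
         "resources": [
           {"address": "module.data.google_storage_bucket.raw", "mode": "managed",
            "type": "google_storage_bucket", "name": "raw",
            "values": {"name": "raw", "location": "US", "versioning": []}}
         ]}
      ]
    }
  }
}
"""


def _walk_modules(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def versioning_enabled(values):
    """True only when the bucket's versioning block exists and has enabled == true.

    In plan JSON a nested block appears as a list of objects (possibly empty);
    a dict is accepted too, in case the input is a plain resource values object.
    """
    block = values.get("versioning")
    if isinstance(block, list):
        block = block[0] if block else None
    if not isinstance(block, dict):
        return False
    return block.get("enabled") is True


def unversioned_buckets(plan):
    """Return the addresses of managed GCS buckets without versioning enabled."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _walk_modules(root):
        if res.get("mode") != "managed" or res.get("type") != "google_storage_bucket":
            continue  # data sources and other resource types are out of scope
        if not versioning_enabled(res.get("values", {})):
            findings.append(res["address"])
    return findings


def scan_sample():
    """Run the check against the constructed plan above."""
    return unversioned_buckets(json.loads(SAMPLE_PLAN_JSON))


if __name__ == "__main__":
    for address in scan_sample():
        print(f"{address}: Make sure using an unversioned GCS bucket is safe here.")
```

Only `google_storage_bucket.example` passes; the bucket with no `versioning` block, the one with an empty block and the one with `enabled = false` are all reported, and the `data` source is skipped because it does not create a bucket.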
== See
* https://cloud.google.com/storage/docs/object-versioning?hl=en[GCP documentation] - Object Versioning
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure using an unversioned GCS bucket is safe here.
endif::env-github,rspecator-view[]