s3

Documentation

Index

• Variables

Variables

var CheckBucketsHavePublicAccessBlocks = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0094",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "specify-public-access-block",
		Summary:     "S3 buckets should each define an aws_s3_bucket_public_access_block",
		Explanation: `The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.`,
		Impact:      "Public access policies may be applied to sensitive data buckets",
		Resolution:  "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyPublicAccessBlockGoodExamples,
			BadExamples:         terraformSpecifyPublicAccessBlockBadExamples,
			Links:               terraformSpecifyPublicAccessBlockLinks,
			RemediationMarkdown: terraformSpecifyPublicAccessBlockRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationSpecifyPublicAccessBlockGoodExamples,
			BadExamples:         cloudFormationSpecifyPublicAccessBlockBadExamples,
			Links:               cloudFormationSpecifyPublicAccessBlockLinks,
			RemediationMarkdown: cloudFormationSpecifyPublicAccessBlockRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.PublicAccessBlock == nil {
				results.Add(
					"Bucket does not have a corresponding public access block.",
					&bucket,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckEnableObjectReadLogging = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0172",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "enable-object-read-logging",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"3.11"},
		},
		Summary:    "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
		Impact:     "Difficult/impossible to audit bucket object/data changes.",
		Resolution: "Enable Object-level logging for S3 buckets.",
		Explanation: `
Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html",
		},
		Severity: severity.Low,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableObjectReadLoggingGoodExamples,
			BadExamples:         terraformEnableObjectReadLoggingBadExamples,
			Links:               terraformEnableObjectReadLoggingLinks,
			RemediationMarkdown: terraformEnableObjectReadLoggingRemediationMarkdown,
		},
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if !bucket.Name.GetMetadata().IsResolvable() {
				continue
			}
			bucketName := bucket.Name.Value()
			var hasReadLogging bool
			for _, trail := range s.AWS.CloudTrail.Trails {
				for _, selector := range trail.EventSelectors {
					if selector.ReadWriteType.EqualTo("WriteOnly") {
						continue
					}
					for _, dataResource := range selector.DataResources {
						if dataResource.Type.NotEqualTo("AWS::S3::Object") {
							continue
						}
						for _, partialARN := range dataResource.Values {
							partial := partialARN.Value()
							if partial == "arn:aws:s3" {
								hasReadLogging = true
								break
							}

							if partial == fmt.Sprintf("arn:aws:s3:::%s/", bucketName) {
								hasReadLogging = true
								break
							}
						}
					}
				}
				if hasReadLogging {
					break
				}
			}
			if !hasReadLogging {
				results.Add(
					"Bucket does not have object-level read logging enabled",
					&bucket,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckEnableObjectWriteLogging = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0171",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "enable-object-write-logging",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"3.10"},
		},
		Summary:    "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
		Impact:     "Difficult/impossible to audit bucket object/data changes.",
		Resolution: "Enable Object-level logging for S3 buckets.",
		Explanation: `
Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html",
		},
		Severity: severity.Low,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableObjectWriteLoggingGoodExamples,
			BadExamples:         terraformEnableObjectWriteLoggingBadExamples,
			Links:               terraformEnableObjectWriteLoggingLinks,
			RemediationMarkdown: terraformEnableObjectWriteLoggingRemediationMarkdown,
		},
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if !bucket.Name.GetMetadata().IsResolvable() {
				continue
			}
			bucketName := bucket.Name.Value()
			var hasWriteLogging bool
			for _, trail := range s.AWS.CloudTrail.Trails {
				for _, selector := range trail.EventSelectors {
					if selector.ReadWriteType.EqualTo("ReadOnly") {
						continue
					}
					for _, dataResource := range selector.DataResources {
						if dataResource.Type.NotEqualTo("AWS::S3::Object") {
							continue
						}
						for _, partialARN := range dataResource.Values {
							partial := partialARN.Value()
							if partial == "arn:aws:s3" {
								hasWriteLogging = true
								break
							}

							if partial == fmt.Sprintf("arn:aws:s3:::%s/", bucketName) {
								hasWriteLogging = true
								break
							}
						}
					}
				}
				if hasWriteLogging {
					break
				}
			}
			if !hasWriteLogging {
				results.Add(
					"Bucket does not have object-level write logging enabled",
					&bucket,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckEncryptionCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0132",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "encryption-customer-key",
		Summary:     "S3 encryption should use Customer Managed Keys",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Enable encryption using customer managed keys",
		Explanation: `Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformCheckEncryptionCustomerKeyGoodExamples,
			BadExamples:         terraformCheckEncryptionCustomerKeyBadExamples,
			Links:               terraformCheckEncryptionCustomerKeyLinks,
			RemediationMarkdown: terraformCheckEncryptionCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationCheckEncryptionCustomerKeyGoodExamples,
			BadExamples:         cloudFormationCheckEncryptionCustomerKeyBadExamples,
			Links:               cloudFormationCheckEncryptionCustomerKeyLinks,
			RemediationMarkdown: cloudFormationCheckEncryptionCustomerKeyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {

			if bucket.ACL.EqualTo("log-delivery-write", types.IgnoreCase) {

				continue
			}
			if bucket.Encryption.KMSKeyId.IsEmpty() {
				results.Add(
					"Bucket does not encrypt data with a customer managed key.",
					&bucket.Encryption,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return
	},
)

var CheckEncryptionIsEnabled = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0088",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "enable-bucket-encryption",
		Summary:     "Unencrypted S3 bucket.",
		Impact:      "The bucket objects could be read if compromised",
		Resolution:  "Configure bucket encryption",
		Explanation: `S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
		},

		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableBucketEncryptionGoodExamples,
			BadExamples:         terraformEnableBucketEncryptionBadExamples,
			Links:               terraformEnableBucketEncryptionLinks,
			RemediationMarkdown: terraformEnableBucketEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableBucketEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableBucketEncryptionBadExamples,
			Links:               cloudFormationEnableBucketEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableBucketEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.Encryption.Enabled.IsFalse() {
				results.Add(
					"Bucket does not have encryption enabled",
					bucket.Encryption.Enabled,
				)
			} else {
				results.AddPassed(&bucket, "Bucket encryption correctly configured")
			}
		}
		return results
	},
)

var CheckForPublicACL = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0092",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "no-public-access-with-acl",
		Summary:   "S3 Buckets not publicly accessible through ACL.",
		Explanation: `
Buckets should not have ACLs that allow public access
`,
		Impact:     "Public access to the bucket can lead to data leakage",
		Resolution: "Don't use canned ACLs or switch to private acl",

		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessWithAclGoodExamples,
			BadExamples:         terraformNoPublicAccessWithAclBadExamples,
			Links:               terraformNoPublicAccessWithAclLinks,
			RemediationMarkdown: terraformNoPublicAccessWithAclRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicAccessWithAclGoodExamples,
			BadExamples:         cloudFormationNoPublicAccessWithAclBadExamples,
			Links:               cloudFormationNoPublicAccessWithAclLinks,
			RemediationMarkdown: cloudFormationNoPublicAccessWithAclRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.HasPublicExposureACL() {
				if bucket.ACL.EqualTo("authenticated-read") {
					results.Add(
						"Bucket is exposed to all AWS accounts via ACL.",
						bucket.ACL,
					)
				} else {
					results.Add(
						fmt.Sprintf("Bucket has a public ACL: '%s'.", bucket.ACL.Value()),
						bucket.ACL,
					)
				}
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckLoggingIsEnabled = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0089",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "enable-bucket-logging",
		Summary:     "S3 Bucket does not have logging enabled.",
		Explanation: "Buckets should have logging enabled so that access can be audited.",
		Impact:      "There is no way to determine the access to this bucket",
		Resolution:  "Add a logging block to the resource to enable access logging",
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableBucketLoggingGoodExamples,
			BadExamples:         terraformEnableBucketLoggingBadExamples,
			Links:               terraformEnableBucketLoggingLinks,
			RemediationMarkdown: terraformEnableBucketLoggingRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableBucketLoggingGoodExamples,
			BadExamples:         cloudFormationEnableBucketLoggingBadExamples,
			Links:               cloudFormationEnableBucketLoggingLinks,
			RemediationMarkdown: cloudFormationEnableBucketLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if !bucket.Logging.Enabled.IsTrue() && bucket.ACL.NotEqualTo("log-delivery-write") {
				results.Add(
					"Bucket does not have logging enabled",
					bucket.Logging.Enabled,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckPublicACLsAreBlocked = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0086",
		Provider:   providers.AWSProvider,
		Service:    "s3",
		ShortCode:  "block-public-acls",
		Summary:    "S3 Access block should block public ACL",
		Impact:     "PUT calls with public ACLs specified can make objects public",
		Resolution: "Enable blocking any PUT calls with a public ACL specified",
		Explanation: `
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformBlockPublicAclsGoodExamples,
			BadExamples:         terraformBlockPublicAclsBadExamples,
			Links:               terraformBlockPublicAclsLinks,
			RemediationMarkdown: terraformBlockPublicAclsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationBlockPublicAclsGoodExamples,
			BadExamples:         cloudFormationBlockPublicAclsBadExamples,
			Links:               cloudFormationBlockPublicAclsLinks,
			RemediationMarkdown: cloudFormationBlockPublicAclsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.PublicAccessBlock == nil {
				results.Add("No public access block so not blocking public acls", &bucket)
			} else if bucket.PublicAccessBlock.BlockPublicACLs.IsFalse() {
				results.Add(
					"Public access block does not block public ACLs",
					bucket.PublicAccessBlock.BlockPublicACLs,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckPublicACLsAreIgnored = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0091",
		Provider:   providers.AWSProvider,
		Service:    "s3",
		ShortCode:  "ignore-public-acls",
		Summary:    "S3 Access Block should Ignore Public Acl",
		Impact:     "PUT calls with public ACLs specified can make objects public",
		Resolution: "Enable ignoring the application of public ACLs in PUT calls",
		Explanation: `
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformIgnorePublicAclsGoodExamples,
			BadExamples:         terraformIgnorePublicAclsBadExamples,
			Links:               terraformIgnorePublicAclsLinks,
			RemediationMarkdown: terraformIgnorePublicAclsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationIgnorePublicAclsGoodExamples,
			BadExamples:         cloudFormationIgnorePublicAclsBadExamples,
			Links:               cloudFormationIgnorePublicAclsLinks,
			RemediationMarkdown: cloudFormationIgnorePublicAclsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.PublicAccessBlock == nil {
				results.Add("No public access block so not ignoring public acls", &bucket)
			} else if bucket.PublicAccessBlock.IgnorePublicACLs.IsFalse() {
				results.Add(
					"Public access block does not ignore public ACLs",
					bucket.PublicAccessBlock.IgnorePublicACLs,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckPublicBucketsAreRestricted = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0093",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "no-public-buckets",
		Summary:     "S3 Access block should restrict public bucket to limit access",
		Impact:      "Public buckets can be accessed by anyone",
		Resolution:  "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
		Explanation: `S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicBucketsGoodExamples,
			BadExamples:         terraformNoPublicBucketsBadExamples,
			Links:               terraformNoPublicBucketsLinks,
			RemediationMarkdown: terraformNoPublicBucketsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicBucketsGoodExamples,
			BadExamples:         cloudFormationNoPublicBucketsBadExamples,
			Links:               cloudFormationNoPublicBucketsLinks,
			RemediationMarkdown: cloudFormationNoPublicBucketsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.PublicAccessBlock == nil {
				results.Add("No public access block so not restricting public buckets", &bucket)
			} else if bucket.PublicAccessBlock.RestrictPublicBuckets.IsFalse() {
				results.Add(
					"Public access block does not restrict public buckets",
					bucket.PublicAccessBlock.RestrictPublicBuckets,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckPublicPoliciesAreBlocked = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0087",
		Provider:   providers.AWSProvider,
		Service:    "s3",
		ShortCode:  "block-public-policy",
		Summary:    "S3 Access block should block public policy",
		Impact:     "Users could put a policy that allows public access",
		Resolution: "Prevent policies that allow public access being PUT",
		Explanation: `
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
`,

		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformBlockPublicPolicyGoodExamples,
			BadExamples:         terraformBlockPublicPolicyBadExamples,
			Links:               terraformBlockPublicPolicyLinks,
			RemediationMarkdown: terraformBlockPublicPolicyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationBlockPublicPolicyGoodExamples,
			BadExamples:         cloudFormationBlockPublicPolicyBadExamples,
			Links:               cloudFormationBlockPublicPolicyLinks,
			RemediationMarkdown: cloudFormationBlockPublicPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.PublicAccessBlock == nil {
				results.Add("No public access block so not blocking public policies", &bucket)
			} else if bucket.PublicAccessBlock.BlockPublicPolicy.IsFalse() {
				results.Add(
					"Public access block does not block public policies",
					bucket.PublicAccessBlock.BlockPublicPolicy,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckRequireMFADelete = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0170",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "require-mfa-delete",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"2.1.3"},
		},
		Summary:    "Buckets should have MFA deletion protection enabled.",
		Impact:     "Lessened protection against accidental/malicious deletion of data",
		Resolution: "Enable MFA deletion protection on the bucket",
		Explanation: `
Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete an object version, adding another layer of security in the event your security credentials are compromised or unauthorized access is obtained.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html",
		},
		Severity: severity.Low,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRequireMFADeleteGoodExamples,
			BadExamples:         terraformRequireMFADeleteBadExamples,
			Links:               terraformRequireMFADeleteLinks,
			RemediationMarkdown: terraformRequireMFADeleteRemediationMarkdown,
		},
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if bucket.Versioning.MFADelete.IsFalse() {
				results.Add(
					"Bucket does not have MFA deletion protection enabled",
					bucket.Versioning.MFADelete,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)

var CheckVersioningIsEnabled = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0090",
		Provider:   providers.AWSProvider,
		Service:    "s3",
		ShortCode:  "enable-versioning",
		Summary:    "S3 Data should be versioned",
		Impact:     "Deleted or modified data would not be recoverable",
		Resolution: "Enable versioning to protect against accidental/malicious removal or modification",
		Explanation: `
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
With versioning you can recover more easily from both unintended user actions and application failures.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableVersioningGoodExamples,
			BadExamples:         terraformEnableVersioningBadExamples,
			Links:               terraformEnableVersioningLinks,
			RemediationMarkdown: terraformEnableVersioningRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableVersioningGoodExamples,
			BadExamples:         cloudFormationEnableVersioningBadExamples,
			Links:               cloudFormationEnableVersioningLinks,
			RemediationMarkdown: cloudFormationEnableVersioningRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if !bucket.Versioning.Enabled.IsTrue() {
				results.Add(
					"Bucket does not have versioning enabled",
					bucket.Versioning.Enabled,
				)
			} else {
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)