AWS S3 Object Versioning Is Disabled

This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.

Policy Details

Policy Subtype
Run, Build
Template Type
Terraform, CloudFormation

Build Rules

AWS S3 Object Versioning is disabled.
JSON Queries:
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration does not exist or ($.Resources[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration exists and $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration.Status contains Suspended)
$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled does not exist or $.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled anyFalse)
  • CloudFormation
    Recommended solution to enable Object versioning on S3 buckets.
    It is recommended that S3 buckets have Object versioning enabled. Please make sure that "VersioningConfiguration" exists and "Status" in set to "Enabled".
    For example:
    "RecordServiceS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "VersioningConfiguration": { "Status": "Enabled" } } }
  • Terraform
    Recommended solution for enabling S3 Object Versioning.
    Ensure that versioning is enabled for S3 object. Please make sure "enabled" is set to true under versioning attribute.
    For example:
    "aws_s3_bucket": [ { "<s3_bucket_name>": [ { "bucket": "tf-test-bucket-a", "region": "eu-west-1", "versioning": [ { "enabled": true } ] } ] } ]

Run Rule Recommendation

  1. Log into your AWS Console and select the S3 service.
  2. Choose the reported S3 bucket and click the Properties tab in the upper right frame.
  3. Expand the Versioning option.
  4. Click Enable Versioning.
  5. Click Save.


There is 1 standard that is applicable to this policy:
  • MITRE ATT&CK [Beta]

Recommended For You