Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Data/ Lifecycle
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-AWSCIS-ControlsCSA-CCMSOC-2
- Snyk IDSNYK-CC-00234
- creditSnyk Research Team
Description
S3 bucket will not enforce MFA login on delete requests.
How to fix?
Set the aws_s3_bucket versioning block mfa_delete field to true.
- For AWS provider < v4.0.0 ensure that the
versioningblock of anaws_s3_bucketsets the fieldmfa_deletetotrue. - For AWS provider >= v4.0.0 ensure that the
versioning_configurationblock of anaws_s3_bucket_versioningresource sets the fieldmfa_deletetoEnabled.
Example Configuration
# For AWS provider < v4.0.0
resource "aws_s3_bucket" "example" {
versioning {
enabled = true
mfa_delete = true
}
}
# For AWS provider >= v4.0.0
resource "aws_s3_bucket" "example" {
bucket_prefix = "example-"
}
resource "aws_s3_bucket_versioning" "example" {
bucket = aws_s3_bucket.example.id
mfa = "arn:aws:iam::0000000000:mfa/my-mfa-device 123456"
versioning_configuration {
status = "Enabled"
mfa_delete = "Enabled"
}
}