Config rule s3-bucket-versioning-enabled doesn't report Compliant on some buckets

0

I've turned on S3 bucket versioning and, as root user, turned on MFADelete on my S3 buckets. In AWS Config, some S3 buckets show as Compliant for the rule s3-bucket-versioning-enabled, some show as Noncompliant. When I run "aws s3api get-bucket-versioning" for the Compliant and Noncompliant S3 buckets, I get both enabled:

{ "Status": "Enabled", "MFADelete": "Enabled" }

In Config, in Resources, for the S3 buckets that are Noncompliant, under View Configuration Item (JSON), it shows this:

"BucketVersioningConfiguration": { "status": "Enabled", "isMfaDeleteEnabled": null },

For S3 buckets that are Compliant, the JSON shows this:

"BucketVersioningConfiguration": { "status": "Enabled", "isMfaDeleteEnabled": true },

For the Noncompliant S3 buckets, I have tried suspending S3 bucket versioning and disabling MFA Delete, then re-enabling both. This did not change the Noncompliant status.

asked 2 years ago · 281 views
1 Answer
0

Thank you for the clear description.

It might take a few minutes for Config to detect the configuration change and re-evaluate the resource. Please review the resource configuration as well as compliance timelines, and confirm that a configuration item generated to reflect the change does trigger, as documented in the sixth point from this article: https://aws.amazon.com/premiumsupport/knowledge-center/config-rule-not-working/

All the other suggestions from the article might also be helpful.

AWS
weidi
answered 2 years ago
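
An added example, not part of the question or the answer above: a small check that compares the live `get-bucket-versioning` output with the `BucketVersioningConfiguration` fragment from the Config configuration item and reports which fields Config has recorded differently. The function names are hypothetical, and the sample JSON is constructed from the outputs quoted in the question.

```python
import json

# Constructed samples, shaped like the outputs quoted in the question.
LIVE = '{"Status": "Enabled", "MFADelete": "Enabled"}'
RECORDED_STALE = ('{"BucketVersioningConfiguration": '
                  '{"status": "Enabled", "isMfaDeleteEnabled": null}}')
RECORDED_OK = ('{"BucketVersioningConfiguration": '
               '{"status": "Enabled", "isMfaDeleteEnabled": true}}')


def normalize_live(doc):
    """Map get-bucket-versioning output to (status, mfa_delete)."""
    # Missing keys map to None so they compare cleanly with a JSON null.
    mfa = doc.get("MFADelete")
    return doc.get("Status"), (None if mfa is None else mfa == "Enabled")


def normalize_recorded(item):
    """Map the configuration item fragment to (status, mfa_delete)."""
    cfg = item.get("BucketVersioningConfiguration") or {}
    return cfg.get("status"), cfg.get("isMfaDeleteEnabled")


def find_drift(live_json, recorded_json):
    """Return (field, live, recorded) tuples where Config's view differs."""
    live_status, live_mfa = normalize_live(json.loads(live_json))
    rec_status, rec_mfa = normalize_recorded(json.loads(recorded_json))
    drift = []
    if live_status != rec_status:
        drift.append(("status", live_status, rec_status))
    if live_mfa != rec_mfa:
        drift.append(("mfaDelete", live_mfa, rec_mfa))
    return drift


if __name__ == "__main__":
    for name, recorded in (("noncompliant bucket", RECORDED_STALE),
                           ("compliant bucket", RECORDED_OK)):
        print(name, find_drift(LIVE, recorded))
```

A non-empty result for a bucket means the recorded configuration item does not yet reflect the live setting, which is the condition the answer asks you to confirm in the resource's configuration timeline.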
