---
# Compliance policy for S3 server access logging on CA10__CaAwsBucket__c
# records. Based on ce:ca:aws:s3:bucket-access-logging.
#
# The policy reads CA10__loggingDestinationBucketName__c to determine whether
# server access logging is enabled on the bucket, and also verifies that the
# configured destination bucket is not deleted or missing.
#
# NOTE(review): the conditions below are presumably evaluated top-down with the
# first match winning — confirm against the policy engine. The ordering matters:
# the self-destination check must come before the "missing destination" check,
# because in the self-logging case the lookup is empty (see comment below).

# Object type this policy evaluates.
inputType: "CA10__CaAwsBucket__c"

# Field extracts referenced by EXTRACT: below.
importExtracts:
  - file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"

# Fixture records used when testing this policy.
testData:
  - file: "test-data.json"

conditions:
  # Buckets that receive access logs from other buckets are not assessed here;
  # they are reported through the relatedLists section below.
  # NOTE(review): such a destination bucket is skipped even if its own access
  # logging is off — confirm this is the intended coverage.
  - status: "INAPPLICABLE"
    currentStateMessage: "This is a destination bucket."
    check:
      RELATED_LIST_HAS:
        relationshipName: "CA10__loggingBucket__r"
        status: "COMPLIANT"

  # No destination bucket name at all → logging is not configured.
  - status: "INCOMPLIANT"
    currentStateMessage: "Server access logging is not enabled."
    remediationMessage: "Enable server access logging."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10__loggingDestinationBucketName__c"

  # When the source bucket is its own destination bucket, the ARNs will be the
  # same but CA10__loggingDestinationBucket__c will be empty, so this must be
  # checked before the empty-lookup condition below.
  - status: "COMPLIANT"
    currentStateMessage: "Server access logging is enabled. The bucket uses itself as the logging destination."
    check:
      IS_EQUAL:
        left:
          EXTRACT: "CA10__arn__c"
        right:
          EXTRACT: "CA10__loggingDestinationBucketArn__c"

  # A destination name is set, but no bucket record resolves for it → the
  # destination is missing (for example, deleted), so logs are not being kept.
  - status: "INCOMPLIANT"
    currentStateMessage: "The destination bucket is missing."
    remediationMessage: "Verify that access logging references an active S3 bucket."
    check:
      IS_EMPTY_LOOKUP: "CA10__loggingDestinationBucket__r"

  # Destination name set and the destination bucket record resolves.
  - status: "COMPLIANT"
    currentStateMessage: "Server access logging is enabled."
    check:
      NOT_EMPTY_LOOKUP: "CA10__loggingDestinationBucket__r"

# Reached only if none of the conditions above matched.
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "Unexpected values in the fields."

# Buckets that log into this bucket (the reverse side of the lookup above).
relatedLists:
  - relationshipName: "CA10__loggingBucket__r"
    # No per-record conditions; every related source bucket gets the
    # otherwise result.
    conditions: []
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This is a source bucket."