--- policy: /ce/ca/aws/opensearch/domain-tls-policy logic: /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml executionTime: 2026-06-06T12:03:10.854201951Z generationMs: 47 executionMs: 882 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__endpointOptionsEnforceHttps__c') == 'false' actual: extract('CA10__endpointOptionsEnforceHttps__c') == 'false' runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: "setOfText(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']).contains(extract('CA10__endpointOptionsTlsSecurityPolicy__c'))" actual: "setOfText(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']).contains(extract('CA10__endpointOptionsTlsSecurityPolicy__c'))" runtimeError: {} - id: test4 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: extract('CA10__endpointOptionsEnforceHttps__c') == 'true' actual: extract('CA10__endpointOptionsEnforceHttps__c') == 'true' runtimeError: {} usedFiles: - path: /ce/ca/aws/opensearch/domain-tls-policy/policy.yaml md5Hash: AAD96558727ED8CDEA56BE2993A64A33 content: "---\nnames:\n full: \"AWS OpenSearch Domain is not encrypted with the\ \ latest TLS policy\"\n contextual: \"Domain is not encrypted with the latest\ \ TLS policy\"\ndescription: >\n Ensure that Amazon OpenSearch Service domains\ \ are configured to use the \n latest TLS security policy (Policy-Min-TLS-1-2-2019-07).\ \ This ensures that \n only clients using TLS 1.2 or higher can connect to\ \ the domain.\ntype: \"COMPLIANCE_POLICY\"\ncategories:\n - \"SECURITY\"\n\ frameworkMappings:\n - \"/frameworks/cloudaware/secret-and-certificate-governance/cryptographic-configuration\"\ \n - \"/frameworks/aws-fsbp-v1.0.0/es/08\"\n - \"/frameworks/aws-fsbp-v1.0.0/opensearch/08\"\ \nsimilarPolicies:\n awsSecurityHub:\n - name: \"[Opensearch.8] Connections\ \ to OpenSearch domains should be encrypted using the latest TLS security policy\"\ \n url: \"https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-8\"\ \n - name: \"[ES.8] Connections to Elasticsearch domains should be encrypted\ \ using the latest TLS security policy\"\n url: \"https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html#es-8\"\ \n" - path: /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml md5Hash: AE64260F2B0E73DED749F72A82AC530F content: "---\ninputType: \"CA10__CaAwsElasticsearchDomain__c\"\ntestData:\n \ \ - file: \"test-data.json\"\nimportExtracts:\n - file: \"/types/CA10__CaAwsElasticsearchDomain__c/object.extracts.yaml\"\ \nconditions:\n - status: \"UNDETERMINED\"\n currentStateMessage: \"The\ \ enforce HTTPS endpoint option is not populated in the CMDB.\"\n check:\n\ \ IS_EMPTY:\n arg:\n EXTRACT: \"CA10__endpointOptionsEnforceHttps__c\"\ \n - status: \"INCOMPLIANT\"\n currentStateMessage: \"The enforce HTTPS\ \ endpoint option is not enabled.\"\n check:\n IS_EQUAL:\n left:\n\ \ EXTRACT: \"CA10__endpointOptionsEnforceHttps__c\"\n right:\n\ \ TEXT: \"false\" \n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"The OpenSearch domain is using an outdated TLS security policy.\"\n remediationMessage:\ \ \"Update the domain to the latest TLS security policy.\"\n check:\n \ \ CONTAINS:\n arg:\n SET:\n itemType: \"TEXT\"\n\ \ items:\n - \"Policy-Min-TLS-1-0-2019-07\"\n \ \ - \"Policy-Min-TLS-1-2-2019-07\"\n search:\n EXTRACT:\ \ \"CA10__endpointOptionsTlsSecurityPolicy__c\"\n - status: \"COMPLIANT\"\n\ \ currentStateMessage: \"The OpenSearch domain enforces HTTPS and uses the\ \ latest TLS 1.2 security policy.\"\n check:\n IS_EQUAL:\n left:\n\ \ EXTRACT: \"CA10__endpointOptionsEnforceHttps__c\"\n right:\n\ \ TEXT: \"true\" \notherwise:\n status: \"UNDETERMINED\"\n currentStateMessage:\ \ \"Unexpected values in the fields.\"\n" - path: /ce/ca/aws/opensearch/domain-tls-policy/test-data.json md5Hash: 839C9C9C9905C167169D704417BDF836 content: |- [ { "expectedResult": { "runtimeError": null, "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "conditionIndex": 99, "status": "DISAPPEARED" }, "context": { "snapshotTime": "2025-12-23T10:29:21Z" }, "CA10__endpointOptionsEnforceHttps__c": "false", "CA10__endpointOptionsTlsSecurityPolicy__c": "Policy-Min-TLS-1-0-2019-07", "Id": "test1", "CA10__disappearanceTime__c": "2025-08-17T07:38:43Z" }, { "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__endpointOptionsEnforceHttps__c') == 'false'", "conditionIndex": 299, "status": "INCOMPLIANT" }, "context": { "snapshotTime": "2025-12-23T10:29:21Z" }, "CA10__endpointOptionsEnforceHttps__c": "false", "CA10__endpointOptionsTlsSecurityPolicy__c": "Policy-Min-TLS-1-2-2019-07", "Id": "test2", "CA10__disappearanceTime__c": null }, { "expectedResult": { "runtimeError": null, "conditionText": "setOfText(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']).contains(extract('CA10__endpointOptionsTlsSecurityPolicy__c'))", "conditionIndex": 399, "status": "INCOMPLIANT" }, "context": { "snapshotTime": "2025-12-23T10:29:21Z" }, "CA10__endpointOptionsEnforceHttps__c": "true", "CA10__endpointOptionsTlsSecurityPolicy__c": "Policy-Min-TLS-1-2-2019-07", "Id": "test3", "CA10__disappearanceTime__c": null }, { "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__endpointOptionsEnforceHttps__c') == 'true'", "conditionIndex": 499, "status": "COMPLIANT" }, "context": { "snapshotTime": "2025-12-23T10:29:21Z" }, "CA10__endpointOptionsEnforceHttps__c": "true", "CA10__endpointOptionsTlsSecurityPolicy__c": "Policy-Min-TLS-1-2-PFS-2023-10", "Id": "test4", "CA10__disappearanceTime__c": null } ] - path: /types/CA10__CaAwsElasticsearchDomain__c/object.extracts.yaml md5Hash: C9B19E0A5971D32C19DFC4DEEA0D39EC content: | --- extracts: # Values: true | false (TEXT). Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__created__c" value: FIELD: path: "CA10__created__c" # Values: true | false (TEXT). Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__serviceSoftwareUpdateAvailable__c" value: FIELD: path: "CA10__serviceSoftwareUpdateAvailable__c" undeterminedIf: isEmpty: "The service software update status is not populated in the CMDB." # Values: true | false (TEXT). Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__advancedSecurityEnabled__c" value: FIELD: path: "CA10__advancedSecurityEnabled__c" undeterminedIf: isEmpty: "The fine-grained access control setting is not populated in the CMDB." # Checkbox - name: "CA10__encryptionAtRestEnabled__c" value: FIELD: path: "CA10__encryptionAtRestEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__endpoint__c" value: FIELD: path: "CA10__endpoint__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__vpcEndpoints__c" value: FIELD: path: "CA10__vpcEndpoints__c" # Checkbox - name: "CA10__nodeToNodeEncryptionEnabled__c" value: FIELD: path: "CA10__nodeToNodeEncryptionEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__logPublishingOptionsJson__c" value: FIELD: returnType: "BYTES" path: "CA10__logPublishingOptionsJson__c" - name: "caJsonFrom__logPublishingOptionsJson__c" value: JSON_FROM: arg: EXTRACT: "CA10__logPublishingOptionsJson__c" undeterminedIf: isInvalid: "Log Publishing Options JSON is invalid." # Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigInstanceCount__c" value: FIELD: path: "CA10__clusterConfigInstanceCount__c" # Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigZoneAwarenessEnabled__c" value: FIELD: path: "CA10__clusterConfigZoneAwarenessEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigDedicatedMasterEnabled__c" value: FIELD: path: "CA10__clusterConfigDedicatedMasterEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigDedicatedMasterCount__c" value: FIELD: path: "CA10__clusterConfigDedicatedMasterCount__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__endpointOptionsEnforceHttps__c" value: FIELD: path: "CA10__endpointOptionsEnforceHttps__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__endpointOptionsTlsSecurityPolicy__c" value: FIELD: path: "CA10__endpointOptionsTlsSecurityPolicy__c" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "runtimeError" : null, "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "conditionIndex" : 99, "status" : "DISAPPEARED" } }, { "Id" : "test2", "expectedResult" : { "runtimeError" : null, "conditionText" : "extract('CA10__endpointOptionsEnforceHttps__c') == 'false'", "conditionIndex" : 299, "status" : "INCOMPLIANT" } }, { "Id" : "test3", "expectedResult" : { "runtimeError" : null, "conditionText" : "setOfText(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']).contains(extract('CA10__endpointOptionsTlsSecurityPolicy__c'))", "conditionIndex" : 399, "status" : "INCOMPLIANT" } }, { "Id" : "test4", "expectedResult" : { "runtimeError" : null, "conditionText" : "extract('CA10__endpointOptionsEnforceHttps__c') == 'true'", "conditionIndex" : 499, "status" : "COMPLIANT" } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsElasticsearchDomain__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-12-23T10:29:21Z") }, "CA10__disappearanceTime__c" : new Date("2025-08-17T07:38:43Z"), "CA10__endpointOptionsEnforceHttps__c" : "false", "CA10__endpointOptionsTlsSecurityPolicy__c" : "Policy-Min-TLS-1-0-2019-07", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2025-12-23T10:29:21Z") }, "CA10__endpointOptionsEnforceHttps__c" : "false", "CA10__endpointOptionsTlsSecurityPolicy__c" : "Policy-Min-TLS-1-2-2019-07", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2025-12-23T10:29:21Z") }, "CA10__endpointOptionsEnforceHttps__c" : "true", "CA10__endpointOptionsTlsSecurityPolicy__c" : "Policy-Min-TLS-1-2-2019-07", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2025-12-23T10:29:21Z") }, "CA10__endpointOptionsEnforceHttps__c" : "true", "CA10__endpointOptionsTlsSecurityPolicy__c" : "Policy-Min-TLS-1-2-PFS-2023-10", "Id" : "test4" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsElasticsearchDomain__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__endpointOptionsEnforceHttps__c STRING, CA10__endpointOptionsTlsSecurityPolicy__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var CollectionLib = new function () { this.parse = function(arg, separator, skipEmpty, skipDuplicates, sort, normalize) { if (arg == null) return []; let parts = arg.split(separator); return this.fromArray(parts, skipEmpty, skipDuplicates, sort, normalize); }; this.fromArray = function(arr, skipEmpty, skipDuplicates, sort, normalize) { if (arr == null) return []; let result = []; let seen = new Set(); arr.forEach(el => { let normalized = normalize ? TextLib.normalize(el) : BytesLib.normalize(el); if (!skipEmpty || (normalize ? TextLib.isNotEmpty(el) : BytesLib.isNotEmpty(el))) { if (!skipDuplicates || !seen.has(normalized)) { if (skipDuplicates) seen.add(normalized); result.push(normalized); } } }); if (sort) result.sort(); return result; }; this.equal = function(left, right) { left = left == null ? [] : left; right = right == null ? [] : right; if (left.length !== right.length) return false; for (let i = 0; i < left.length; i++) { if (left[i] !== right[i]) return false; } return true; }; this.notEqual = function(left, right) { return !this.equal(left, right); }; this.size = function(collection) { return collection == null ? 0 : collection.length; }; this.startsWith = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; let normalizedSearch = normalize ? TextLib.normalize(search) : BytesLib.normalize(search); return collection[0] === normalizedSearch; }; this.endsWith = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; let normalizedSearch = normalize ? TextLib.normalize(search) : BytesLib.normalize(search); return collection[collection.length - 1] === normalizedSearch; }; this.contains = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; return collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search)); }; this.containsAll = function(collection, searchArray, normalize) { if (collection == null || collection.length === 0 || searchArray == null || searchArray.length === 0) return false; return searchArray.every(search => collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search))); }; this.containsAny = function(collection, searchArray, normalize) { if (collection == null || collection.length === 0 || searchArray == null || searchArray.length === 0) return false; return searchArray.some(search => collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search))); }; }(); var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = obj.CA10__endpointOptionsEnforceHttps__c; } return this.out; }; references1.push('Endpoint Options: Enforce HTTPS [obj.CA10__endpointOptionsEnforceHttps__c]: ' + obj.CA10__endpointOptionsEnforceHttps__c); if (TextLib.isEmpty(extract3.call(extract3))) { return {status: 'UNDETERMINED', conditionIndex: 199, conditionText: "extract('CA10__endpointOptionsEnforceHttps__c').isEmpty()", currentStateMessage: "The enforce HTTPS endpoint option is not populated in the CMDB.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function extract6() { if (!this.out) { this.out = obj.CA10__endpointOptionsEnforceHttps__c; } return this.out; }; if (TextLib.equal(extract6.call(extract6), 'false')) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__endpointOptionsEnforceHttps__c') == 'false'", currentStateMessage: "The enforce HTTPS endpoint option is not enabled.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[3], conditionIndex:[300..399] function extract9() { if (!this.out) { this.out = obj.CA10__endpointOptionsTlsSecurityPolicy__c; } return this.out; }; references1.push('Endpoint Options: TLS Security Policy [obj.CA10__endpointOptionsTlsSecurityPolicy__c]: ' + obj.CA10__endpointOptionsTlsSecurityPolicy__c); if (CollectionLib.contains(CollectionLib.fromArray(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07'], true, true, true, true), extract9.call(extract9), true)) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "setOfText(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']).contains(extract('CA10__endpointOptionsTlsSecurityPolicy__c'))", currentStateMessage: "The OpenSearch domain is using an outdated TLS security policy.", currentStateReferences: references1.join('\n'), remediation: "Update the domain to the latest TLS security policy.", runtimeError: null}; } // condition[4], conditionIndex:[400..499] function extract12() { if (!this.out) { this.out = obj.CA10__endpointOptionsEnforceHttps__c; } return this.out; }; if (TextLib.equal(extract12.call(extract12), 'true')) { return {status: 'COMPLIANT', conditionIndex: 499, conditionText: "extract('CA10__endpointOptionsEnforceHttps__c') == 'true'", currentStateMessage: "The OpenSearch domain enforces HTTPS and uses the latest TLS 1.2 security policy.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'UNDETERMINED', conditionIndex: 500, conditionText: "otherwise", currentStateMessage: "Unexpected values in the fields.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__endpointOptionsEnforceHttps__c AS CA10__endpointOptionsEnforceHttps__c, sObject.CA10__endpointOptionsTlsSecurityPolicy__c AS CA10__endpointOptionsTlsSecurityPolicy__c, sObject.Id AS Id, process_CA10__CaAwsElasticsearchDomain__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__endpointOptionsEnforceHttps__c AS CA10__endpointOptionsEnforceHttps__c, sObject.CA10__endpointOptionsTlsSecurityPolicy__c AS CA10__endpointOptionsTlsSecurityPolicy__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsElasticsearchDomain__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;