--- policy: /ce/ca/aws/s3/bucket-object-lock logic: /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml executionTime: 2026-06-06T12:03:23.524913295Z generationMs: 46 executionMs: 921 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__objectLockEnabled__c') == 'no' actual: extract('CA10__objectLockEnabled__c') == 'no' runtimeError: {} - id: test3 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__objectLockEnabled__c') == 'yes' actual: extract('CA10__objectLockEnabled__c') == 'yes' runtimeError: {} usedFiles: - path: /ce/ca/aws/s3/bucket-object-lock/policy.yaml md5Hash: F184C680EA2362FF622689C1B4F7CC5A content: | --- names: full: "AWS S3 Bucket Object Lock is not enabled" contextual: "Bucket Object Lock is not enabled" description: "S3 Object Lock can help prevent Amazon S3 objects from being deleted\ \ or overwritten for a fixed amount of time or indefinitely. Object Lock uses a\ \ write-once-read-many (WORM) model to store objects. You can use Object Lock to\ \ help meet regulatory requirements that require WORM storage, or to add another\ \ layer of protection against object changes or deletion." type: "BEST_PRACTICE" categories: - "SECURITY" - "RELIABILITY" frameworkMappings: - "/frameworks/cloudaware/resource-security/data-protection-and-recovery" - "/frameworks/cloudaware/resource-reliability/system-configuration" - "/frameworks/aws-well-architected/sec/08/04" - "/frameworks/nist-sp-800-53-r5/cp/06/02" - "/frameworks/pci-dss-v4.0.1/10/05/01" similarPolicies: internal: - "dec-x-b443805a" cloudConformity: - url: "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/S3/object-lock.html" name: "S3 Object Lock" - path: /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml md5Hash: 88C980B69B3BCB7BD71B94741AEEB32D content: | --- # This policy is based on AWS Security Hub control [S3.15] S3 buckets should be configured to use Object Lock # https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-15 # To determine if object lock is enabled we're checking CA10__objectLockEnabled__c field # Possible values: "yes", "no", empty which indicates permissions issue inputType: "CA10__CaAwsBucket__c" importExtracts: - file: /types/CA10__CaAwsBucket__c/object.extracts.yaml testData: - file: "test-data.json" conditions: - status: "INCOMPLIANT" currentStateMessage: "S3 Object Lock is not enabled." remediationMessage: "Enable Object Lock for the bucket." check: IS_EQUAL: left: EXTRACT: "CA10__objectLockEnabled__c" right: TEXT: "no" - status: "COMPLIANT" currentStateMessage: "S3 Object Lock is enabled." check: IS_EQUAL: left: EXTRACT: "CA10__objectLockEnabled__c" right: TEXT: "yes" otherwise: status: "UNDETERMINED" currentStateMessage: "Unexpected value in the field." - path: /ce/ca/aws/s3/bucket-object-lock/test-data.json md5Hash: 036F85403A754FBC3B76DC862E0D7241 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-29T06:25:44Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-07-24T14:37:26Z", "CA10__objectLockEnabled__c": "No" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "extract('CA10__objectLockEnabled__c') == 'no'", "runtimeError": null }, "context": { "snapshotTime": "2024-07-29T06:25:44Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__objectLockEnabled__c": "No" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__objectLockEnabled__c') == 'yes'", "runtimeError": null }, "context": { "snapshotTime": "2024-07-29T06:25:44Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__objectLockEnabled__c": "Yes" } ] - path: /types/CA10__CaAwsBucket__c/object.extracts.yaml md5Hash: F56AFA293B0B19D4F39C1EBB70F4C56F content: "---\nextracts:\n# Values: yes, no. Not Nullable.\n - name: \"CA10__objectLockEnabled__c\"\ \n value: \n FIELD:\n path: \"CA10__objectLockEnabled__c\"\n\ \ undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__objectLockEnabled__c\"\n currentStateMessage: \"Unable to determine\ \ Object Lock status. Possible permission issue with s3:GetObjectLockConfiguration\"\ \n isEmpty: \"Object Lock status is not populated yet\"\n# Nullable.\n\ \ - name: \"CA10__lifecycleRulesJson__c\"\n value: \n FIELD:\n \ \ path: \"CA10__lifecycleRulesJson__c\"\n returnType: BYTES\n \ \ # undeterminedIf:\n # noAccessDelegate:\n # path: \"\ CA10__lifecycleRulesJson__c\"\n # currentStateMessage: \"Unable to\ \ determine Lifecycle Configuration. Possible permission issue with s3:GetLifecycleConfiguration\"\ \n# Values: enabled, suspended, off. Not Nullable.\n - name: \"CA10__versioningStatus__c\"\ \n value: \n FIELD:\n path: \"CA10__versioningStatus__c\"\n \ \ undeterminedIf:\n noAccessDelegate:\n path: \"CA10__versioningStatus__c\"\ \n currentStateMessage: \"Unable to determine versioning status.\ \ Possible permission issue with s3:GetBucketVersioning\"\n isEmpty:\ \ \"Status is not populated yet\"\n# Checkbox.\n - name: \"CA10__versioningMfaDeleteEnabled__c\"\ \n value: \n FIELD:\n path: \"CA10__versioningMfaDeleteEnabled__c\"\ \n undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__versioningStatus__c\"\n currentStateMessage: \"Unable to determine\ \ versioning status. Possible permission issue with s3:GetBucketVersioning\"\ \n# The field can be empty if server access logging is not enabled\n - name:\ \ \"CA10__loggingDestinationBucketName__c\"\n value: \n FIELD:\n \ \ path: \"CA10__loggingDestinationBucketName__c\"\n # undeterminedIf:\n\ \ # noAccessDelegate:\n # path: \"CA10__loggingDestinationBucketName__c\"\ \n # currentStateMessage: \"Unable to determine if server access\ \ logging is enabled. Possible permission issue with s3:GetBucketLogging\"\n\ # Cloudaware derives this field from CA10__loggingDestinationBucketName__c\n\ \ - name: \"CA10__loggingDestinationBucketArn__c\"\n value: \n FIELD:\n\ \ path: \"CA10__loggingDestinationBucketArn__c\"\n undeterminedIf:\n\ \ noAccessDelegate:\n path: \"CA10__loggingDestinationBucketName__c\"\ \n currentStateMessage: \"Unable to determine if server access logging\ \ is enabled. Possible permission issue with s3:GetBucketLogging\"\n# This is\ \ a look up on CA10__CaAwsBucket__c derived from CA10__loggingDestinationBucketName__c\n\ \ - name: \"CA10__loggingDestinationBucket__c\"\n value: \n FIELD:\n\ \ path: \"CA10__loggingDestinationBucket__c\"\n undeterminedIf:\n\ \ noAccessDelegate:\n path: \"CA10__loggingDestinationBucketName__c\"\ \n currentStateMessage: \"Unable to determine if server access logging\ \ is enabled. Possible permission issue with s3:GetBucketLogging\"\n - name:\ \ \"CA10__arn__c\"\n value: \n FIELD:\n path: \"CA10__arn__c\"\ \n undeterminedIf:\n isEmpty: \"Bucket ARN cannot be empty.\ \ Potential data corruption\"\n - name: \"caJsonFrom__lifecycleRulesJson__c\"\ \n value: \n JSON_FROM:\n arg: \n EXTRACT: \"CA10__lifecycleRulesJson__c\"\ \n undeterminedIf:\n isInvalid: \"S3 Bucket Lifecycle Rules\ \ JSON is invalid.\"\n# Returns BOOLEAN true if number of enabled lifecycle\ \ rules more than 0 otherwise returns false\n - name: \"caJsonBoolean__lifecycleRulesJsonStatusEnabled__c\"\ \n value: \n JSON_QUERY_BOOLEAN:\n arg: \n EXTRACT:\ \ \"caJsonFrom__lifecycleRulesJson__c\"\n expression: \"length([?status=='Enabled'])\ \ > `0`\"\n undeterminedIf: \n evaluationError: \"The JSON query\ \ has failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ a boolean.\"\n - name: \"CA10__blockPublicAcls__c\"\n value: \n FIELD:\n\ \ path: \"CA10__blockPublicAcls__c\"\n undeterminedIf:\n \ \ noAccessDelegate:\n path: \"CA10__blockPublicAcls__c\"\n \ \ currentStateMessage: \"Unable to determine the bucket policy. Possible\ \ permission issue with s3:GetBucketPublicAccessBlock\"\n - name: \"CA10__blockPublicPolicy__c\"\ \n value: \n FIELD:\n path: \"CA10__blockPublicPolicy__c\"\n\ \ undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__blockPublicPolicy__c\"\n currentStateMessage: \"Unable to determine\ \ the bucket policy. Possible permission issue with s3:GetBucketPublicAccessBlock\"\ \n - name: \"CA10__ignorePublicAcls__c\"\n value: \n FIELD:\n \ \ path: \"CA10__ignorePublicAcls__c\"\n undeterminedIf:\n \ \ noAccessDelegate:\n path: \"CA10__ignorePublicAcls__c\"\n \ \ currentStateMessage: \"Unable to determine the bucket policy. Possible\ \ permission issue with s3:GetBucketPublicAccessBlock\"\n - name: \"CA10__restrictPublicBuckets__c\"\ \n value: \n FIELD:\n path: \"CA10__restrictPublicBuckets__c\"\ \n undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__restrictPublicBuckets__c\"\n currentStateMessage: \"Unable\ \ to determine the bucket policy. Possible permission issue with s3:GetBucketPublicAccessBlock\"\ \n# Nullable.\n - name: \"CA10__policyDocument__c\"\n value: \n FIELD:\n\ \ path: \"CA10__policyDocument__c\"\n returnType: BYTES\n \ \ # undeterminedIf:\n # noAccessDelegate:\n # path: \"\ CA10__policyDocument__c\"\n # currentStateMessage: \"Unable to determine\ \ the bucket policy. Possible permission issue with s3:GetBucketPolicy\"\n \ \ - name: \"caJsonFrom__policyDocument__c\"\n value: \n JSON_FROM:\n\ \ arg: \n EXTRACT: \"CA10__policyDocument__c\"\n undeterminedIf:\n\ \ isInvalid: \"S3 Bucket Policy Document JSON is invalid.\"\n# Nullable.\n\ \ - name: \"CA10__intelligentTieringConfigurationsJson__c\"\n value: \n\ \ FIELD:\n path: \"CA10__intelligentTieringConfigurationsJson__c\"\ \n returnType: BYTES\n - name: \"caJsonFrom__intelligentTieringConfigurationsJson__c\"\ \n value: \n JSON_FROM:\n arg: \n EXTRACT: \"CA10__intelligentTieringConfigurationsJson__c\"\ \n undeterminedIf:\n isInvalid: \"S3 Bucket Policy Document\ \ JSON is invalid.\"\n# Nullable.\n - name: \"CA10__regionName__c\"\n value:\n\ \ FIELD:\n path: \"CA10__regionName__c\"\n# Nullable.\n - name:\ \ \"CA10__intelligentTieringStorageGb__c\"\n value:\n FIELD:\n \ \ path: \"CA10__intelligentTieringStorageGb__c\"\n# Values: AES256 | aws:fsx\ \ | aws:kms | aws:kms:dsse | None. Not Nullable.\n - name: \"CA10__serverSideEncryptionAlgorithm__c\"\ \n value:\n FIELD:\n path: \"CA10__serverSideEncryptionAlgorithm__c\"\ \n undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__serverSideEncryptionAlgorithm__c\"\n currentStateMessage: \"\ Unable to determine Bucket Encryption Algorithm. Possible permissions issue\ \ with s3:GetEncryptionConfiguration\"\n - name: \"CA10__accessControlPolicy__c\"\ \n value: \n FIELD:\n path: \"CA10__accessControlPolicy__c\"\n\ \ undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__accessControlPolicy__c\"\n currentStateMessage: \"Unable to\ \ determine the bucket ACL. Possible permission issue with s3:GetBucketAcl\"\ \n - name: \"caJsonFrom__accessControlPolicy__c\"\n value: \n JSON_FROM:\n\ \ arg:\n EXTRACT: \"CA10__accessControlPolicy__c\"\n \ \ undeterminedIf:\n isInvalid: \"The Access Control Policy JSON is\ \ invalid.\"\n - name: \"CA10__accessControlGrants__c\"\n value: \n \ \ FIELD:\n path: \"CA10__accessControlGrants__c\"\n undeterminedIf:\n\ \ noAccessDelegate:\n path: \"CA10__accessControlGrants__c\"\ \n currentStateMessage: \"Unable to determine the bucket ACL. Possible\ \ permission issue with s3:GetBucketAcl\"\n - name: \"CA10__policyIsPublic__c\"\ \n value: \n FIELD:\n path: \"CA10__policyIsPublic__c\"\n \ \ undeterminedIf:\n noAccessDelegate:\n path: \"CA10__policyIsPublic__c\"\ \n currentStateMessage: \"Unable to determine the bucket policy status.\ \ Possible permission issue with s3:GetBucketPolicyStatus\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "extract('CA10__objectLockEnabled__c') == 'no'", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__objectLockEnabled__c') == 'yes'", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsBucket__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-29T06:25:44Z") }, "CA10__disappearanceTime__c" : new Date("2024-07-24T14:37:26Z"), "CA10__objectLockEnabled__c" : "No", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-07-29T06:25:44Z") }, "CA10__objectLockEnabled__c" : "No", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-07-29T06:25:44Z") }, "CA10__objectLockEnabled__c" : "Yes", "Id" : "test3" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsBucket__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__objectLockEnabled__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__objectLockEnabled__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__objectLockEnabled__c.delegatedTo(CA10__objectLockEnabled__c).isEmpty()", currentStateMessage: "Unable to determine Object Lock status. Possible permission issue with s3:GetObjectLockConfiguration", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } if (TextLib.isEmpty(obj.CA10__objectLockEnabled__c)) { throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "CA10__objectLockEnabled__c.isEmpty()", currentStateMessage: "Object Lock status is not populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__objectLockEnabled__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Object Lock Enabled [obj.CA10__objectLockEnabled__c]: ' + obj.CA10__objectLockEnabled__c); try { if (TextLib.equal(extract3.call(extract3), 'no')) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "extract('CA10__objectLockEnabled__c') == 'no'", currentStateMessage: "S3 Object Lock is not enabled.", currentStateReferences: references1.join('\n'), remediation: "Enable Object Lock for the bucket.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function fieldChecked7() { if (TextLib.isEmpty(obj.CA10__objectLockEnabled__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__objectLockEnabled__c.delegatedTo(CA10__objectLockEnabled__c).isEmpty()", currentStateMessage: "Unable to determine Object Lock status. Possible permission issue with s3:GetObjectLockConfiguration", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } if (TextLib.isEmpty(obj.CA10__objectLockEnabled__c)) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__objectLockEnabled__c.isEmpty()", currentStateMessage: "Object Lock status is not populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__objectLockEnabled__c; } function extract6() { if (!this.out) { this.out = fieldChecked7(); } return this.out; }; try { if (TextLib.equal(extract6.call(extract6), 'yes')) { return {status: 'COMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__objectLockEnabled__c') == 'yes'", currentStateMessage: "S3 Object Lock is enabled.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'UNDETERMINED', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "Unexpected value in the field.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__objectLockEnabled__c AS CA10__objectLockEnabled__c, sObject.Id AS Id, process_CA10__CaAwsBucket__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__objectLockEnabled__c AS CA10__objectLockEnabled__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsBucket__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;