--- policy: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets logic: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets/prod.logic.yaml executionTime: 2026-02-10T22:32:29.476772654Z generationMs: 120 executionMs: 1074 rows: - id: test1 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT) actual: CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT) runtimeError: {} - id: test2 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT) actual: CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT) runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets/policy.yaml md5Hash: 0CFDC9A5643A2758838084A80B7108B9 content: | --- names: full: AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled contextual: Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled description: "S3 object-level API operations such as GetObject, DeleteObject, and\ \ PutObject are called data events. By default, CloudTrail trails don't log data\ \ events and so it is recommended to enable Object-level logging for S3 buckets." 
type: COMPLIANCE_POLICY categories: - SECURITY - RELIABILITY frameworkMappings: - "/frameworks/cis-aws-v6.0.0/04/08" - "/frameworks/cloudaware/logging-and-monitoring/logging-and-monitoring-configuration" similarPolicies: internal: - dec-x-b443805a cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/data-events.html name: CloudTrail Data Events - path: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets/prod.logic.yaml md5Hash: 6ED9892F694BC8233BF282B89C23D3B1 content: "---\ninputType: \"CA10__CaAwsAccount__c\"\ntestData:\n - file: \"test-data.json\"\ \nconditions:\n - status: \"COMPLIANT\"\n currentStateMessage: \"This AWS\ \ account has a CloudTrail with object-level logging for write events enabled\ \ for all S3 buckets.\"\n check:\n RELATED_LIST_HAS:\n status:\ \ \"COMPLIANT\"\n relationshipName: \"CA10__AWS_CloudTrail_Trails__r\"\ \notherwise:\n status: \"INCOMPLIANT\"\n currentStateMessage: \"This AWS account\ \ does not have a CloudTrail with object-level logging for write events enabled\ \ for all S3 buckets.\"\n remediationMessage: \"Create a new CloudTrail or\ \ update an existing one to enable object-level logging for write events for\ \ all S3 buckets.\"\nrelatedLists:\n - relationshipName: \"CA10__AWS_CloudTrail_Trails__r\"\ \n importExtracts:\n - file: \"/types/CA10__CaAwsCloudTrailTrail__c/object.extracts.yaml\"\ \n conditions:\n - status: \"COMPLIANT\"\n currentStateMessage:\ \ \"CloudTrail with object-level logging for write events enabled for all S3\ \ buckets.\"\n check:\n AND:\n args:\n \ \ - IS_EQUAL:\n left:\n EXTRACT: \"CA10__multiRegionTrail__c\"\ \n right:\n BOOLEAN: true\n \ \ - IS_EQUAL:\n left:\n JSON_QUERY_TEXT:\n\ \ arg: \n EXTRACT: \"caJsonFrom__eventSelectorsJson__c\"\ \n expression: \"[].dataResources[?type=='AWS::S3::Object'].type[]\ \ | [0]\"\n undeterminedIf:\n evaluationError:\ \ \"The JSON text query has failed.\"\n resultTypeMismatch:\ \ \"The JSON 
query did not return a text type.\"\n right:\n\ \ TEXT: \"AWS::S3::Object\"\n - IS_EQUAL:\n\ \ left:\n JSON_QUERY_BOOLEAN:\n \ \ arg: \n EXTRACT: \"caJsonFrom__eventSelectorsJson__c\"\ \n expression: \"contains([].dataResources[].values[],\ \ 'arn:aws:s3')\"\n undeterminedIf:\n \ \ evaluationError: \"The JSON boolean query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return a boolean\ \ type.\"\n right:\n BOOLEAN: true\n \ \ - OR:\n args:\n - IS_EQUAL:\n\ \ left:\n EXTRACT: \"caJsonText__eventSelectorsJsonReadWriteType__c\"\ \n right:\n TEXT: \"All\"\n\ \ - IS_EQUAL:\n left:\n \ \ EXTRACT: \"caJsonText__eventSelectorsJsonReadWriteType__c\"\ \n right:\n TEXT: \"WriteOnly\"\ \n otherwise:\n status: \"INAPPLICABLE\"\n currentStateMessage:\ \ \"Unrelated CloudTrail configuration.\"\n" - path: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets/test-data.json md5Hash: BA7C8C7C86576D4B4A75A2D0708A1E5E content: |- [ { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "199", "conditionText": "CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-28T17:35:50Z" }, "Id": "test1", "CA10__AWS_CloudTrail_Trails__r": [ { "Id": "test1_1", "CA10__disappearanceTime__c": null, "CA10__multiRegionTrail__c": true, "CA10__eventSelectorsJson__c": "[{\"readWriteType\":\"All\",\"includeManagementEvents\":true,\"dataResources\":[{\"type\":\"AWS::S3::Object\",\"values\":[\"arn:aws:s3\"]}],\"excludeManagementEventSources\":[]}]", "CA10__account__c": "test1" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "199", "conditionText": "CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-28T17:35:50Z" }, "Id": "test2", "CA10__AWS_CloudTrail_Trails__r": [ { "Id": "test2_1", "CA10__disappearanceTime__c": null, "CA10__multiRegionTrail__c": true, "CA10__eventSelectorsJson__c": 
"[{\"readWriteType\":\"WriteOnly\",\"includeManagementEvents\":true,\"dataResources\":[{\"type\":\"AWS::S3::Object\",\"values\":[\"arn:aws:s3\"]}],\"excludeManagementEventSources\":[]}]", "CA10__account__c": "test2" } ] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-28T17:35:50Z" }, "Id": "test3", "CA10__AWS_CloudTrail_Trails__r": [ { "Id": "test3_1", "CA10__disappearanceTime__c": null, "CA10__multiRegionTrail__c": true, "CA10__eventSelectorsJson__c": "[{\"readWriteType\":\"All\",\"includeManagementEvents\":true,\"dataResources\":[],\"excludeManagementEventSources\":[]}]", "CA10__account__c": "test3" } ] } ] - path: /types/CA10__CaAwsCloudTrailTrail__c/object.extracts.yaml md5Hash: E81F4D5C3A3DF3406D05985DF80BF9C5 content: "---\nextracts:\n# Checkbox. Can't have no access, retrieved via cloudtrail:DescribeTrails\n\ \ - name: \"CA10__multiRegionTrail__c\"\n value: \n FIELD:\n \ \ path: \"CA10__multiRegionTrail__c\"\n# Checkbox. \n - name: \"CA10__isLogging__c\"\ \n value: \n FIELD:\n path: \"CA10__isLogging__c\"\n undeterminedIf:\n\ \ noAccessDelegate:\n path: \"CA10__isLogging__c\"\n \ \ currentStateMessage: \"Unable to determine Logging status. Possible\ \ permission issue with cloudtrail:GetTrailStatus.\"\n# Checkbox. Can't have\ \ no access, retrieved via cloudtrail:DescribeTrails\n - name: \"CA10__logFileValidationEnabled__c\"\ \n value: \n FIELD:\n path: \"CA10__logFileValidationEnabled__c\"\ \n# Nullable\n - name: \"CA10__eventSelectorsJson__c\"\n value: \n \ \ FIELD:\n path: \"CA10__eventSelectorsJson__c\"\n returnType:\ \ BYTES\n undeterminedIf:\n noAccessDelegate:\n path:\ \ \"CA10__eventSelectorsJson__c\"\n currentStateMessage: \"Unable\ \ to determine Logging status. 
Possible permission issue with cloudtrail:GetEventSelectors.\"\ \n - name: \"caJsonFrom__eventSelectorsJson__c\"\n value: \n JSON_FROM:\n\ \ arg:\n EXTRACT: \"CA10__eventSelectorsJson__c\"\n undeterminedIf:\n\ \ isInvalid: \"Provided CloudTrail Event Selector has invalid JSON.\"\ \n# Returns TEXT. Values: All, WriteOnly, ReadOnly\n - name: \"caJsonText__eventSelectorsJsonReadWriteType__c\"\ \n value: \n JSON_QUERY_TEXT:\n arg: \n EXTRACT: \"\ caJsonFrom__eventSelectorsJson__c\"\n expression: \"[*].readWriteType\ \ | [0]\"\n undeterminedIf:\n evaluationError: \"The JSON text\ \ query has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return a text type.\"\n# Returns BOOLEAN true or false\n - name: \"caJsonBoolean__eventSelectorsJsonIncludeManagementEvents__c\"\ \n value: \n JSON_QUERY_BOOLEAN:\n arg: \n EXTRACT:\ \ \"caJsonFrom__eventSelectorsJson__c\"\n expression: \"[*].includeManagementEvents\ \ | [0]\"\n undeterminedIf:\n evaluationError: \"The JSON boolean\ \ query has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return a boolean type.\"\n# Nullable. 
Can't have no access, retrieved via\ \ cloudtrail:DescribeTrails\n - name: \"CA10__kmsKey__c\"\n value: \n \ \ FIELD:\n path: \"CA10__kmsKey__c\"\n" script: |-
-- Test fixture: the expected verdict per account Id (test1 and test2 COMPLIANT at index 199, test3 INCOMPLIANT at index 200).
-- NOTE(review): the RETURNS clause of the three mock functions shows only ARRAY followed by stray closing brackets; the element type appears to have been lost when this page was captured, so the script will not parse as shown.
CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT)", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } } ]; """;
-- Test fixture: the three account rows under test, each carrying only an Id and a snapshot time.
CREATE TEMP FUNCTION mock_CA10__CaAwsAccount__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-28T17:35:50Z") }, "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-05-28T17:35:50Z") }, "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-05-28T17:35:50Z") }, "Id" : "test3" } ]; """;
-- Test fixture: one multi-region trail per account. test1 uses readWriteType All and test2 uses WriteOnly, both with an
-- AWS::S3::Object data resource whose value is arn:aws:s3; test3 has an empty dataResources list and is the negative case.
-- NOTE(review): no fixture covers a ReadOnly selector, a single-bucket ARN, a trail that is not multi-region, several
-- selectors in one trail, or empty/invalid selector JSON, so the UNDETERMINED branches (indexes 101-108) are never exercised.
CREATE TEMP FUNCTION mock_CA10__CaAwsCloudTrailTrail__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-28T17:35:50Z") }, "CA10__multiRegionTrail__c" : true, "CA10__eventSelectorsJson__c" : "[{\"readWriteType\":\"All\",\"includeManagementEvents\":true,\"dataResources\":[{\"type\":\"AWS::S3::Object\",\"values\":[\"arn:aws:s3\"]}],\"excludeManagementEventSources\":[]}]", "CA10__account__c" : "test1", "Id" : "test1_1" }, { "context" : { "snapshotTime" : new Date("2024-05-28T17:35:50Z") }, "CA10__multiRegionTrail__c" : true, "CA10__eventSelectorsJson__c" : "[{\"readWriteType\":\"WriteOnly\",\"includeManagementEvents\":true,\"dataResources\":[{\"type\":\"AWS::S3::Object\",\"values\":[\"arn:aws:s3\"]}],\"excludeManagementEventSources\":[]}]", "CA10__account__c" : 
"test2", "Id" : "test2_1" }, { "context" : { "snapshotTime" : new Date("2024-05-28T17:35:50Z") }, "CA10__multiRegionTrail__c" : true, "CA10__eventSelectorsJson__c" : "[{\"readWriteType\":\"All\",\"includeManagementEvents\":true,\"dataResources\":[],\"excludeManagementEventSources\":[]}]", "CA10__account__c" : "test3", "Id" : "test3_1" } ]; """;
-- Account-level verdict: COMPLIANT (index 199) when at least one related trail evaluated to COMPLIANT, otherwise
-- INCOMPLIANT (index 200) with the remediation text.
-- Related entries are accepted in two shapes: pre-aggregated rows carrying status and count, or per-trail rows carrying result.status.
-- The DISAPPEARED branch is guarded by a literal false, so it can never fire for accounts.
-- NOTE(review): only COMPLIANT trails are counted. A trail that came back UNDETERMINED (for example the
-- cloudtrail:GetEventSelectors permission case, index 101) is indistinguishable from a missing trail here, and the
-- account is reported INCOMPLIANT rather than UNDETERMINED.
CREATE TEMP FUNCTION process_CA10__CaAwsAccount__c( obj STRUCT< Id STRING, CA10__AWS_CloudTrail_Trails__r ARRAY >> >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] if (false) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared()", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var count_CA10__AWS_CloudTrail_Trails__r_COMPLIANT2 = 0; if (obj.CA10__AWS_CloudTrail_Trails__r != null) { for (var i3 = 0; i3 < obj.CA10__AWS_CloudTrail_Trails__r.length; i3++) { if (typeof(obj.CA10__AWS_CloudTrail_Trails__r[i3].status) !== 'undefined') { if (obj.CA10__AWS_CloudTrail_Trails__r[i3].status == 'COMPLIANT') { count_CA10__AWS_CloudTrail_Trails__r_COMPLIANT2 += obj.CA10__AWS_CloudTrail_Trails__r[i3].count; } } else { if (obj.CA10__AWS_CloudTrail_Trails__r[i3].result.status == 'COMPLIANT') { count_CA10__AWS_CloudTrail_Trails__r_COMPLIANT2 += 1; } } } } // condition[1], conditionIndex:[100..199] references1.push('Related list [CA10__AWS_CloudTrail_Trails__r] ' + (count_CA10__AWS_CloudTrail_Trails__r_COMPLIANT2 > 0 ? 
'has' : 'does not have') + ' objects in COMPLIANT status'); if (count_CA10__AWS_CloudTrail_Trails__r_COMPLIANT2 > 0) { return {status: 'COMPLIANT', conditionIndex: 199, conditionText: "CA10__AWS_CloudTrail_Trails__r.has(COMPLIANT)", currentStateMessage: "This AWS account has a CloudTrail with object-level logging for write events enabled for all S3 buckets.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'INCOMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "This AWS account does not have a CloudTrail with object-level logging for write events enabled for all S3 buckets.", currentStateReferences: references1.join('\n'), remediation: "Create a new CloudTrail or update an existing one to enable object-level logging for write events for all S3 buckets.", runtimeError: null}; """;
-- Trail-level verdict. Returns DISAPPEARED (99) when CA10__disappearanceTime__c is set; COMPLIANT (199) when all four
-- checks pass; UNDETERMINED (101-108) when the selector JSON is empty, unparseable, or a JMESPath query fails;
-- otherwise INAPPLICABLE (200).
-- The four checks: multiRegionTrail is true; some dataResources entry has type AWS::S3::Object; some dataResources
-- values list contains the exact element arn:aws:s3; readWriteType of the FIRST selector is All or WriteOnly.
-- TextLib comparisons ignore case and collapse whitespace; BytesLib comparisons are exact apart from null being treated as empty.
-- NOTE(review): the three JSON checks run independently over the whole selector array, not against the same selector.
-- A trail whose first selector is All with no S3 data resources and whose second selector is ReadOnly for arn:aws:s3
-- would satisfy every check while logging no S3 write events. Consider correlating type, values and readWriteType
-- inside a single JMESPath filter.
-- NOTE(review): the match on arn:aws:s3 is an exact element comparison; a selector written with trailing colons would
-- not match - confirm whether the collector normalises that value.
-- NOTE(review): the result-type checks (103, 105, 107) throw inside the try block, so the surrounding catch re-wraps
-- them as evaluation failures (104, 106, 108); the type-mismatch indexes are unreachable as written.
-- NOTE(review): CA10__isLogging__c is declared in the imported extracts but not consulted, so a stopped trail with the
-- right selectors still counts as COMPLIANT. Only CA10__eventSelectorsJson__c is inspected; whether advanced event
-- selectors are delivered in that field is not visible here - confirm.
-- NOTE(review): jmespath.min.js is loaded from a gs:// bucket at run time with no version or digest pinning visible;
-- whoever can write that object controls code executed inside this UDF. Confirm write access to the bucket is restricted.
CREATE TEMP FUNCTION process_CA10__AWS_CloudTrail_Trails__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__multiRegionTrail__c BOOLEAN, CA10__eventSelectorsJson__c STRING, CA10__account__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js']) AS r""" var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? 
'' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? 
'' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = obj.CA10__multiRegionTrail__c; } return this.out; }; function jsonQueryChecked5() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, '[].dataResources[?type==\'AWS::S3::Object\'].type[] | [0]'); if (out != null && 
typeof out != 'string') { throw new Error("UNDETERMINED condition:103", {cause: {status: 'UNDETERMINED', conditionIndex: 103, conditionText: "extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('[].dataResources[?type==\\'AWS::S3::Object\\'].type[] | [0]').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return a text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:104", {cause: {status: 'UNDETERMINED', conditionIndex: 104, conditionText: "extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('[].dataResources[?type==\\'AWS::S3::Object\\'].type[] | [0]').isEvaluationFailed()", currentStateMessage: "The JSON text query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked8() { var input = extract10.call(extract10); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "extract('CA10__eventSelectorsJson__c').asJson().isInvalid()", currentStateMessage: "Provided CloudTrail Event Selector has invalid JSON.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked11() { if (BytesLib.isEmpty(obj.CA10__eventSelectorsJson__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__eventSelectorsJson__c.delegatedTo(CA10__eventSelectorsJson__c).isEmpty()", currentStateMessage: "Unable to determine Logging status. 
Possible permission issue with cloudtrail:GetEventSelectors.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__eventSelectorsJson__c; } function extract10() { if (!this.out) { this.out = fieldChecked11(); } return this.out; }; function extract7() { if (!this.out) { this.out = jsonChecked8(); } return this.out; }; function jsonQueryChecked12() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, 'contains([].dataResources[].values[], \'arn:aws:s3\')'); if (out != null && typeof out != 'boolean') { throw new Error("UNDETERMINED condition:105", {cause: {status: 'UNDETERMINED', conditionIndex: 105, conditionText: "extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('contains([].dataResources[].values[], \\'arn:aws:s3\\')').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return a boolean type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:106", {cause: {status: 'UNDETERMINED', conditionIndex: 106, conditionText: "extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('contains([].dataResources[].values[], \\'arn:aws:s3\\')').isEvaluationFailed()", currentStateMessage: "The JSON boolean query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonQueryChecked16() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, '[*].readWriteType | [0]'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:107", {cause: {status: 'UNDETERMINED', conditionIndex: 107, conditionText: "extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('[*].readWriteType | [0]').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return a text type.", currentStateReferences: references1.join('\n'), remediation: 
null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:108", {cause: {status: 'UNDETERMINED', conditionIndex: 108, conditionText: "extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('[*].readWriteType | [0]').isEvaluationFailed()", currentStateMessage: "The JSON text query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract15() { if (!this.out) { this.out = jsonQueryChecked16(); } return this.out; }; references1.push('Multi Region Trail [obj.CA10__multiRegionTrail__c]: ' + obj.CA10__multiRegionTrail__c); references1.push('Event Selectors JSON [obj.CA10__eventSelectorsJson__c]: ' + obj.CA10__eventSelectorsJson__c); try { if (extract3.call(extract3) == true && TextLib.equal(jsonQueryChecked5(), 'AWS::S3::Object') && jsonQueryChecked12() == true && (TextLib.equal(extract15.call(extract15), 'All') || TextLib.equal(extract15.call(extract15), 'WriteOnly'))) { return {status: 'COMPLIANT', conditionIndex: 199, conditionText: "extract('CA10__multiRegionTrail__c') == true && extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('[].dataResources[?type==\\'AWS::S3::Object\\'].type[] | [0]') == 'AWS::S3::Object' && extract('caJsonFrom__eventSelectorsJson__c').jsonQueryText('contains([].dataResources[].values[], \\'arn:aws:s3\\')') == true && (extract('caJsonText__eventSelectorsJsonReadWriteType__c') == 'All' || extract('caJsonText__eventSelectorsJsonReadWriteType__c') == 'WriteOnly')", currentStateMessage: "CloudTrail with object-level logging for write events enabled for all S3 buckets.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'INAPPLICABLE', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "Unrelated CloudTrail configuration.", currentStateReferences: 
references1.join('\n'), remediation: null, runtimeError: null}; """;
-- Harness query: groups the trail rows per account, evaluates each trail, feeds the aggregated array into the account
-- evaluator, then compares status, conditionIndex, conditionText and runtimeError with the expected fixture and
-- emits MATCH or FAIL per test Id.
-- NOTE(review): the outer LEFT JOIN yields NULL actuals when no evaluated row joins to an expected Id, and the IFNULL
-- wrappers make NULL equal NULL; an expected row whose four fields were all null would report MATCH without any
-- evaluation having run. The current fixtures always set status, so this does not affect them.
SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.Id AS Id, `CA10__AWS_CloudTrail_Trails__r`.arr AS CA10__AWS_CloudTrail_Trails__r, process_CA10__CaAwsAccount__c( STRUCT( sObject.Id AS Id, `CA10__AWS_CloudTrail_Trails__r`.arr AS CA10__AWS_CloudTrail_Trails__r ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsAccount__c()) AS sObject LEFT JOIN ( SELECT sObject.CA10__account__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__multiRegionTrail__c AS CA10__multiRegionTrail__c, sObject.CA10__eventSelectorsJson__c AS CA10__eventSelectorsJson__c, sObject.CA10__account__c AS CA10__account__c, sObject.Id AS Id, process_CA10__AWS_CloudTrail_Trails__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__multiRegionTrail__c AS CA10__multiRegionTrail__c, sObject.CA10__eventSelectorsJson__c AS CA10__eventSelectorsJson__c, sObject.CA10__account__c AS CA10__account__c, 
sObject.Id AS Id ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsCloudTrailTrail__c()) AS sObject GROUP BY sObject.CA10__account__c ) AS `CA10__AWS_CloudTrail_Trails__r` ON sObject.Id = `CA10__AWS_CloudTrail_Trails__r`.CA10__account__c ) sObject ON sObject.Id = expectedResult.Id;