--- policy: /ce/ca/aws/efs/mount-target-public-ip logic: /ce/ca/aws/efs/mount-target-public-ip/prod.logic.yaml executionTime: 2026-06-06T12:02:51.896257437Z generationMs: 51 executionMs: 1362 rows: - id: test1 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__subnet__r.CA10__mapPublicIpOnLaunch__c') == true actual: extract('CA10__subnet__r.CA10__mapPublicIpOnLaunch__c') == true runtimeError: {} - id: test2 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/efs/mount-target-public-ip/policy.yaml md5Hash: 3AA91E590612620382670CA42B1B45BA content: "---\nnames:\n full: AWS EFS Mount Target is in a subnet that assigns\ \ public IP addresses on launch\n contextual: Mount Target is in a subnet that\ \ assigns public IP addresses on launch\ndescription: >\n Ensure that Amazon\ \ EFS Mount Targets are not deployed in subnets configured \n to automatically\ \ assign public IPv4 addresses. 
EFS is designed to be accessed \n privately\ \ within the VPC, and placing mount targets in public subnets may \n violate\ \ network segmentation best practices.\ntype: COMPLIANCE_POLICY\ncategories:\n\ \ - SECURITY\nframeworkMappings:\n - \"/frameworks/cloudaware/resource-security/network-exposure\"\ \n - \"/frameworks/aws-fsbp-v1.0.0/efs/06\"\nsimilarPolicies:\n awsSecurityHub:\n\ \ - name: \"[EFS.6] EFS mount targets should not be associated with subnets\ \ that assign public IP addresses on launch\"\n url: \"https://docs.aws.amazon.com/securityhub/latest/userguide/efs-controls.html#efs-6\"\ \n" - path: /ce/ca/aws/efs/mount-target-public-ip/prod.logic.yaml md5Hash: B4ADCAAF0C5E0EDC4D95A05356D1385F content: | --- inputType: "CA10__CaAwsEfsMountTarget__c" importExtracts: - file: "/types/CA10__CaAwsSubnet__c/object.extracts.yaml" testData: - file: "test-data.json" conditions: - status: "UNDETERMINED" currentStateMessage: "Unable to determine the subnet configuration for the EFS mount target." check: IS_EMPTY_LOOKUP: CA10__subnet__r - status: "INCOMPLIANT" currentStateMessage: "The EFS mount target is in a subnet configured to automatically assign public IP addresses." remediationMessage: "Move the EFS mount target to a private subnet or disable the 'Auto-assign public IPv4 address' setting on the current subnet." check: IS_EQUAL: left: EXTRACT: "CA10__subnet__r.CA10__mapPublicIpOnLaunch__c" right: BOOLEAN: true otherwise: status: COMPLIANT currentStateMessage: "The EFS mount target is in a subnet that does not automatically assign public IP addresses." 
- path: /ce/ca/aws/efs/mount-target-public-ip/test-data.json md5Hash: 59FDE3E5EF5833F79451B38E56CE1B80 content: |- [ { "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__subnet__r.CA10__mapPublicIpOnLaunch__c') == true", "conditionIndex": 299, "status": "INCOMPLIANT" }, "CA10__subnetId__c": "subnet-ecdb1c8b", "context": { "snapshotTime": "2025-12-15T08:15:42Z" }, "Id": "test1", "CA10__disappearanceTime__c": null, "CA10__subnet__r": { "CA10__mapPublicIpOnLaunch__c": true, "Id": "test1_1", "CA10__disappearanceTime__c": null }, "CA10__subnet__c": "test1_1" }, { "expectedResult": { "runtimeError": null, "conditionText": "otherwise", "conditionIndex": 300, "status": "COMPLIANT" }, "CA10__subnetId__c": "subnet-0b58c43b8ee8b3816", "context": { "snapshotTime": "2025-12-15T08:15:42Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__subnet__r": { "CA10__mapPublicIpOnLaunch__c": false, "Id": "test2_2", "CA10__disappearanceTime__c": null }, "CA10__subnet__c": "test2_2" } ] - path: /types/CA10__CaAwsSubnet__c/object.extracts.yaml md5Hash: 393E30CD97C9DEE73FA18A1456EE4CBD content: "---\nextracts:\n# Checkbox. Can't have no access, retrieved via ec2:DescribeSubnets\n\ \ - name: CA10__defaultForAz__c\n value: \n FIELD:\n path: CA10__defaultForAz__c\n\ # Checkbox. Can't have no access, retrieved via ec2:DescribeSubnets\n - name:\ \ CA10__mapPublicIpOnLaunch__c\n value: \n FIELD:\n path: CA10__mapPublicIpOnLaunch__c\n\ # Checkbox. 
Can't have no access, retrieved via ec2:DescribeSubnets\n - name:\ \ CA10__assignIpv6AddressOnCreation__c\n value: \n FIELD:\n path:\ \ CA10__assignIpv6AddressOnCreation__c\n"
script: |-
  -- Self-contained BigQuery harness for the EFS mount-target policy: three JS
  -- mocks supply the fixture rows, process_CA10__CaAwsEfsMountTarget__c
  -- evaluates the policy for one row, and the final SELECT diffs expected vs actual.
  -- NOTE(review): the element types of the three RETURNS ARRAY<...> clauses and
  -- the field list of the process function's RETURNS STRUCT<...> are missing from
  -- this listing (they show as "ARRAY >>" and bare "STRUCT"); the script is not
  -- valid BigQuery until they are restored.

  -- Expected outcome per test row, keyed by Id.
  -- NOTE(review): only the INCOMPLIANT (299) and COMPLIANT (300) branches are
  -- exercised; no fixture row covers DISAPPEARED (99) or UNDETERMINED (199, 201-203).
  CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r"""
  return [
    {
      "Id" : "test1",
      "expectedResult" : {
        "runtimeError" : null,
        "conditionText" : "extract('CA10__subnet__r.CA10__mapPublicIpOnLaunch__c') == true",
        "conditionIndex" : 299,
        "status" : "INCOMPLIANT"
      }
    },
    {
      "Id" : "test2",
      "expectedResult" : {
        "runtimeError" : null,
        "conditionText" : "otherwise",
        "conditionIndex" : 300,
        "status" : "COMPLIANT"
      }
    }
  ];
  """;

  -- Fixture EFS mount targets. CA10__subnet__c is the lookup key joined to the
  -- subnet mock below; CA10__disappearanceTime__c is not set on either row, so
  -- the outer query reads it as NULL.
  CREATE TEMP FUNCTION mock_CA10__CaAwsEfsMountTarget__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r"""
  return [
    {
      "context" : { "snapshotTime" : new Date("2025-12-15T08:15:42Z") },
      "CA10__subnet__c" : "test1_1",
      "CA10__subnetId__c" : "subnet-ecdb1c8b",
      "Id" : "test1"
    },
    {
      "context" : { "snapshotTime" : new Date("2025-12-15T08:15:42Z") },
      "CA10__subnet__c" : "test2_2",
      "CA10__subnetId__c" : "subnet-0b58c43b8ee8b3816",
      "Id" : "test2"
    }
  ];
  """;

  -- Fixture subnets: one with auto-assign public IPv4 on (expected INCOMPLIANT),
  -- one with it off (expected COMPLIANT).
  CREATE TEMP FUNCTION mock_CA10__CaAwsSubnet__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r"""
  return [
    {
      "context" : { "snapshotTime" : new Date("2025-12-15T08:15:42Z") },
      "Id" : "test1_1",
      "CA10__mapPublicIpOnLaunch__c" : true
    },
    {
      "context" : { "snapshotTime" : new Date("2025-12-15T08:15:42Z") },
      "Id" : "test2_2",
      "CA10__mapPublicIpOnLaunch__c" : false
    }
  ];
  """;

  -- Evaluates the policy for a single mount target.
  --   obj          : the mount-target row with its related subnet pre-joined as CA10__subnet__r
  --   snapshotTime : passed by the caller but not referenced anywhere in the body below
  -- Returns one result struct with status, conditionIndex, conditionText, messages,
  -- the collected references, remediation and runtimeError. Conditions are
  -- numbered in blocks of 100, in the order they are tried.
  CREATE TEMP FUNCTION process_CA10__CaAwsEfsMountTarget__c(
    obj STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      CA10__subnet__r STRUCT<
        Id STRING,
        CA10__disappearanceTime__c TIMESTAMP,
        CA10__mapPublicIpOnLaunch__c BOOLEAN
      >,
      CA10__subnet__c STRING,
      CA10__subnetId__c STRING,
      Id STRING
    >,
    snapshotTime TIMESTAMP
  ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r"""
  // String helpers. normalize() maps null to '' and collapses whitespace, trims and
  // lowercases, so every comparison below is whitespace- and case-insensitive.
  var TextLib = new function () {
    this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); };
    this.isEmpty = function(arg) { return this.normalize(arg) == ''; };
    this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; };
    this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); };
    this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); };
    this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); };
    this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); };
    this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); };
    // Both containsAll/containsAny return false for a null or empty list of substrings.
    this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); };
    this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); };
  }();

  // Human-readable trail of the values each decision was based on; joined into
  // currentStateReferences of whichever result is returned.
  var references1 = [];

  // condition[0], conditionIndex:[0..99]
  // A set disappearance timestamp means the mount target no longer exists in AWS.
  references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
  if (obj.CA10__disappearanceTime__c != null) {
    return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  }

  // condition[1], conditionIndex:[100..199]
  // IS_EMPTY_LOOKUP(CA10__subnet__r): no subnet id, no lookup id, or the subnet itself is deleted.
  // NOTE(review): a CA10__subnet__c that matches no subnet row (LEFT JOIN miss) is not
  // caught here if the caller's STRUCT(...) yields a struct of NULL fields rather than
  // a NULL struct; the row then reaches condition[2] with a NULL flag and falls through
  // to COMPLIANT — confirm against the real (non-mock) join.
  if (TextLib.isEmpty(obj.CA10__subnetId__c) || TextLib.isEmpty(obj.CA10__subnet__c) || obj.CA10__subnet__r.CA10__disappearanceTime__c != null) {
    return {status: 'UNDETERMINED', conditionIndex: 199, conditionText: "isEmptyLookup('CA10__subnet__r')", currentStateMessage: "Unable to determine the subnet configuration for the EFS mount target.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  }

  // condition[2], conditionIndex:[200..299]
  // Guarded extract: re-validates the lookup and signals UNDETERMINED (201-203) by
  // throwing an Error whose .cause is the complete result struct; the catch below
  // turns that back into a return value.
  function extractChecked2() {
    if (TextLib.isEmpty(obj.CA10__subnetId__c)) {
      throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "extractCheck(obj.CA10__subnetId__c)", currentStateMessage: "Related object via CA10__subnetId__c has empty ID", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
    }
    if (TextLib.isEmpty(obj.CA10__subnet__c)) {
      throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "extractCheck(obj.CA10__subnet__c)", currentStateMessage: "Related object via CA10__subnet__c is not present", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
    }
    if (obj.CA10__subnet__r.CA10__disappearanceTime__c != null) {
      throw new Error("UNDETERMINED condition:203", {cause: {status: 'UNDETERMINED', conditionIndex: 203, conditionText: "extractCheck(obj.CA10__subnet__r.CA10__disappearanceTime__c)", currentStateMessage: "Related object via CA10__subnet__c is present, but deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
    }
    return extract3.call(extract3);
  }
  // Reads the subnet's auto-assign-public-IP flag, memoized on the function object
  // (called with this === extract3). The guard is falsy-based, so a false flag is
  // simply re-read on each call — harmless here because obj does not change.
  function extract3() {
    if (!this.out) {
      this.out = obj.CA10__subnet__r.CA10__mapPublicIpOnLaunch__c;
    }
    return this.out;
  };
  references1.push('Map Public IP On Launch [obj.CA10__subnet__r.CA10__mapPublicIpOnLaunch__c]: ' + obj.CA10__subnet__r.CA10__mapPublicIpOnLaunch__c);
  try {
    // Loose equality: only an actual true is INCOMPLIANT. A null/undefined flag is
    // != true and falls through to the COMPLIANT "otherwise" result below rather
    // than UNDETERMINED; the subnet extracts file states this field is always
    // retrieved via ec2:DescribeSubnets, which is what makes that acceptable — verify.
    if (extractChecked2() == true) {
      return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__subnet__r.CA10__mapPublicIpOnLaunch__c') == true", currentStateMessage: "The EFS mount target is in a subnet configured to automatically assign public IP addresses.", currentStateReferences: references1.join('\n'), remediation: "Move the EFS mount target to a private subnet or disable the 'Auto-assign public IPv4 address' setting on the current subnet.", runtimeError: null};
    }
  } catch (err) {
    // Only errors carrying a prepared result (thrown by extractChecked2) are
    // converted to a return; anything else propagates as a runtime failure.
    if (err.cause && err.cause.status) {
      return err.cause;
    } else {
      throw err;
    }
  }
  // otherwise
  return {status: 'COMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "The EFS mount target is in a subnet that does not automatically assign public IP addresses.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  """;

  -- One row per expected result: "MATCH" when status, conditionIndex, conditionText
  -- and runtimeError all agree with the evaluated result, else "FAIL". NULLs are
  -- coalesced on both sides so NULL-vs-NULL compares equal.
  SELECT
    expectedResult.Id as Id,
    IF (
      IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
      AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
      AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
      AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
      "MATCH",
      "FAIL"
    ) as match,
    expectedResult.expectedResult.status as expectedStatus,
    sObject.result.status as actualStatus,
    expectedResult.expectedResult.conditionIndex as expectedConditionIndex,
    sObject.result.conditionIndex as actualConditionIndex,
    expectedResult.expectedResult.conditionText as expectedConditionText,
    sObject.result.conditionText as actualConditionText,
    expectedResult.expectedResult.runtimeError as expectedRuntimeError,
    sObject.result.runtimeError as actualRuntimeError
  FROM UNNEST(mock_ExpectedResult()) expectedResult
  -- LEFT JOIN so an expected row with no evaluated counterpart still appears (as FAIL).
  LEFT JOIN (
    -- Joins each mount target to its subnet and evaluates the policy; the nested
    -- subnet STRUCT is built twice, once as an output column and once as the UDF input.
    SELECT
      sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
      STRUCT (
        `CA10__subnet__r`.Id AS Id,
        `CA10__subnet__r`.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
        `CA10__subnet__r`.CA10__mapPublicIpOnLaunch__c AS CA10__mapPublicIpOnLaunch__c
      ) AS CA10__subnet__r,
      sObject.CA10__subnet__c AS CA10__subnet__c,
      sObject.CA10__subnetId__c AS CA10__subnetId__c,
      sObject.Id AS Id,
      process_CA10__CaAwsEfsMountTarget__c(
        STRUCT(
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          STRUCT (
            `CA10__subnet__r`.Id AS Id,
            `CA10__subnet__r`.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
            `CA10__subnet__r`.CA10__mapPublicIpOnLaunch__c AS CA10__mapPublicIpOnLaunch__c
          ) AS CA10__subnet__r,
          sObject.CA10__subnet__c AS CA10__subnet__c,
          sObject.CA10__subnetId__c AS CA10__subnetId__c,
          sObject.Id AS Id
        ),
        sObject.context.snapshotTime
      ) as result
    FROM UNNEST(mock_CA10__CaAwsEfsMountTarget__c()) AS sObject
    -- Lookup resolution: the mount target's CA10__subnet__c against the subnet Id.
    LEFT JOIN UNNEST(mock_CA10__CaAwsSubnet__c()) AS `CA10__subnet__r`
      ON sObject.CA10__subnet__c = `CA10__subnet__r`.Id
  ) sObject
    ON sObject.Id = expectedResult.Id;