--- policy: /ce/ca/aws/rds/snapshot-publicly-accessible logic: /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml executionTime: 2026-02-10T22:33:14.434439983Z generationMs: 57 executionMs: 785 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__encrypted__c') == true actual: extract('CA10__encrypted__c') == true runtimeError: {} - id: test3 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__snapshotType__c') == 'automated' || extract('CA10__snapshotType__c') == 'awsbackup' actual: extract('CA10__snapshotType__c') == 'automated' || extract('CA10__snapshotType__c') == 'awsbackup' runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: extract('CA10__snapshotType__c') == 'public' actual: extract('CA10__snapshotType__c') == 'public' runtimeError: {} - id: test5 match: true status: expected: UNDETERMINED actual: UNDETERMINED conditionIndex: expected: 401 actual: 401 conditionText: expected: CA10__attributesJson__c.delegatedTo(CA10__attributesJson__c).isEmpty() actual: CA10__attributesJson__c.delegatedTo(CA10__attributesJson__c).isEmpty() runtimeError: {} - id: test6 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])')\ \ == 'all'" actual: "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])')\ \ == 'all'" runtimeError: {} - id: test7 
match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 500 actual: 500 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test8 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 500 actual: 500 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/rds/snapshot-publicly-accessible/policy.yaml md5Hash: BFCEB675F8AF97966D14960558EDBF00 content: | --- names: full: AWS RDS Snapshot is publicly accessible contextual: Snapshot is publicly accessible description: Ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible (i.e. shared with all AWS accounts and users) in order to avoid exposing your private data. type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cloudaware/resource-security/public-and-anonymous-access" - "/frameworks/aws-fsbp-v1.0.0/rds/01" similarPolicies: awsSecurityHub: - name: "[RDS.1] RDS snapshot should be private" url: https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-1 internal: - dec-x-b3342905 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/public-snapshots.html name: Amazon RDS Public Snapshots - path: /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml md5Hash: 371AE704DF40F0BECEE3A66732C1E955 content: | --- inputType: CA10__CaAwsDbSnapshot__c importExtracts: - file: "/types/CA10__CaAwsDbSnapshot__c/object.extracts.yaml" testData: - file: "test-data.json" conditions: - status: INAPPLICABLE currentStateMessage: "Encrypted RDS snapshots cannot be public." # cannot be set to restore:all check: IS_EQUAL: left: EXTRACT: CA10__encrypted__c right: BOOLEAN: true - status: INAPPLICABLE currentStateMessage: "RDS snapshots created automatically or via AWS Backup cannot be public." 
check: OR: args: - IS_EQUAL: left: EXTRACT: CA10__snapshotType__c right: TEXT: automated - IS_EQUAL: left: EXTRACT: CA10__snapshotType__c right: TEXT: awsbackup - status: INCOMPLIANT currentStateMessage: "The RDS snapshot is publicly accessible." remediationMessage: "Make the snapshot private or restrict access to specific AWS accounts." check: IS_EQUAL: left: EXTRACT: CA10__snapshotType__c right: TEXT: public # TODO: modify the INCOMPLIANT status logic to use map ops when released. - status: INCOMPLIANT currentStateMessage: "The RDS snapshot is publicly accessible." remediationMessage: "Make the snapshot private or restrict access to specific AWS accounts." check: IS_EQUAL: left: JSON_QUERY_TEXT: arg: EXTRACT: caJsonFrom__attributesJson__c expression: "to_string(restore[0])" undeterminedIf: evaluationError: "The JSON query has failed." resultTypeMismatch: "The JSON query did not return text type." right: TEXT: "all" otherwise: status: COMPLIANT currentStateMessage: "The RDS snapshot is not publicly accessible." 
- path: /ce/ca/aws/rds/snapshot-publicly-accessible/test-data.json md5Hash: F925F0C16F8C3C8D5244C998646C0A4E content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-07-01T22:14:15Z", "CA10__encrypted__c": false, "CA10__snapshotType__c": "manual", "CA10__attributesJson__c": "" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__encrypted__c') == true", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__encrypted__c": true, "CA10__snapshotType__c": "manual", "CA10__attributesJson__c": "{\"restore\":[]}" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "299", "conditionText": "extract('CA10__snapshotType__c') == 'automated' || extract('CA10__snapshotType__c') == 'awsbackup'", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__encrypted__c": false, "CA10__snapshotType__c": "automated", "CA10__attributesJson__c": "{\"restore\":[]}" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "399", "conditionText": "extract('CA10__snapshotType__c') == 'public'", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "CA10__encrypted__c": false, "CA10__snapshotType__c": "public", "CA10__attributesJson__c": "{\"restore\":[]}" }, { "expectedResult": { "status": "UNDETERMINED", "conditionIndex": "401", "conditionText": "CA10__attributesJson__c.delegatedTo(CA10__attributesJson__c).isEmpty()", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, 
"CA10__encrypted__c": false, "CA10__snapshotType__c": "manual", "CA10__attributesJson__c": "" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "499", "conditionText": "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])') == 'all'", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test6", "CA10__disappearanceTime__c": null, "CA10__encrypted__c": false, "CA10__snapshotType__c": "manual", "CA10__attributesJson__c": "{\"restore\":[\"all\"]}" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "500", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test7", "CA10__disappearanceTime__c": null, "CA10__encrypted__c": false, "CA10__snapshotType__c": "manual", "CA10__attributesJson__c": "{\"restore\":[]}" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "500", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-07-31T10:27:44Z" }, "Id": "test8", "CA10__disappearanceTime__c": null, "CA10__encrypted__c": false, "CA10__snapshotType__c": "manual", "CA10__attributesJson__c": "{\"restore\":[\"241189877026\"]}" } ] - path: /types/CA10__CaAwsDbSnapshot__c/object.extracts.yaml md5Hash: 76C7D71A88222DC213DE94D7293929A3 content: "---\nextracts:\n# Checkbox\n - name: \"CA10__encrypted__c\"\n value:\n\ \ FIELD:\n path: CA10__encrypted__c\n# Values: automated, manual,\ \ shared, public, awsbackup. Not nullable. Can't have no access retrieved via\ \ rds:DescribeDBSnapshots\n - name: \"CA10__snapshotType__c\"\n value:\n\ \ FIELD:\n path: \"CA10__snapshotType__c\"\n undeterminedIf:\n\ \ isEmpty: \"Corrupted data. 
Snapshot Type cannot be empty.\"\n# Not\ \ Nullable.\n - name: \"CA10__attributesJson__c\"\n value: \n FIELD:\n\ \ path: \"CA10__attributesJson__c\"\n returnType: BYTES\n \ \ undeterminedIf:\n noAccessDelegate:\n path: \"CA10__attributesJson__c\"\ \n currentStateMessage: \"Unable to determine Snapshot Attributes.\ \ Possible permission issue with rds:DescribeDBSnapshotAttributes.\"\n \ \ isEmpty: \"Snapshot Attributes are not populated yet.\"\n - name: \"\ caJsonFrom__attributesJson__c\"\n value: \n JSON_FROM:\n arg:\n\ \ EXTRACT: \"CA10__attributesJson__c\"\n undeterminedIf:\n \ \ isInvalid: \"Snapshot attributes JSON is invalid\"\n# Not Nullable.\n\ \ - name: \"CA10__snapshotCreateTime__c\"\n value:\n FIELD:\n \ \ path: \"CA10__snapshotCreateTime__c\"\n undeterminedIf:\n \ \ isEmpty: \"Corrupted data. Snapshot Create Time cannot be empty.\"\n# Not\ \ nullable. Can't have no access retrieved via rds:DescribeDBSnapshots\n -\ \ name: \"CA10__status__c\"\n value:\n FIELD:\n path: \"CA10__status__c\"\ \n undeterminedIf:\n isEmpty: \"Corrupted data. 
Snapshot Status\ \ cannot be empty.\"\n"
script: |-
  -- Generated test harness (BigQuery-style SQL with JavaScript UDFs) for the
  -- snapshot-publicly-accessible policy. It defines two mock-data functions, one
  -- function that evaluates the policy conditions for a single snapshot row, and a
  -- final SELECT that compares expected and actual verdicts per test Id.

  -- Expected verdict (status, conditionIndex, conditionText, runtimeError) per test Id.
  -- NOTE(review): the element type after ARRAY looks like it was lost when this page
  -- was captured ("ARRAY >>"); the declaration is not valid as shown.
  CREATE TEMP FUNCTION mock_ExpectedResult()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } },
      { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__encrypted__c') == true", "runtimeError" : null } },
      { "Id" : "test3", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "299", "conditionText" : "extract('CA10__snapshotType__c') == 'automated' || extract('CA10__snapshotType__c') == 'awsbackup'", "runtimeError" : null } },
      { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "399", "conditionText" : "extract('CA10__snapshotType__c') == 'public'", "runtimeError" : null } },
      { "Id" : "test5", "expectedResult" : { "status" : "UNDETERMINED", "conditionIndex" : "401", "conditionText" : "CA10__attributesJson__c.delegatedTo(CA10__attributesJson__c).isEmpty()", "runtimeError" : null } },
      { "Id" : "test6", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "499", "conditionText" : "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])') == 'all'", "runtimeError" : null } },
      { "Id" : "test7", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "500", "conditionText" : "otherwise", "runtimeError" : null } },
      { "Id" : "test8", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "500", "conditionText" : "otherwise", "runtimeError" : null } }
    ];
  """;

  -- Mock snapshot rows fed to the policy function, one per test Id.
  -- Only test1 sets CA10__disappearanceTime__c; the other rows omit the key.
  -- NOTE(review): same truncated "ARRAY >>" return type as above.
  CREATE TEMP FUNCTION mock_CA10__CaAwsDbSnapshot__c()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__disappearanceTime__c" : new Date("2024-07-01T22:14:15Z"), "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "manual", "CA10__attributesJson__c" : "", "Id" : "test1" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : true, "CA10__snapshotType__c" : "manual", "CA10__attributesJson__c" : "{\"restore\":[]}", "Id" : "test2" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "automated", "CA10__attributesJson__c" : "{\"restore\":[]}", "Id" : "test3" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "public", "CA10__attributesJson__c" : "{\"restore\":[]}", "Id" : "test4" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "manual", "CA10__attributesJson__c" : "", "Id" : "test5" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "manual", "CA10__attributesJson__c" : "{\"restore\":[\"all\"]}", "Id" : "test6" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "manual", "CA10__attributesJson__c" : "{\"restore\":[]}", "Id" : "test7" },
      { "context" : { "snapshotTime" : new Date("2024-07-31T10:27:44Z") }, "CA10__encrypted__c" : false, "CA10__snapshotType__c" : "manual", "CA10__attributesJson__c" : "{\"restore\":[\"241189877026\"]}", "Id" : "test8" }
    ];
  """;

  -- Evaluates the policy conditions in order for one snapshot row and returns the
  -- first verdict that applies: DISAPPEARED, INAPPLICABLE (encrypted, or automated /
  -- awsbackup type), INCOMPLIANT (type 'public', or restore[0] == 'all'),
  -- UNDETERMINED (missing or unparsable input), otherwise COMPLIANT.
  -- snapshotTime is accepted but not referenced in the body below.
  -- NOTE(review): "RETURNS STRUCT" has no field list here; it was presumably lost in capture.
  -- NOTE(review): jmespath.min.js is loaded from a storage bucket when the function is
  -- created; nothing here pins a version or checksum, so the verdicts depend on the
  -- integrity of that object. Confirm that write access to the bucket is restricted.
  CREATE TEMP FUNCTION process_CA10__CaAwsDbSnapshot__c(
    obj STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      CA10__encrypted__c BOOLEAN,
      CA10__snapshotType__c STRING,
      CA10__attributesJson__c STRING,
      Id STRING
    >,
    snapshotTime TIMESTAMP
  )
  RETURNS STRUCT
  DETERMINISTIC LANGUAGE js
  OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js'])
  AS r"""
    // Exact-value string helpers: null is treated as '' and nothing else is altered.
    var BytesLib = new function () {
      this.normalize = function(arg) { return arg == null ? '' : arg; };
      this.isEmpty = function(arg) { return this.normalize(arg) == ''; };
      this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; };
      this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); };
      this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); };
      this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); };
      this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); };
      this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); };
      this.containsAll = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
      };
      this.containsAny = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
      };
    }();
    // Text helpers: same API as BytesLib, but values are whitespace-collapsed, trimmed
    // and lower-cased first, so every TextLib comparison is case-insensitive.
    var TextLib = new function () {
      this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); };
      this.isEmpty = function(arg) { return this.normalize(arg) == ''; };
      this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; };
      this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); };
      this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); };
      this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); };
      this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); };
      this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); };
      this.containsAll = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
      };
      this.containsAny = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
      };
    }();
    // Human-readable evidence lines; joined into currentStateReferences of every verdict.
    var references1 = [];
    // condition[0], conditionIndex:[0..99]
    // A non-null disappearance time short-circuits everything else.
    references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
    if (obj.CA10__disappearanceTime__c != null) {
      return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
    }
    // condition[1], conditionIndex:[100..199]
    // The extractN helpers cache their value on the function object itself (called with
    // this === the function). Falsy values (false, '') are not cached and are re-read on
    // each call; the result is the same, only the work is repeated.
    function extract3() { if (!this.out) { this.out = obj.CA10__encrypted__c; } return this.out; };
    references1.push('Encrypted [obj.CA10__encrypted__c]: ' + obj.CA10__encrypted__c);
    if (extract3.call(extract3) == true) {
      return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__encrypted__c') == true", currentStateMessage: "Encrypted RDS snapshots cannot be public.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
    }
    // condition[2], conditionIndex:[200..299]
    // An empty snapshot type is reported as UNDETERMINED (201) by throwing an Error whose
    // cause carries the verdict; the catch below turns that cause into the return value.
    function fieldChecked7() {
      if (TextLib.isEmpty(obj.CA10__snapshotType__c)) {
        throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__snapshotType__c.isEmpty()", currentStateMessage: "Corrupted data. Snapshot Type cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
      }
      return obj.CA10__snapshotType__c;
    }
    function extract6() { if (!this.out) { this.out = fieldChecked7(); } return this.out; };
    references1.push('Snapshot Type [obj.CA10__snapshotType__c]: ' + obj.CA10__snapshotType__c);
    try {
      if (TextLib.equal(extract6.call(extract6), 'automated') || TextLib.equal(extract6.call(extract6), 'awsbackup')) {
        return {status: 'INAPPLICABLE', conditionIndex: 299, conditionText: "extract('CA10__snapshotType__c') == 'automated' || extract('CA10__snapshotType__c') == 'awsbackup'", currentStateMessage: "RDS snapshots created automatically or via AWS Backup cannot be public.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
      }
    } catch (err) {
      // Errors without a verdict in cause are genuine failures and are re-thrown.
      if (err.cause && err.cause.status) { return err.cause; } else { throw err; }
    }
    // condition[3], conditionIndex:[300..399]
    // The empty-type guard (301) is unreachable in practice: condition[2] has already
    // returned 201 for the same input.
    function fieldChecked11() {
      if (TextLib.isEmpty(obj.CA10__snapshotType__c)) {
        throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__snapshotType__c.isEmpty()", currentStateMessage: "Corrupted data. Snapshot Type cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
      }
      return obj.CA10__snapshotType__c;
    }
    function extract10() { if (!this.out) { this.out = fieldChecked11(); } return this.out; };
    try {
      if (TextLib.equal(extract10.call(extract10), 'public')) {
        return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "extract('CA10__snapshotType__c') == 'public'", currentStateMessage: "The RDS snapshot is publicly accessible.", currentStateReferences: references1.join('\n'), remediation: "Make the snapshot private or restrict access to specific AWS accounts.", runtimeError: null};
      }
    } catch (err) {
      if (err.cause && err.cause.status) { return err.cause; } else { throw err; }
    }
    // condition[4], conditionIndex:[400..499]
    // Runs the JMESPath query to_string(restore[0]) over the parsed attributes JSON.
    // NOTE(review): the 404 (type mismatch) Error is thrown inside the try block, so the
    // catch directly below intercepts it and re-throws it as 405 "The JSON query has
    // failed."; a 404 verdict can never reach the caller.
    // NOTE(review): only the first element of restore is inspected. A list in which 'all'
    // is present but not first would fall through to COMPLIANT, a false negative for a
    // public-exposure check. Confirm whether the collected attribute can hold 'all'
    // alongside account IDs, and if so test membership over the whole list.
    function jsonQueryChecked12() {
      var input = extract14.call(extract14);
      var out;
      try {
        out = jmespath.search(input, 'to_string(restore[0])');
        if (out != null && typeof out != 'string') {
          throw new Error("UNDETERMINED condition:404", {cause: {status: 'UNDETERMINED', conditionIndex: 404, conditionText: "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
        }
      } catch (e) {
        throw new Error("UNDETERMINED condition:405", {cause: {status: 'UNDETERMINED', conditionIndex: 405, conditionText: "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
      }
      return out;
    }
    // Parses the attributes string as JSON; a parse failure becomes UNDETERMINED (403).
    // NOTE(review): a whitespace-only value passes the BytesLib check in fieldChecked18
    // but is mapped to null here, and JSON.parse(null) returns null instead of throwing,
    // so 403 is not raised for it.
    function jsonChecked15() {
      var input = extract17.call(extract17);
      input = TextLib.isEmpty(input) ? null : input;
      var out;
      try {
        out = JSON.parse(input);
      } catch (e) {
        throw new Error("UNDETERMINED condition:403", {cause: {status: 'UNDETERMINED', conditionIndex: 403, conditionText: "extract('CA10__attributesJson__c').asJson().isInvalid()", currentStateMessage: "Snapshot attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
      }
      return out;
    }
    // Returns the raw attributes string, or throws UNDETERMINED when it is empty.
    // NOTE(review): both guards test the same expression, so the second (402, "not
    // populated yet") is unreachable; an empty field is always reported as 401 with the
    // permission-issue message, as test5 shows.
    function fieldChecked18() {
      if (BytesLib.isEmpty(obj.CA10__attributesJson__c)) {
        throw new Error("UNDETERMINED condition:401", {cause: {status: 'UNDETERMINED', conditionIndex: 401, conditionText: "CA10__attributesJson__c.delegatedTo(CA10__attributesJson__c).isEmpty()", currentStateMessage: "Unable to determine Snapshot Attributes. Possible permission issue with rds:DescribeDBSnapshotAttributes.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
      }
      if (BytesLib.isEmpty(obj.CA10__attributesJson__c)) {
        throw new Error("UNDETERMINED condition:402", {cause: {status: 'UNDETERMINED', conditionIndex: 402, conditionText: "CA10__attributesJson__c.isEmpty()", currentStateMessage: "Snapshot Attributes are not populated yet.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
      }
      return obj.CA10__attributesJson__c;
    }
    function extract17() { if (!this.out) { this.out = fieldChecked18(); } return this.out; };
    function extract14() { if (!this.out) { this.out = jsonChecked15(); } return this.out; };
    references1.push('Attributes JSON [obj.CA10__attributesJson__c]: ' + obj.CA10__attributesJson__c);
    try {
      if (TextLib.equal(jsonQueryChecked12(), 'all')) {
        return {status: 'INCOMPLIANT', conditionIndex: 499, conditionText: "extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])') == 'all'", currentStateMessage: "The RDS snapshot is publicly accessible.", currentStateReferences: references1.join('\n'), remediation: "Make the snapshot private or restrict access to specific AWS accounts.", runtimeError: null};
      }
    } catch (err) {
      if (err.cause && err.cause.status) { return err.cause; } else { throw err; }
    }
    // No condition matched: the snapshot is treated as not public.
    return {status: 'COMPLIANT', conditionIndex: 500, conditionText: "otherwise", currentStateMessage: "The RDS snapshot is not publicly accessible.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  """;

  -- Compares expected and actual verdicts per test Id. The LEFT JOIN keeps every
  -- expected row, so a test with no evaluated row compares against NULLs (replaced by
  -- the IFNULL defaults) instead of dropping out of the result.
  SELECT
    expectedResult.Id as Id,
    IF (
      IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
      AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
      AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
      AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
      "MATCH",
      "FAIL"
    ) as match,
    expectedResult.expectedResult.status as expectedStatus,
    sObject.result.status as actualStatus,
    expectedResult.expectedResult.conditionIndex as expectedConditionIndex,
    sObject.result.conditionIndex as actualConditionIndex,
    expectedResult.expectedResult.conditionText as expectedConditionText,
    sObject.result.conditionText as actualConditionText,
    expectedResult.expectedResult.runtimeError as expectedRuntimeError,
    sObject.result.runtimeError as actualRuntimeError
  FROM UNNEST(mock_ExpectedResult()) expectedResult
  LEFT JOIN (
    -- Evaluate the policy once per mock snapshot row.
    SELECT
      sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
      sObject.CA10__encrypted__c AS CA10__encrypted__c,
      sObject.CA10__snapshotType__c AS CA10__snapshotType__c,
      sObject.CA10__attributesJson__c AS CA10__attributesJson__c,
      sObject.Id AS Id,
      process_CA10__CaAwsDbSnapshot__c(
        STRUCT(
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.CA10__encrypted__c AS CA10__encrypted__c,
          sObject.CA10__snapshotType__c AS CA10__snapshotType__c,
          sObject.CA10__attributesJson__c AS CA10__attributesJson__c,
          sObject.Id AS Id
        ),
        sObject.context.snapshotTime
      ) as result
    FROM UNNEST(mock_CA10__CaAwsDbSnapshot__c()) AS sObject
  ) sObject ON sObject.Id = expectedResult.Id;