π§ AWS S3 Bucket is not encrypted with a KMS key - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π AWS S3 Bucket
- π AWS S3 Bucket - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2025-11-17T14:33:44.983064966Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 101 | βοΈ CA10__serverSideEncryptionAlgorithm__c.delegatedTo(CA10__serverSideEncryptionAlgorithm__c).isEmpty() | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('CA10__serverSideEncryptionAlgorithm__c') == 'AES256' | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ setOfText(['aws:kms', 'aws:kms:dsse', 'aws:fsx']).contains(extract('CA10__serverSideEncryptionAlgorithm__c')) | βοΈ null |
| π’ | test5 | βοΈ 199 | βοΈ extract('CA10__serverSideEncryptionAlgorithm__c') == 'None' | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-encryption-with-kms/policy.yaml | 97923902BD2694002706025D42B84211 |
| Open | /ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml | D2609030CA982603DD484B94867D1C2B |
| Open | /ce/ca/aws/s3/bucket-encryption-with-kms/test-data.json | 9A6DD93684DBF2599F1F46923F53E475 |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | 735E25ECFC64FFE2D2C1E0F83B2D8FCA |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/s3/bucket-encryption-with-kms/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsBucket__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "The S3 bucket is not encrypted."
remediationMessage: "Enable Server-Side Encryption with AWS KMS (SSE-KMS) for the bucket."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__serverSideEncryptionAlgorithm__c"
right:
TEXT: "None"
- status: "INCOMPLIANT"
currentStateMessage: "The S3 bucket is encrypted with Amazon S3 managed key."
remediationMessage: "Enable Server-Side Encryption with AWS KMS for the bucket."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__serverSideEncryptionAlgorithm__c"
right:
TEXT: "AES256"
- status: "COMPLIANT"
currentStateMessage: "The S3 Bucket is encrypted with a KMS key."
check:
CONTAINS:
arg:
SET:
itemType: "TEXT"
items:
- "aws:kms"
- "aws:kms:dsse"
- "aws:fsx"
search:
EXTRACT: "CA10__serverSideEncryptionAlgorithm__c"
otherwise:
status: "UNDETERMINED"
currentStateMessage: "Unexpected values in the field."