π§ AWS S3 Bucket MFA Delete is not enabled - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml - Located in: π AWS S3 Bucket MFA Delete is not enabled π π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π AWS S3 Bucket | CA10__CaAwsBucket__c | 16 | 1 | 7 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:45:09.639788690Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__lifecycleRulesJson__c').isNotEmpty() | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('CA10__versioningMfaDeleteEnabled__c') == false | βοΈ null |
| π’ | test4 | βοΈ 299 | βοΈ extract('CA10__versioningMfaDeleteEnabled__c') == false | βοΈ null |
| π’ | test5 | βοΈ 300 | βοΈ otherwise | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-mfa-delete/policy.yaml | 1738BB4FE38FB7E45100DB5430471AB3 |
| Open | /ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml | 1A18A56ADFE1D74BD70CFCED3FBFC66C |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | D7F01723B629E0F1265F06B9CE2EDE1F |
| Open | /ce/ca/aws/s3/bucket-mfa-delete/test.data.json | 8ADBF035F13C26CACEB4563FBFA299B2 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/aws/s3/bucket-mfa-delete/prod.logic.yaml
Contentβ
---
# This policy is based on CE policy ce:ca:aws:s3:bucket-mfa-delete-enabled
# We're checking the boolean field CA10__versioningMfaDeleteEnabled__c
# If the CA10__versioningStatus__c field is empty we, likely, don't have permissions
# If CA10__lifecycleRulesJson__c field has values than MFA Delete is not applicable
# It doesn't matter if versioning is enabled because remediation will enable it anyway
inputType: "CA10__CaAwsBucket__c"
testData:
- file: "test.data.json"
importExtracts:
- file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"
conditions:
# You cannot activate MFA if you have lifecycle configuration in place.
# It doesn't matter if it's enabled or not.
- status: "INAPPLICABLE"
currentStateMessage: "It's not possible to use MFA Delete with existing Lifecycle configurations."
check:
NOT_EMPTY:
arg:
EXTRACT: "CA10__lifecycleRulesJson__c"
# It doesn't matter if versioning is active or not because remediation checks
# if versioning is active and activates it if it's not
- status: "INCOMPLIANT"
currentStateMessage: "MFA delete is not enabled."
remediationMessage: "Consider enabling MFA delete on the bucket."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__versioningMfaDeleteEnabled__c"
right:
BOOLEAN: false
otherwise:
status: "COMPLIANT"
currentStateMessage: "The Bucket has MFA Delete."