π§ AWS S3 Bucket Object Lock is not enabled - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml - Located in: π AWS S3 Bucket Object Lock is not enabled π π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π AWS S3 Bucket | CA10__CaAwsBucket__c | 16 | 1 | 7 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:45:10.320631807Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__objectLockEnabled__c') == 'no' | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('CA10__objectLockEnabled__c') == 'yes' | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-object-lock/policy.yaml | D21CCFCF50887507AA3961DD2B73ED25 |
| Open | /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml | FAB00E74E5C97ECAB96496E0E6641989 |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | D7F01723B629E0F1265F06B9CE2EDE1F |
| Open | /ce/ca/aws/s3/bucket-object-lock/test-data.json | 036F85403A754FBC3B76DC862E0D7241 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/aws/s3/bucket-object-lock/prod.logic.yaml
Contentβ
---
# This policy is based on AWS Security Hub control [S3.15] S3 buckets should be configured to use Object Lock
# https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-15
# To determine if object lock is enabled we're checking CA10__objectLockEnabled__c field
# Possible values: "yes", "no", empty which indicates permissions issue
inputType: "CA10__CaAwsBucket__c"
importExtracts:
- file: /types/CA10__CaAwsBucket__c/object.extracts.yaml
testData:
- file: "test-data.json"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "S3 Object Lock is enabled"
remediationMessage: "Consider enabling Object Lock feature"
check:
IS_EQUAL:
left:
EXTRACT: "CA10__objectLockEnabled__c"
right:
TEXT: "no"
- status: "COMPLIANT"
currentStateMessage: "S3 Object Lock is enabled"
check:
IS_EQUAL:
left:
EXTRACT: "CA10__objectLockEnabled__c"
right:
TEXT: "yes"
otherwise:
status: "UNDETERMINED"
currentStateMessage: "Unexpected value in the field"