🧠 AWS S3 Bucket Policy is not set to deny HTTP requests - prod.logic.yaml 🟢

Contextual name: 🧠 prod.logic.yaml 🟢
ID: /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml
Located in: 📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢

Flags

Input Type

	Type	API Name	Extracts	Extract Files	Logic Files
🔒	📕 AWS S3 Bucket	`CA10__CaAwsBucket__c`	16	1	7

Uses

🔌 AWS S3 Bucket - object.extracts.yaml
🧪 test-data.json

Test Results 🟢

Generated at: 2025-04-24T23:45:11.066914511Z Open

Result	Id	Condition Index	Condition Text	Runtime Error
🟢	test1	✔️ `99`	✔️ `isDisappeared(CA10__disappearanceTime__c)`	✔️ `null`
🟢	test2	✔️ `199`	✔️ `extract('CA10__policyDocument__c').isEmpty()`	✔️ `null`
🟢	test3	✔️ `299`	✔️ `extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0)`	✔️ `null`
🟢	test4	✔️ `299`	✔️ `extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0)`	✔️ `null`
🟢	test5	✔️ `299`	✔️ `extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0)`	✔️ `null`
🟢	test6	✔️ `299`	✔️ `extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0)`	✔️ `null`
🟢	test7	✔️ `399`	✔️ `extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') > number(0.0) \|\| extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') > number(0.0)`	✔️ `null`
🟢	test8	✔️ `399`	✔️ `extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') > number(0.0) \|\| extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') > number(0.0)`	✔️ `null`

Generation

	File	MD5
Open	`/ce/ca/aws/s3/bucket-policy-deny-http-requests/policy.yaml`	`2BD1484D9DD5B93C00AAB474F49042C7`
Open	`/ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml`	`1763984FE618A6CD9AE7A8A107CC8A7C`
Open	`/types/CA10__CaAwsBucket__c/object.extracts.yaml`	`D7F01723B629E0F1265F06B9CE2EDE1F`
Open	`/ce/ca/aws/s3/bucket-policy-deny-http-requests/test-data.json`	`31AD5B8DD97468C94B6DEB458D049CBD`

Generate FULL script

java -jar repo-manager.jar policies generate FULL /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml

Generate DEBUG script

java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml

Generate CAPTURE_TEST_DATA script

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml

Generate TESTS script

java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml

Execute tests

java -jar repo-manager.jar policies test /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml

Content

Open File

---
inputType: "CA10__CaAwsBucket__c"
testData:
 - file: test-data.json
importExtracts:
 - file: /types/CA10__CaAwsBucket__c/object.extracts.yaml
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "The bucket policy hasn't been configured for this bucket and by default it's allowing both HTTP and HTTPS requests."
    remediationMessage: "Consider configuring the bucket policy that will deny HTTP requests."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10__policyDocument__c"
  - status: "INCOMPLIANT"
    currentStateMessage: "The bucket policy hasn't been configured to deny HTTP requests."
    remediationMessage: "Consider configuring the bucket policy that will deny HTTP requests."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.Bool.\"aws:SecureTransport\" == 'false'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
          - IS_EQUAL:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.NumericLessThan.\"s3:TlsVersion\" == '1.2'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
  - status: "COMPLIANT"
    currentStateMessage: "The bucket policy has been configured to deny HTTP requests."
    check:
      OR: 
        args:
          - GREATER_THAN:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.Bool.\"aws:SecureTransport\" == 'false'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
          - GREATER_THAN:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.NumericLessThan.\"s3:TlsVersion\" == '1.2'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "Unexpected values in the field."

Flags​

Input Type​

Uses​

Test Results 🟢​

Generation​

Generate FULL script​

Generate DEBUG script​

Generate CAPTURE_TEST_DATA script​

Generate TESTS script​

Execute tests​

Content​

Flags

Input Type

Uses

Test Results 🟢

Generation

Generate FULL script

Generate DEBUG script

Generate CAPTURE_TEST_DATA script

Generate TESTS script

Execute tests

Content