π§ AWS S3 Bucket Policy is not set to deny HTTP requests - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π AWS S3 Bucket
- π AWS S3 Bucket - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2026-02-10T22:33:18.279963646Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__policyDocument__c').isEmpty() | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0) | βοΈ null |
| π’ | test4 | βοΈ 299 | βοΈ extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0) | βοΈ null |
| π’ | test5 | βοΈ 299 | βοΈ extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0) | βοΈ null |
| π’ | test6 | βοΈ 299 | βοΈ extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') == number(0.0) && extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') == number(0.0) | βοΈ null |
| π’ | test7 | βοΈ 399 | βοΈ extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') > number(0.0) || extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') > number(0.0) | βοΈ null |
| π’ | test8 | βοΈ 399 | βοΈ extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.Bool."aws:SecureTransport" == \'false\'])') > number(0.0) || extract('caJsonFrom__policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Deny\' && Condition.NumericLessThan."s3:TlsVersion" == \'1.2\'])') > number(0.0) | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-policy-deny-http-requests/policy.yaml | 8093FEECFDB6C1D7B57D8E3F4D19820A |
| Open | /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml | 6DF478C5E640855235CC699C4C25D6F9 |
| Open | /ce/ca/aws/s3/bucket-policy-deny-http-requests/test-data.json | 31AD5B8DD97468C94B6DEB458D049CBD |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | F56AFA293B0B19D4F39C1EBB70F4C56F |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/s3/bucket-policy-deny-http-requests/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsBucket__c"
testData:
- file: test-data.json
importExtracts:
- file: /types/CA10__CaAwsBucket__c/object.extracts.yaml
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "No bucket policy is configured, so both HTTP and HTTPS requests are allowed by default."
remediationMessage: "Configure a bucket policy that denies HTTP requests."
check:
IS_EMPTY:
arg:
EXTRACT: "CA10__policyDocument__c"
- status: "INCOMPLIANT"
currentStateMessage: "The bucket policy is not configured to deny HTTP requests."
remediationMessage: "Configure a bucket policy that denies HTTP requests."
check:
AND:
args:
- IS_EQUAL:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__policyDocument__c"
expression: "length(Statement[? Effect == 'Deny' && Condition.Bool.\"aws:SecureTransport\" == 'false'])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
- IS_EQUAL:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__policyDocument__c"
expression: "length(Statement[? Effect == 'Deny' && Condition.NumericLessThan.\"s3:TlsVersion\" == '1.2'])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
- status: "COMPLIANT"
currentStateMessage: "The bucket policy has been configured to deny HTTP requests."
check:
OR:
args:
- GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__policyDocument__c"
expression: "length(Statement[? Effect == 'Deny' && Condition.Bool.\"aws:SecureTransport\" == 'false'])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
- GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__policyDocument__c"
expression: "length(Statement[? Effect == 'Deny' && Condition.NumericLessThan.\"s3:TlsVersion\" == '1.2'])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
otherwise:
status: "UNDETERMINED"
currentStateMessage: "Unexpected values in the field."