π§ AWS S3 Bucket ACL allows public read or write access - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π AWS S3 Bucket
- π AWS S3 Bucket - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2025-11-20T13:28:59.082769870Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__blockPublicAcls__c') == 'Yes' | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('CA10__accessControlGrants__c') == number(0.0) | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ extract('caJsonFrom__accessControlPolicy__c').jsonQueryText('length(grants[?permission==\'FULL_CONTROL\' && (grantee.identifier==\'http://acs.amazonaws.com/groups/global/AllUsers\' || grantee.identifier==\'http://acs.amazonaws.com/groups/global/AuthenticatedUsers\')])') > number(0.0) | βοΈ null |
| π’ | test5 | βοΈ 499 | βοΈ extract('caJsonFrom__accessControlPolicy__c').jsonQueryText('length(grants[?(permission==\'READ\' || permission==\'READ_ACP\') && (grantee.identifier==\'http://acs.amazonaws.com/groups/global/AllUsers\' || grantee.identifier==\'http://acs.amazonaws.com/groups/global/AuthenticatedUsers\')])') > number(0.0) && extract('caJsonFrom__accessControlPolicy__c').jsonQueryText('length(grants[?(permission==\'WRITE\' || permission==\'WRITE_ACP\') && (grantee.identifier==\'http://acs.amazonaws.com/groups/global/AllUsers\' || grantee.identifier==\'http://acs.amazonaws.com/groups/global/AuthenticatedUsers\')])') > number(0.0) | βοΈ null |
| π’ | test6 | βοΈ 599 | βοΈ extract('caJsonFrom__accessControlPolicy__c').jsonQueryText('length(grants[?(permission==\'READ\' || permission==\'READ_ACP\') && (grantee.identifier==\'http://acs.amazonaws.com/groups/global/AllUsers\' || grantee.identifier==\'http://acs.amazonaws.com/groups/global/AuthenticatedUsers\')])') > number(0.0) | βοΈ null |
| π’ | test7 | βοΈ 700 | βοΈ otherwise | βοΈ null |
| π’ | test8 | βοΈ 301 | βοΈ CA10__accessControlPolicy__c.delegatedTo(CA10__accessControlPolicy__c).isEmpty() | βοΈ null |
| π’ | test9 | βοΈ 700 | βοΈ otherwise | βοΈ null |
| π’ | test10 | βοΈ 304 | βοΈ extract('caJsonFrom__accessControlPolicy__c').jsonQueryText('length(grants[?permission==\'FULL_CONTROL\' && (grantee.identifier==\'http://acs.amazonaws.com/groups/global/AllUsers\' || grantee.identifier==\'http://acs.amazonaws.com/groups/global/AuthenticatedUsers\')])').isEvaluationFailed() | βοΈ TypeError: length() expected argument 1 to be type 2,3,4 but received type 7 instead. |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-public-acl/policy.yaml | C6AFA22C41AF4DC7DB82BC21082DF822 |
| Open | /ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml | 88F6B3E1B3EED363C3A1C5CF1C420F67 |
| Open | /ce/ca/aws/s3/bucket-public-acl/test-data.json | 8570F95BB625296F1FE5E34E3B3E54CD |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | F56AFA293B0B19D4F39C1EBB70F4C56F |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/s3/bucket-public-acl/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsBucket__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"
conditions:
- status: "COMPLIANT"
currentStateMessage: "The Bucket is configured to block public ACLs."
check:
IS_EQUAL:
left:
EXTRACT: CA10__blockPublicAcls__c
right:
TEXT: "Yes"
- status: "COMPLIANT"
currentStateMessage: "The Bucket ACL is configured with any grants."
check:
IS_EQUAL:
left:
EXTRACT: CA10__accessControlGrants__c
right:
NUMBER: 0.0
- status: "INCOMPLIANT"
currentStateMessage: "The bucket ACL grants public full control access."
remediationMessage: "Modify the bucket ACL to remove grants for 'Everyone' or\
\ 'Any authenticated AWS user'. It is strongly recommended to enable\
\ 'Block all public access' and use IAM policies for access control."
check:
# Full control for Everyone or Any authenticated AWS user
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__accessControlPolicy__c"
expression: "length(grants[?permission=='FULL_CONTROL' && (grantee.identifier=='http://acs.amazonaws.com/groups/global/AllUsers' || grantee.identifier=='http://acs.amazonaws.com/groups/global/AuthenticatedUsers')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
- status: "INCOMPLIANT"
currentStateMessage: "The bucket ACL grants both public read and public write access."
remediationMessage: "Modify the bucket ACL to remove grants for 'Everyone' or\
\ 'Any authenticated AWS user'. It is strongly recommended to enable\
\ 'Block all public access' and use IAM policies for access control."
check:
AND:
args:
# Read permissions for Everyone or Any authenticated AWS user
- GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__accessControlPolicy__c"
expression: "length(grants[?(permission=='READ' || permission=='READ_ACP') && (grantee.identifier=='http://acs.amazonaws.com/groups/global/AllUsers' || grantee.identifier=='http://acs.amazonaws.com/groups/global/AuthenticatedUsers')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
# Write permissions for Everyone or Any authenticated AWS user
- GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__accessControlPolicy__c"
expression: "length(grants[?(permission=='WRITE' || permission=='WRITE_ACP') && (grantee.identifier=='http://acs.amazonaws.com/groups/global/AllUsers' || grantee.identifier=='http://acs.amazonaws.com/groups/global/AuthenticatedUsers')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
- status: "INCOMPLIANT"
currentStateMessage: "The bucket ACL grants public read access."
remediationMessage: "Modify the bucket ACL to remove grants for 'Everyone' or\
\ 'Any authenticated AWS user'. It is strongly recommended to enable\
\ 'Block all public access' and use IAM policies for access control."
check:
# Read permissions for Everyone or Any authenticated AWS user
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__accessControlPolicy__c"
expression: "length(grants[?(permission=='READ' || permission=='READ_ACP') && (grantee.identifier=='http://acs.amazonaws.com/groups/global/AllUsers' || grantee.identifier=='http://acs.amazonaws.com/groups/global/AuthenticatedUsers')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
- status: "INCOMPLIANT"
currentStateMessage: "The bucket ACL grants public write access."
remediationMessage: "Modify the bucket ACL to remove grants for 'Everyone' or\
\ 'Any authenticated AWS user'. It is strongly recommended to enable\
\ 'Block all public access' and use IAM policies for access control."
check:
# Read permissions for Everyone or Any authenticated AWS user
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__accessControlPolicy__c"
expression: "length(grants[?(permission=='WRITE' || permission=='WRITE_ACP') && (grantee.identifier=='http://acs.amazonaws.com/groups/global/AllUsers' || grantee.identifier=='http://acs.amazonaws.com/groups/global/AuthenticatedUsers')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return a number type."
right:
NUMBER: 0.0
otherwise:
status: "COMPLIANT"
currentStateMessage: "The Bucket ACL does not grant public read or write access."