π§ AWS S3 Bucket Policy allows public read or write access - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π AWS S3 Bucket
- π AWS S3 Bucket - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2025-11-20T13:28:59.335004485Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__policyIsPublic__c') != 'Yes' | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('CA10__blockPublicPolicy__c') == 'Yes' | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ CA10__policyDocumentExt__c .allows(EXTERNAL_PRINCIPAL, [s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion, ... 3 elements]) | βοΈ null |
| π’ | test5 | βοΈ 399 | βοΈ CA10__policyDocumentExt__c .allows(EXTERNAL_PRINCIPAL, [s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion, ... 3 elements]) | βοΈ null |
| π’ | test6 | βοΈ 499 | βοΈ CA10__policyDocumentExt__c .allows(EXTERNAL_PRINCIPAL, [s3:ListBucket, s3:GetObject, s3:GetObjectVersion]) | βοΈ null |
| π’ | test7 | βοΈ 500 | βοΈ otherwise | βοΈ null |
| π’ | test8 | βοΈ 399 | βοΈ CA10__policyDocumentExt__c .allows(EXTERNAL_PRINCIPAL, [s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion, ... 3 elements]) | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-public-policy/policy.yaml | B62FF81E400345859A590AA6997A1ABD |
| Open | /ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml | BDEBE5D7D804919A894AB2E4D20DB9C2 |
| Open | /ce/ca/aws/s3/bucket-public-policy/test-data.json | BB67B151D64F1FE0A0DC4B70CCC95169 |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | F56AFA293B0B19D4F39C1EBB70F4C56F |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/s3/bucket-public-policy/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsBucket__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"
conditions:
- status: "COMPLIANT"
currentStateMessage: "The bucket policy is not public."
check:
NOT_EQUAL:
left:
EXTRACT: CA10__policyIsPublic__c
right:
TEXT: "Yes"
- status: "COMPLIANT"
currentStateMessage: "The Bucket policy is public but the block public policy configuration is enabled."
check:
IS_EQUAL:
left:
EXTRACT: CA10__blockPublicPolicy__c
right:
TEXT: "Yes"
- status: "INCOMPLIANT"
currentStateMessage: "The bucket policy grants public write access to the bucket data."
remediationMessage: "Consider removing the public write access from the bucket."
check:
AWS_POLICY_ALLOWS:
widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL"
policyExtField: "CA10__policyDocumentExt__c"
actions:
- "s3:PutObject"
- "s3:DeleteObject"
- "s3:DeleteObjectVersion"
- "s3:PutObjectAcl"
- "s3:PutBucketAcl"
- "s3:PutBucketPolicy"
- status: "INCOMPLIANT"
currentStateMessage: "The bucket policy grants public read access to the bucket data."
remediationMessage: "Consider removing the public read access from the bucket."
check:
AWS_POLICY_ALLOWS:
widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL"
policyExtField: "CA10__policyDocumentExt__c"
actions:
- "s3:ListBucket"
- "s3:GetObject"
- "s3:GetObjectVersion"
otherwise:
status: "COMPLIANT"
currentStateMessage: "The Bucket policy does not grant public read or write access to the bucket data."