Skip to main content

🧠 AWS S3 Bucket Server Access Logging is not enabled - prod.logic.yaml 🟒

Flags​

Input Type​

TypeAPI NameExtractsExtract FilesLogic Files
πŸ”’πŸ“• AWS S3 BucketCA10__CaAwsBucket__c1617

Uses​

Test Results πŸŸ’β€‹

Generated at: 2025-04-24T23:45:11.914832847Z Open

ResultIdCondition IndexCondition TextRuntime Error
🟒test1βœ”οΈ 99βœ”οΈ isDisappeared(CA10__disappearanceTime__c)βœ”οΈ null
🟒test2βœ”οΈ 199βœ”οΈ CA10__loggingBucket__r.has(COMPLIANT)βœ”οΈ null
🟒test3βœ”οΈ 299βœ”οΈ extract('CA10__loggingDestinationBucketName__c').isEmpty()βœ”οΈ null
🟒test4βœ”οΈ 399βœ”οΈ extract('CA10__arn__c') == extract('CA10__loggingDestinationBucketArn__c')βœ”οΈ null
🟒test5βœ”οΈ 499βœ”οΈ isEmptyLookup('CA10__loggingDestinationBucket__r')βœ”οΈ null
🟒test6βœ”οΈ 599βœ”οΈ notEmptyLookup('CA10__loggingDestinationBucket__r')βœ”οΈ null

Generation​

FileMD5
Open/ce/ca/aws/s3/bucket-server-access-logging/policy.yaml1FCA697C2423CB0C23D795B893AE2F5F
Open/ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yamlF1629AF339E60DFF42E2CBF285F4A607
Open/types/CA10__CaAwsBucket__c/object.extracts.yamlD7F01723B629E0F1265F06B9CE2EDE1F
Open/ce/ca/aws/s3/bucket-server-access-logging/test-data.jsonA38D8C977CD202620BB4672CFD75AE7B

Generate FULL script​

java -jar repo-manager.jar policies generate FULL /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml

Generate DEBUG script​

java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml

Generate CAPTURE_TEST_DATA script​

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml

Generate TESTS script​

java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml

Execute tests​

java -jar repo-manager.jar policies test /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml

Content​

Open File

---
# This policy is based on ce:ca:aws:s3:bucket-access-logging
# We're checking CA10__loggingDestinationBucketName__c field to ensure
# that server access logging is enabled.
# Also verifying that the destination bucket is not deleted or missing
inputType: "CA10__CaAwsBucket__c"
importExtracts:
  - file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"
testData:
  - file: "test-data.json"
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "This is a destination bucket."
    check:
      RELATED_LIST_HAS:
        relationshipName: "CA10__loggingBucket__r"
        status: "COMPLIANT"
  - status: "INCOMPLIANT"
    currentStateMessage: "Server access logging is not enabled."
    remediationMessage: "Consider enabling server access logging."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10__loggingDestinationBucketName__c"
# When source bucket is its own destination bucket,
# then ARNs will be the same but CA10__loggingDestinationBucket__c will be empty
  - status: "COMPLIANT"
    currentStateMessage: "Server access logging is enabled. The bucket uses itself as the logging destination."
    check:
      IS_EQUAL:
        left:
          EXTRACT: "CA10__arn__c"
        right:
          EXTRACT: "CA10__loggingDestinationBucketArn__c"
  - status: "INCOMPLIANT"
    currentStateMessage: "The destination bucket is missing."
    remediationMessage: "Ensure that bucket access logging is referencing an active S3 bucket."
    check:
      IS_EMPTY_LOOKUP: "CA10__loggingDestinationBucket__r"
  - status: "COMPLIANT"
    currentStateMessage: "Server access logging is enabled."
    check:
      NOT_EMPTY_LOOKUP: "CA10__loggingDestinationBucket__r"
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "Unexpected values in the fields."
relatedLists:
  - relationshipName: "CA10__loggingBucket__r"
    conditions: []
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "The is a source bucket."