π§ AWS S3 Bucket Server Access Logging is not enabled - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π AWS S3 Bucket
- π AWS S3 Bucket - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2026-02-10T22:33:18.485432802Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ CA10__loggingBucket__r.has(COMPLIANT) | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('CA10__loggingDestinationBucketName__c').isEmpty() | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ extract('CA10__arn__c') == extract('CA10__loggingDestinationBucketArn__c') | βοΈ null |
| π’ | test5 | βοΈ 499 | βοΈ isEmptyLookup('CA10__loggingDestinationBucket__r') | βοΈ null |
| π’ | test6 | βοΈ 599 | βοΈ notEmptyLookup('CA10__loggingDestinationBucket__r') | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/s3/bucket-server-access-logging/policy.yaml | 1FCA697C2423CB0C23D795B893AE2F5F |
| Open | /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml | EA58840BD87658A0D6A8389A097EBA3A |
| Open | /ce/ca/aws/s3/bucket-server-access-logging/test-data.json | A38D8C977CD202620BB4672CFD75AE7B |
| Open | /types/CA10__CaAwsBucket__c/object.extracts.yaml | F56AFA293B0B19D4F39C1EBB70F4C56F |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/s3/bucket-server-access-logging/prod.logic.yaml
Contentβ
---
# This policy is based on ce:ca:aws:s3:bucket-access-logging
# We're checking CA10__loggingDestinationBucketName__c field to ensure
# that server access logging is enabled.
# Also verifying that the destination bucket is not deleted or missing
inputType: "CA10__CaAwsBucket__c"
importExtracts:
- file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"
testData:
- file: "test-data.json"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is a destination bucket."
check:
RELATED_LIST_HAS:
relationshipName: "CA10__loggingBucket__r"
status: "COMPLIANT"
- status: "INCOMPLIANT"
currentStateMessage: "Server access logging is not enabled."
remediationMessage: "Enable server access logging."
check:
IS_EMPTY:
arg:
EXTRACT: "CA10__loggingDestinationBucketName__c"
# When source bucket is its own destination bucket,
# then ARNs will be the same but CA10__loggingDestinationBucket__c will be empty
- status: "COMPLIANT"
currentStateMessage: "Server access logging is enabled. The bucket uses itself as the logging destination."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__arn__c"
right:
EXTRACT: "CA10__loggingDestinationBucketArn__c"
- status: "INCOMPLIANT"
currentStateMessage: "The destination bucket is missing."
remediationMessage: "Verify that access logging references an active S3 bucket."
check:
IS_EMPTY_LOOKUP: "CA10__loggingDestinationBucket__r"
- status: "COMPLIANT"
currentStateMessage: "Server access logging is enabled."
check:
NOT_EMPTY_LOOKUP: "CA10__loggingDestinationBucket__r"
otherwise:
status: "UNDETERMINED"
currentStateMessage: "Unexpected values in the fields."
relatedLists:
- relationshipName: "CA10__loggingBucket__r"
conditions: []
otherwise:
status: "COMPLIANT"
currentStateMessage: "This is a source bucket."