Skip to main content

🔌 AWS S3 Bucket - object.extracts.yaml

  • Contextual name: 🔌 object.extracts.yaml
  • ID: /types/CA10__CaAwsBucket__c/object.extracts.yaml

Used In

LogicPolicyFlags
🧠 prod.logic.yaml🟢🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket ACL allows public read or write access🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket is located in a less cost-effective region🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket is not configured to block public access🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket is not encrypted with a KMS key🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket Lifecycle Configuration is not enabled🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket MFA Delete is not enabled🟠🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket Object Lock is not enabled🟠🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket Policy allows public read or write access🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket Server Access Logging is not enabled🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket Versioning is not enabled🟢🟢 x3
🧠 prod.logic.yaml🟢🛡️ AWS S3 Bucket with Intelligent-Tiering is missing Archive configurations🟢🟢 x3

Content

Open File

---
extracts:
# Values: yes, no. Not Nullable.
  - name: "CA10__objectLockEnabled__c"
    value: 
      FIELD:
        path: "CA10__objectLockEnabled__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__objectLockEnabled__c"
            currentStateMessage: "Unable to determine Object Lock status. Possible permission issue with s3:GetObjectLockConfiguration"
          isEmpty: "Object Lock status is not populated yet"
# Nullable.
  - name: "CA10__lifecycleRulesJson__c"
    value: 
      FIELD:
        path: "CA10__lifecycleRulesJson__c"
        returnType: BYTES
        # undeterminedIf:
        #   noAccessDelegate:
        #     path: "CA10__lifecycleRulesJson__c"
        #     currentStateMessage: "Unable to determine Lifecycle Configuration. Possible permission issue with s3:GetLifecycleConfiguration"
# Values: enabled, suspended, off. Not Nullable.
  - name: "CA10__versioningStatus__c"
    value: 
      FIELD:
        path: "CA10__versioningStatus__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__versioningStatus__c"
            currentStateMessage: "Unable to determine versioning status. Possible permission issue with s3:GetBucketVersioning"
          isEmpty: "Status is not populated yet"
# Checkbox.
  - name: "CA10__versioningMfaDeleteEnabled__c"
    value: 
      FIELD:
        path: "CA10__versioningMfaDeleteEnabled__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__versioningStatus__c"
            currentStateMessage: "Unable to determine versioning status. Possible permission issue with s3:GetBucketVersioning"
# The field can be empty if server access logging is not enabled
  - name: "CA10__loggingDestinationBucketName__c"
    value: 
      FIELD:
        path: "CA10__loggingDestinationBucketName__c"
        # undeterminedIf:
        #   noAccessDelegate:
        #     path: "CA10__loggingDestinationBucketName__c"
        #     currentStateMessage: "Unable to determine if server access logging is enabled. Possible permission issue with s3:GetBucketLogging"
# Cloudaware derives this field from CA10__loggingDestinationBucketName__c
  - name: "CA10__loggingDestinationBucketArn__c"
    value: 
      FIELD:
        path: "CA10__loggingDestinationBucketArn__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__loggingDestinationBucketName__c"
            currentStateMessage: "Unable to determine if server access logging is enabled. Possible permission issue with s3:GetBucketLogging"
# This is a look up on CA10__CaAwsBucket__c derived from CA10__loggingDestinationBucketName__c
  - name: "CA10__loggingDestinationBucket__c"
    value: 
      FIELD:
        path: "CA10__loggingDestinationBucket__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__loggingDestinationBucketName__c"
            currentStateMessage: "Unable to determine if server access logging is enabled. Possible permission issue with s3:GetBucketLogging"
  - name: "CA10__arn__c"
    value: 
      FIELD:
        path: "CA10__arn__c"
        undeterminedIf:
          isEmpty: "Bucket ARN cannot be empty. Potential data corruption"
  - name: "caJsonFrom__lifecycleRulesJson__c"
    value: 
      JSON_FROM:
        arg: 
          EXTRACT: "CA10__lifecycleRulesJson__c"
        undeterminedIf:
          isInvalid: "S3 Bucket Lifecycle Rules JSON is invalid."
# Returns BOOLEAN true if number of enabled lifecycle rules more than 0 otherwise returns false
  - name: "caJsonBoolean__lifecycleRulesJsonStatusEnabled__c"
    value: 
      JSON_QUERY_BOOLEAN:
        arg: 
          EXTRACT: "caJsonFrom__lifecycleRulesJson__c"
        expression: "length([?status=='Enabled']) > `0`"
        undeterminedIf: 
          evaluationError: "The JSON query has failed."
          resultTypeMismatch: "The JSON query did not return a boolean."
  - name: "CA10__blockPublicAcls__c"
    value: 
      FIELD:
        path: "CA10__blockPublicAcls__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__blockPublicAcls__c"
            currentStateMessage: "Unable to determine the bucket policy. Possible permission issue with s3:GetBucketPublicAccessBlock"
  - name: "CA10__blockPublicPolicy__c"
    value: 
      FIELD:
        path: "CA10__blockPublicPolicy__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__blockPublicPolicy__c"
            currentStateMessage: "Unable to determine the bucket policy. Possible permission issue with s3:GetBucketPublicAccessBlock"
  - name: "CA10__ignorePublicAcls__c"
    value: 
      FIELD:
        path: "CA10__ignorePublicAcls__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__ignorePublicAcls__c"
            currentStateMessage: "Unable to determine the bucket policy. Possible permission issue with s3:GetBucketPublicAccessBlock"
  - name: "CA10__restrictPublicBuckets__c"
    value: 
      FIELD:
        path: "CA10__restrictPublicBuckets__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__restrictPublicBuckets__c"
            currentStateMessage: "Unable to determine the bucket policy. Possible permission issue with s3:GetBucketPublicAccessBlock"
# Nullable.
  - name: "CA10__policyDocument__c"
    value: 
      FIELD:
        path: "CA10__policyDocument__c"
        returnType: BYTES
        # undeterminedIf:
        #   noAccessDelegate:
        #     path: "CA10__policyDocument__c"
        #     currentStateMessage: "Unable to determine the bucket policy. Possible permission issue with s3:GetBucketPolicy"
  - name: "caJsonFrom__policyDocument__c"
    value: 
      JSON_FROM:
        arg: 
          EXTRACT: "CA10__policyDocument__c"
        undeterminedIf:
          isInvalid: "S3 Bucket Policy Document JSON is invalid."
# Nullable.
  - name: "CA10__intelligentTieringConfigurationsJson__c"
    value: 
      FIELD:
        path: "CA10__intelligentTieringConfigurationsJson__c"
        returnType: BYTES
  - name: "caJsonFrom__intelligentTieringConfigurationsJson__c"
    value: 
      JSON_FROM:
        arg: 
          EXTRACT: "CA10__intelligentTieringConfigurationsJson__c"
        undeterminedIf:
          isInvalid: "S3 Bucket Policy Document JSON is invalid."
# Nullable.
  - name: "CA10__regionName__c"
    value:
      FIELD:
        path: "CA10__regionName__c"
# Nullable.
  - name: "CA10__intelligentTieringStorageGb__c"
    value:
      FIELD:
        path: "CA10__intelligentTieringStorageGb__c"
# Values: AES256 | aws:fsx | aws:kms | aws:kms:dsse | None. Not Nullable.
  - name: "CA10__serverSideEncryptionAlgorithm__c"
    value:
      FIELD:
        path: "CA10__serverSideEncryptionAlgorithm__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__serverSideEncryptionAlgorithm__c"
            currentStateMessage: "Unable to determine Bucket Encryption Algorithm. Possible permissions issue with s3:GetEncryptionConfiguration"
  - name: "CA10__accessControlPolicy__c"
    value: 
      FIELD:
        path: "CA10__accessControlPolicy__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__accessControlPolicy__c"
            currentStateMessage: "Unable to determine the bucket ACL. Possible permission issue with s3:GetBucketAcl"
  - name: "caJsonFrom__accessControlPolicy__c"
    value: 
      JSON_FROM:
        arg:
          EXTRACT: "CA10__accessControlPolicy__c"
        undeterminedIf:
          isInvalid: "The Access Control Policy JSON is invalid."
  - name: "CA10__accessControlGrants__c"
    value: 
      FIELD:
        path: "CA10__accessControlGrants__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__accessControlGrants__c"
            currentStateMessage: "Unable to determine the bucket ACL. Possible permission issue with s3:GetBucketAcl"
  - name: "CA10__policyIsPublic__c"
    value: 
      FIELD:
        path: "CA10__policyIsPublic__c"
        undeterminedIf:
          noAccessDelegate:
            path: "CA10__policyIsPublic__c"
            currentStateMessage: "Unable to determine the bucket policy status. Possible permission issue with s3:GetBucketPolicyStatus"