/
public_access_test.rego
35 lines (26 loc) · 1.04 KB
/
public_access_test.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
package aws.s3.bucket_public_access_test
import rego.v1
import data.aws.s3.bucket.deny
import data.test_helpers.create_with_properties
test_deny_if_not_public_access_blocked if {
inp := create_with_properties("AWS::S3::Bucket", "MyS3Bucket", {"PublicAccessBlockConfiguration": {
"BlockPublicAcls": "false",
"BlockPublicPolicy": "true",
"IgnorePublicAcls": "true",
"RestrictPublicBuckets": "false",
}})
deny["public access not blocked for bucket MyS3Bucket"] with input as inp
}
test_allow_if_public_access_blocked if {
inp := create_with_properties("AWS::S3::Bucket", "MyS3Bucket", {"PublicAccessBlockConfiguration": {
"BlockPublicAcls": "true",
"BlockPublicPolicy": "true",
"IgnorePublicAcls": "true",
"RestrictPublicBuckets": "true",
}})
not deny["public access not blocked for bucket MyS3Bucket"] with input as inp
}
test_allow_if_excluded_prefix if {
inp := create_with_properties("AWS::S3::Bucket", "MyS3Bucket", {"BucketName": "excluded-bucket"})
not deny["public access not blocked for bucket MyS3Bucket"] with input as inp
}