What is the problem?
The rules/aws/amazon_s3/s3_bucket_ssl_requests_only.guard rule only works if there is a bucket policy present. But if I define a bucket with no bucket policy, then the rule passes/skips, but it should actually fail.
In addition, it would be good to be able to suppress this rule on the bucket resource because you may not have a bucket policy to add the suppression to.
Reproduction Steps
Add this to its tests file:
If you run with that test case, you currently get this failure:
What did you expect to happen?
The rule should fail when a bucket is defined without a bucket policy. The rule should also be able to be suppressed on the bucket because the bucket policy may not exist.
What actually happened?
The rule passes/skips when the bucket has no bucket policy.
CloudFormation Guard Version
cfn-guard 2.1.3
OS
macOS
OS Version
No response
Other information
Think this is another example that could be fixed if https://github.com/aws-cloudformation/cloudformation-guard/issues/267 was resolved. Think we would need to be able to find S3 buckets and then look up its bucket policy by Logical ID.
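As an added example (not the project's or the reporter's code), this Python sketch does the bucket-to-policy lookup by Logical ID that the report asks for, so that a bucket with no bucket policy fails instead of being skipped; the template data and resource names are constructed, and the compliant-policy shape (Deny when aws:SecureTransport is false) is assumed from what the rule checks.

```python
# Added illustration (not the cfn-guard rule itself) of the check the issue asks for:
# every AWS::S3::Bucket must have a BucketPolicy, found via Ref on its logical ID,
# that denies requests with aws:SecureTransport == false. Template data is constructed.

def policies_by_bucket(resources):
    """Map bucket logical ID -> AWS::S3::BucketPolicy whose Bucket is {"Ref": id}."""
    out = {}
    for res in resources.values():
        if res.get("Type") == "AWS::S3::BucketPolicy":
            target = res.get("Properties", {}).get("Bucket")
            if isinstance(target, dict) and "Ref" in target:
                out[target["Ref"]] = res
    return out

def denies_insecure_transport(policy_res):
    """True if a statement is Effect Deny with Condition Bool aws:SecureTransport false."""
    statements = policy_res.get("Properties", {}).get("PolicyDocument", {}).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written as an object
        statements = [statements]
    for stmt in statements:
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def check_ssl_requests_only(template):
    """Return {bucket_id: 'PASS'|'FAIL'}; unlike the current rule, a bucket with no policy FAILs."""
    resources = template.get("Resources", {})
    policies = policies_by_bucket(resources)
    return {
        bid: "PASS" if bid in policies and denies_insecure_transport(policies[bid]) else "FAIL"
        for bid, res in resources.items() if res.get("Type") == "AWS::S3::Bucket"
    }

# Constructed template: one bucket with a compliant policy, one with no policy at all.
SAMPLE_TEMPLATE = {"Resources": {
    "GoodBucket": {"Type": "AWS::S3::Bucket"},
    "GoodBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "GoodBucket"},
        "PolicyDocument": {"Statement": [{
            "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
    "NoPolicyBucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    for bucket, verdict in check_ssl_requests_only(SAMPLE_TEMPLATE).items():
        print(f"{bucket}: {verdict}")   # GoodBucket: PASS, NoPolicyBucket: FAIL
```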