def validate_deny_delete_bucket()

in scripts/confirm_log_buckets_nodelete.py [0:0]


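def validate_deny_delete_bucket(deny_statements, bucket):
    """Report whether a bucket policy denies s3:DeleteBucket to everyone.

    Args:
        deny_statements: iterable of policy statement dicts (presumably
            already filtered to ``Effect: Deny`` by the caller; this
            function does not check ``Effect``).
        bucket: bucket name, used to build the expected resource ARN.

    Returns:
        'COMPLIANT' if some statement targets exactly the bucket ARN with
        Principal '*' and an Action that covers s3:DeleteBucket, otherwise
        'NON_COMPLIANT'.
    """
    import re

    target_action = 's3:DeleteBucket'
    valid_resource = 'arn:aws:s3:::%s' % bucket

    def _covers_delete_bucket(action):
        # Compare the whole action name. Testing only a fragment of it (for
        # example its last character) would accept unrelated actions such as
        # 's3:GetObject' and report a bucket as protected when it is not.
        if not isinstance(action, str) or not action:
            return False
        # IAM action patterns allow '*' and '?' wildcards and are matched
        # case-insensitively; everything else is treated literally.
        pattern = re.escape(action).replace(r'\*', '.*').replace(r'\?', '.')
        return re.match(pattern + '$', target_action, re.IGNORECASE) is not None

    for statement in deny_statements:
        # NOTE(review): only the plain-string forms are recognised here; a
        # list-valued Resource or a dict-valued Principal is skipped and the
        # bucket is then reported NON_COMPLIANT.
        # .get() keeps statements that use NotResource/NotPrincipal/NotAction
        # from raising KeyError; they simply do not count as a match.
        if statement.get('Resource') != valid_resource or statement.get('Principal') != '*':
            continue

        # NOTE(review): 'Condition' is not examined, so a conditional Deny is
        # treated like an unconditional one. Confirm this is intended.
        actions = statement.get('Action', [])
        if isinstance(actions, str):
            actions = [actions]

        if any(_covers_delete_bucket(action) for action in actions):
            return 'COMPLIANT'

    return 'NON_COMPLIANT'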