in scripts/confirm_log_buckets_nodelete.py [0:0]
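def evaluate_compliance(rule_parameters):
    """Check that every configured log bucket's policy forbids deletion.

    For each bucket name in ``rule_parameters['LogBuckets']`` the bucket
    policy is fetched and split into Deny and Allow statements. The Deny
    statements must contain an explicit deny of DeleteObject and of
    DeleteBucket; the Allow statements must each pass
    ``validate_acceptable_allow`` so that no grant contradicts those denies.

    Args:
        rule_parameters: Config rule parameters; ``'LogBuckets'`` is an
            iterable of S3 bucket names to inspect.

    Returns:
        A dict with ``'compliance_type'`` (``'COMPLIANT'`` or
        ``'NON_COMPLIANT'``) and a human-readable ``'annotation'``. The first
        bucket that fails a check short-circuits the evaluation; an empty
        ``'LogBuckets'`` list therefore yields ``'COMPLIANT'`` without any
        bucket being examined.

    Raises:
        KeyError: if ``'LogBuckets'`` is absent or a policy document has no
            ``'Statement'`` member.
        Whatever ``s3.get_bucket_policy`` raises — notably for a bucket that
            has no policy at all, which is itself a missing-deny condition the
            caller must treat as non-compliant rather than as a transient error.
    """
    log_buckets = rule_parameters['LogBuckets']
    for bucket in log_buckets:
        response = s3.get_bucket_policy(Bucket=bucket)
        bucket_policy = json.loads(response['Policy'])

        # A policy document may carry a single statement object rather than a
        # list of them; normalise so the filters below always iterate statements.
        statements = bucket_policy['Statement']
        if isinstance(statements, dict):
            statements = [statements]
        deny_statements = [s for s in statements if s.get('Effect') == 'Deny']
        allow_statements = [s for s in statements if s.get('Effect') == 'Allow']

        # First verify denies for delete object and bucket are in place.
        if validate_deny_delete_object(deny_statements, bucket) == 'NON_COMPLIANT':
            return {
                'compliance_type': 'NON_COMPLIANT',
                'annotation': '%s is missing explicit deny of DeleteObject' % bucket,
            }
        if validate_deny_delete_bucket(deny_statements, bucket) == 'NON_COMPLIANT':
            return {
                'compliance_type': 'NON_COMPLIANT',
                # Name the deny that is actually missing (this branch checks
                # DeleteBucket, not DeleteObject) so the finding is actionable.
                'annotation': '%s is missing explicit deny of DeleteBucket' % bucket,
            }

        # Then ensure that none of the Allow statements contradict the denies.
        # allow_statements is already filtered on Effect, so no re-check is needed.
        for statement in allow_statements:
            if not validate_acceptable_allow(statement['Action']):
                return {
                    'compliance_type': 'NON_COMPLIANT',
                    'annotation': 'Non-compliant S3 Bucket Policy for %s. Problematic statement is: %s' % (
                        bucket, statement),
                }

    return {
        'compliance_type': 'COMPLIANT',
        'annotation': 'Bucket policies disallow delete object and bucket',
    }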