def validate_deny_delete_object()

in scripts/confirm_log_buckets_nodelete.py [0:0]


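def _action_covers_delete_object(action):
    """Return True if an IAM ``Action`` string grants/denies ``s3:DeleteObject``.

    IAM action names are case-insensitive and may contain the wildcards
    ``*`` (any run of characters) and ``?`` (one character), so ``'*'``,
    ``'s3:*'``, ``'s3:Delete*'`` and ``'S3:DELETEOBJECT'`` all match while
    ``'s3:GetObject'`` and ``'s3:DeleteObjectVersion'`` do not.
    """
    import re

    # Escape everything, then re-enable only the two IAM wildcards.
    pattern = re.escape(str(action).lower()).replace(r'\*', '.*').replace(r'\?', '.')
    return re.fullmatch(pattern, 's3:deleteobject') is not None


def validate_deny_delete_object(deny_statements, bucket):
    """Check whether *bucket*'s policy denies ``s3:DeleteObject`` to everyone.

    Scans ``deny_statements`` (statement dicts the caller has already
    filtered to ``"Effect": "Deny"``) for one that covers every object in
    the bucket (``arn:aws:s3:::<bucket>/*``), applies to the wildcard
    principal, and whose ``Action`` matches ``s3:DeleteObject``.

    Args:
        deny_statements: iterable of bucket-policy statement dicts.
        bucket: bucket name (not an ARN).

    Returns:
        ``'COMPLIANT'`` if such a statement exists, otherwise
        ``'NON_COMPLIANT'``.

    NOTE(review): a Deny that carries a ``Condition`` is not unconditional,
    and ``s3:DeleteObjectVersion`` is what removes data from a versioned
    bucket; neither is evaluated here, so a COMPLIANT result only proves the
    plain DeleteObject deny exists.
    """
    valid_resource = 'arn:aws:s3:::%s/*' % bucket

    for statement in deny_statements:
        # Resource may be a single ARN or a list of ARNs.
        resources = statement.get('Resource', [])
        if isinstance(resources, str):
            resources = [resources]
        if valid_resource not in resources:
            continue

        # Only a wildcard principal proves the deny applies to everyone;
        # both spellings AWS accepts for "anyone" are recognised.
        principal = statement.get('Principal')
        if principal != '*' and principal != {'AWS': '*'}:
            continue

        # Action may be a single string or a list. The original compared
        # only the LAST CHARACTER of each action against the letters of
        # 's3:DeleteObject', so e.g. a deny on 's3:GetObject' was reported
        # COMPLIANT; match the whole action name instead.
        actions = statement.get('Action', [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_covers_delete_object(a) for a in actions):
            return 'COMPLIANT'

    return 'NON_COMPLIANT'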