Test Case #1 Name: Empty, SKIP `- File(, Status=SKIP)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=SKIP)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] `- Rule/When(Status=FAIL)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] `- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] `- GuardClauseUnaryCheck(Status=FAIL, Comparison=not EMPTY, Value-At=(unresolved, Path=[L:0,C:0] Value={}))[Context= %s3_buckets_server_side_encryption not EMPTY ] PASS Rules: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED: Expected = SKIP Test Case #2 Name: No resources, SKIP `- File(, Status=SKIP)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=SKIP)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] `- Rule/When(Status=FAIL)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] `- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] `- GuardClauseUnaryCheck(Status=FAIL, Comparison=not EMPTY, Value-At=(unresolved, Path=/Resources[L:0,C:0] Value={}))[Context= %s3_buckets_server_side_encryption not EMPTY ] PASS Rules: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED: Expected = SKIP Test Case #3 Name: S3 Bucket Encryption set to SSE AES 256, PASS `- File(, Status=PASS)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=PASS)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] |- Rule/When(Status=PASS)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] | |- Filter/ConjunctionsBlock(Status=PASS)[Context=Filter/Map#2] | | |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Type EQUALS "AWS::S3::Bucket"] | | | `- GuardClauseValueCheck(Status=PASS)[Context= Type EQUALS "AWS::S3::Bucket"] | | `- Disjunction(Status = PASS)[Context=cfn_guard::rules::exprs::GuardClause#disjunction] | | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Metadata.guard.SuppressedRules not EXISTS ] | | `- GuardClauseValueCheck(Status=PASS)[Context= Metadata.guard.SuppressedRules not EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption not EMPTY ] |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] PASS Rules: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED: Expected = PASS Test Case #4 Name: S3 Bucket Encryption set to SSE AWS KMS key, PASS `- File(, Status=PASS)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=PASS)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] |- Rule/When(Status=PASS)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] | |- Filter/ConjunctionsBlock(Status=PASS)[Context=Filter/Map#2] | | |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Type EQUALS "AWS::S3::Bucket"] | | | `- GuardClauseValueCheck(Status=PASS)[Context= Type EQUALS "AWS::S3::Bucket"] | | `- Disjunction(Status = PASS)[Context=cfn_guard::rules::exprs::GuardClause#disjunction] | | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Metadata.guard.SuppressedRules not EXISTS ] | | `- GuardClauseValueCheck(Status=PASS)[Context= Metadata.guard.SuppressedRules not EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption not EMPTY ] |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] PASS Rules: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED: Expected = PASS Test Case #5 Name: S3 Bucket Encryption not set, FAIL `- File(, Status=FAIL)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=FAIL)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] |- Rule/When(Status=PASS)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] | |- Filter/ConjunctionsBlock(Status=PASS)[Context=Filter/Map#2] | | |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Type EQUALS "AWS::S3::Bucket"] | | | `- GuardClauseValueCheck(Status=PASS)[Context= Type EQUALS "AWS::S3::Bucket"] | | `- Disjunction(Status = PASS)[Context=cfn_guard::rules::exprs::GuardClause#disjunction] | | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Metadata.guard.SuppressedRules not EXISTS ] | | `- GuardClauseValueCheck(Status=PASS)[Context= Metadata.guard.SuppressedRules not EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption not EMPTY ] |- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] | `- GuardClauseUnaryCheck(Status=FAIL, Comparison= EXISTS, Value-At=(unresolved, Path=/Resources/ExampleS3/Properties[L:0,C:0] Value={"BucketName":"my-bucket"}))[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] `- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] `- GuardClauseBinaryCheck(Status=FAIL, Comparison= IN, from=(unresolved, Path=/Resources/ExampleS3/Properties[L:0,C:0] Value={"BucketName":"my-bucket"}), to=)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] PASS Rules: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED: Expected = FAIL Test Case #6 Name: S3 Bucket Encryption not set but rule is suppressed, SKIP `- File(, Status=SKIP)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=SKIP)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] `- Rule/When(Status=FAIL)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] `- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] |- Filter/ConjunctionsBlock(Status=FAIL)[Context=Filter/Map#2] | |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Type EQUALS "AWS::S3::Bucket"] | | `- GuardClauseValueCheck(Status=PASS)[Context= Type EQUALS "AWS::S3::Bucket"] | `- Disjunction(Status = FAIL)[Context=cfn_guard::rules::exprs::GuardClause#disjunction] | |- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block Metadata.guard.SuppressedRules not EXISTS ] | | `- GuardClauseUnaryCheck(Status=FAIL, Comparison=not EXISTS, Value-At=(resolved, Path=/Resources/ExampleS3/Metadata/guard/SuppressedRules[L:0,C:0] Value=["S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"]))[Context= Metadata.guard.SuppressedRules not EXISTS ] | `- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block Metadata.guard.SuppressedRules.* not EQUALS "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"] | `- GuardClauseBinaryCheck(Status=FAIL, Comparison=not EQUALS, from=(resolved, Path=/Resources/ExampleS3/Metadata/guard/SuppressedRules/0[L:0,C:0] Value="S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"), to=(resolved, Path=[L:0,C:0] Value="S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"))[Context= Metadata.guard.SuppressedRules.* not EQUALS "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"] `- GuardClause(Status=FAIL, Empty, )[Context= %s3_buckets_server_side_encryption not EMPTY ] PASS Rules: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED: Expected = SKIP