failing_template_with_slash_in_key.yaml Status = FAIL FAILED rules s3_bucket_server_side_encryption_enabled.guard/S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED FAIL --- Evaluating data failing_template_with_slash_in_key.yaml against rules s3_bucket_server_side_encryption_enabled.guard Number of non-compliant resources 1 Resource = A/Resource/Name/With/Slash { Type = AWS::S3::Bucket Rule = S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED { ALL { Check = %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"] { Message { Violation: S3 Bucket must enable server-side encryption. Fix: Set the S3 Bucket property BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm to either "aws:kms" or "AES256" } RequiredPropertyError { PropertyPath = /Resources/A/Resource/Name/With/Slash/Properties/BucketEncryption[L:9,C:23] MissingProperty = ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm Reason = Attempting to retrieve from key ServerSideEncryptionConfiguration but type is not an struct type at path /Resources/A/Resource/Name/With/Slash/Properties/BucketEncryption[L:9,C:23], Type = String, Value = String((Path("/Resources/A/Resource/Name/With/Slash/Properties/BucketEncryption", Location { line: 9, col: 23 }), "")) Code: 7. BlockPublicPolicy: true 8. IgnorePublicAcls: true 9. RestrictPublicBuckets: true 10. BucketEncryption: 11. VersioningConfiguration: 12. Status: Enabled } } } } } `- File(failing_template_with_slash_in_key.yaml, Status=FAIL)[Context=File(rules=1)] `- Rule(S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, Status=FAIL)[Context=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED] |- Rule/When(Status=PASS)[Context=Rule#S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED/When] | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption not EMPTY ] | |- Filter/ConjunctionsBlock(Status=PASS)[Context=Filter/Map#2] | | |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Type EQUALS "AWS::S3::Bucket"] | | | `- GuardClauseValueCheck(Status=PASS)[Context= Type EQUALS "AWS::S3::Bucket"] | | `- Disjunction(Status = PASS)[Context=cfn_guard::rules::exprs::GuardClause#disjunction] | | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Metadata.guard.SuppressedRules not EXISTS ] | | `- GuardClauseValueCheck(Status=PASS)[Context= Metadata.guard.SuppressedRules not EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption not EMPTY ] |- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] | `- GuardClauseValueCheck(Status=PASS)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption EXISTS ] `- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]] `- GuardClauseBinaryCheck(Status=FAIL, Comparison= IN, from=(unresolved, Path=/Resources/A/Resource/Name/With/Slash/Properties/BucketEncryption[L:9,C:23] Value=""), to=)[Context= %s3_buckets_server_side_encryption[*].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:kms","AES256"]]