let s3_buckets_server_side_encryption_2 = Resources.*[ Type == 'AWS::S3::Bucket' ] rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED_2 when %s3_buckets_server_side_encryption_2 !empty { %s3_buckets_server_side_encryption_2.Properties.BucketEncryption exists %s3_buckets_server_side_encryption_2.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ["aws:kms","AES256"] << Violation: S3 Bucket must enable server-side encryption #2. Fix: Set the S3 Bucket property #2 BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm to either "aws:kms" or "AES256" >> }