lib/resources/aws/aws_s3_bucket.rb in inspec-2.1.59 vs lib/resources/aws/aws_s3_bucket.rb in inspec-2.1.67

- old
+ new

@@ -8,11 +8,11 @@ end "
 supports platform: 'aws'
 include AwsSingularResourceMixin
- attr_reader :bucket_name, :has_access_logging_enabled, :region
+ attr_reader :bucket_name, :has_default_encryption_enabled, :has_access_logging_enabled, :region
 def to_s
 "S3 Bucket #{@bucket_name}"
 end
@@ -33,12 +33,17 @@
 bucket_acl.any? { |g| g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/ } || \
 bucket_acl.any? { |g| g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/ } || \
 bucket_policy.any? { |s| s.effect == 'Allow' && s.principal == '*' }
 end
+ def has_default_encryption_enabled?
+ return false unless @exists
+ @has_default_encryption_enabled ||= fetch_bucket_encryption_configuration
+ end
+
 def has_access_logging_enabled?
- return unless @exists
+ return false unless @exists
 catch_aws_errors do
 @has_access_logging_enabled ||= !BackendFactory.create(inspec_runner).get_bucket_logging(bucket: bucket_name).logging_enabled.nil?
 end
 end
@@ -87,10 +92,23 @@
 @bucket_policy = []
 end
 end
 end
+ def fetch_bucket_encryption_configuration
+ @has_default_encryption_enabled ||= catch_aws_errors do
+ begin
+ !BackendFactory.create(inspec_runner)
+ .get_bucket_encryption(bucket: bucket_name)
+ .server_side_encryption_configuration
+ .nil?
+ rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+ false
+ end
+ end
+ end
+
 # Uses the SDK API to really talk to AWS
 class Backend
 class AwsClientApi < AwsBackendBase
 BackendFactory.set_default_backend(self)
 self.aws_client_class = Aws::S3::Client
@@ -107,9 +125,13 @@
 aws_service_client.get_bucket_policy(query)
 end
 def get_bucket_logging(query)
 aws_service_client.get_bucket_logging(query)
+ end
+
+ def get_bucket_encryption(query)
+ aws_service_client.get_bucket_encryption(query)
 end
 end
 end
 end
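Review bot: `@has_default_encryption_enabled ||= fetch_bucket_encryption_configuration` in has_default_encryption_enabled? never caches a `false` result, so a bucket with no default encryption — the very case a control is written to flag — re-issues GetBucketEncryption on every call of the predicate, and fetch_bucket_encryption_configuration in the next hunk repeats the same `||=`, so the cache is bypassed at both levels. A nil-guard caches both outcomes: `return @has_default_encryption_enabled unless @has_default_encryption_enabled.nil?` followed by `@has_default_encryption_enabled = fetch_bucket_encryption_configuration`, with the `||=` in the fetch helper replaced by a plain assignment. Separately, if catch_aws_errors returns nil for a failure other than the rescued not-found error (its body is not in this diff), the predicate yields nil rather than false, and a `should_not have_default_encryption_enabled` expectation would then pass on a lookup that never succeeded; worth confirming that catch_aws_errors raises or fails the resource in that path rather than returning.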
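Review bot: fetch_bucket_encryption_configuration gives a reader no indication of why only ServerSideEncryptionConfigurationNotFoundError is rescued to `false`, nor that the check only tests for the presence of a server_side_encryption_configuration and does not inspect which algorithm it specifies. Two comments above the `begin` would make the contract explicit: `# S3 signals "no default encryption configured" with ServerSideEncryptionConfigurationNotFoundError, which is a genuine false here; any other error (e.g. an access-denied response) is left to catch_aws_errors so it is not silently reported as "unencrypted".` and `# Only the presence of a configuration is checked; the algorithm (AES256 vs aws:kms) is not examined.` The class enclosing this method starts outside the hunk.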