aws-guard-rules-registry
(S3): S3 SSL requests only rule does not work when the policy does not exist
What is the problem?
The rules/aws/amazon_s3/s3_bucket_ssl_requests_only.guard rule only works if there is a bucket policy present. But if I define a bucket with no bucket policy, then the rule passes/skips, but it should actually fail.
In addition, it would be good to be able to suppress this rule on the bucket resource because you may not have a bucket policy to add the suppression to.
Reproduction Steps
Add this to its tests file:
```yaml
- name: S3 Bucket is missing Bucket Policy statement, FAIL
  input:
    Resources:
      Bucket:
        Type: AWS::S3::Bucket
  expectations:
    rules:
      S3_BUCKET_SSL_REQUESTS_ONLY: FAIL
```
If you run with that test case, you currently get this failure:
```
Name: S3 Bucket is missing Bucket Policy statement, FAIL
  FAIL Rules:
    S3_BUCKET_SSL_REQUESTS_ONLY: Expected = FAIL, Evaluated = [SKIP]
```
What did you expect to happen?
The rule should fail when a bucket is defined without a bucket policy. The rule should also be able to be suppressed on the bucket because the bucket policy may not exist.
What actually happened?
The rule passes/skips when the bucket has no bucket policy.
CloudFormation Guard Version
cfn-guard 2.1.3
OS
macOS
OS Version
No response
Other information
Think this is another example that could be fixed if https://github.com/aws-cloudformation/cloudformation-guard/issues/267 was resolved. Think we would need to be able to find S3 buckets and then lookup its bucket policy by Logical ID.
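The check the issue asks for, written out as an added Python sketch that is not the registry's Guard rule, not cfn-guard code, and not part of the original report: find every `AWS::S3::Bucket`, look up the `AWS::S3::BucketPolicy` that attaches to it by logical ID, and report FAIL (not SKIP) when no such policy carries the SSL-only deny. It assumes the policy is attached with `Bucket: {Ref: <LogicalId>}`, that the statement shape to look for is `Effect: Deny`, an `Action` covering `s3:*` or `*`, and `Condition.Bool.aws:SecureTransport == false`, and that suppression lives on the bucket under `Metadata.guard.SuppressedRules`; the sample templates other than the issue's own bucket-only one are constructed for illustration.

```python
"""Reference check for the intended SSL-requests-only behaviour.

Added example: not the aws-guard-rules-registry rule and not cfn-guard. It
correlates each AWS::S3::Bucket with the AWS::S3::BucketPolicy that points at
it via {"Ref": <LogicalId>}, so a bucket with no policy is FAIL, not SKIP.
"""
from typing import Any, Dict, List, Optional

RULE_NAME = "S3_BUCKET_SSL_REQUESTS_ONLY"
BUCKET_TYPE = "AWS::S3::Bucket"
POLICY_TYPE = "AWS::S3::BucketPolicy"


def _as_list(value: Any) -> List[Any]:
    """Statement and Action may be written as a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_target(props: Dict[str, Any]) -> Optional[str]:
    """Logical ID of the bucket a policy attaches to, or None when Bucket is a
    literal name or an intrinsic other than Ref (assumed: those are not correlated)."""
    bucket = props.get("Bucket")
    if isinstance(bucket, dict) and isinstance(bucket.get("Ref"), str):
        return bucket["Ref"]
    return None


def denies_insecure_transport(doc: Dict[str, Any]) -> bool:
    """True if some statement is Deny on s3:* (or *) with aws:SecureTransport false
    (assumed statement shape)."""
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not {str(a) for a in _as_list(stmt.get("Action"))} & {"s3:*", "*"}:
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


def is_suppressed(resource: Dict[str, Any]) -> bool:
    """Assumed suppression layout: Metadata.guard.SuppressedRules on the bucket itself."""
    rules = resource.get("Metadata", {}).get("guard", {}).get("SuppressedRules", [])
    return RULE_NAME in _as_list(rules)


def evaluate(template: Dict[str, Any]) -> Dict[str, str]:
    """Map each bucket logical ID to PASS, FAIL, or SKIP (suppressed)."""
    resources = template.get("Resources", {})
    docs_by_bucket: Dict[str, List[Dict[str, Any]]] = {}
    for res in resources.values():
        if res.get("Type") == POLICY_TYPE:
            props = res.get("Properties", {})
            target = policy_target(props)
            if target is not None:
                docs_by_bucket.setdefault(target, []).append(props.get("PolicyDocument", {}))
    verdicts: Dict[str, str] = {}
    for logical_id, res in resources.items():
        if res.get("Type") != BUCKET_TYPE:
            continue
        if is_suppressed(res):
            verdicts[logical_id] = "SKIP"
        elif any(denies_insecure_transport(d) for d in docs_by_bucket.get(logical_id, [])):
            verdicts[logical_id] = "PASS"
        else:
            verdicts[logical_id] = "FAIL"  # no policy at all, or a policy without the deny
    return verdicts


# Constructed samples; only NO_POLICY comes from the issue's test case.
SSL_ONLY_DOC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [{"Fn::GetAtt": ["Bucket", "Arn"]}, {"Fn::Sub": "${Bucket.Arn}/*"}],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
NO_POLICY = {"Resources": {"Bucket": {"Type": BUCKET_TYPE}}}
WITH_POLICY = {"Resources": {
    "Bucket": {"Type": BUCKET_TYPE},
    "BucketPolicy": {"Type": POLICY_TYPE, "Properties": {
        "Bucket": {"Ref": "Bucket"}, "PolicyDocument": SSL_ONLY_DOC}}}}
WRONG_TARGET = {"Resources": {  # policy attached to Other, so Bucket is still uncovered
    "Bucket": {"Type": BUCKET_TYPE}, "Other": {"Type": BUCKET_TYPE},
    "BucketPolicy": {"Type": POLICY_TYPE, "Properties": {
        "Bucket": {"Ref": "Other"}, "PolicyDocument": SSL_ONLY_DOC}}}}
SUPPRESSED = {"Resources": {"Bucket": {
    "Type": BUCKET_TYPE, "Metadata": {"guard": {"SuppressedRules": [RULE_NAME]}}}}}


def run_samples() -> Dict[str, Dict[str, str]]:
    samples = [("no_policy", NO_POLICY), ("with_policy", WITH_POLICY),
               ("wrong_target", WRONG_TARGET), ("suppressed", SUPPRESSED)]
    return {name: evaluate(t) for name, t in samples}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name}: {verdicts}")
```

The `wrong_target` sample is the case a per-policy rule cannot see: a compliant policy exists in the template, but it is attached to a different bucket, so the correlation by logical ID is what turns the verdict for `Bucket` from SKIP into FAIL.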