Query: s3_bucket_enforces_ssl

with ssl_ok as (
  select
    distinct b.name,
    b.arn,
    'ok' as status
  from
    aws_s3_bucket b,
    jsonb_array_elements(b.policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
    jsonb_array_elements_text(s -> 'Action') as a,
    jsonb_array_elements_text(s -> 'Resource') as r,
    jsonb_array_elements_text (
      case
      when (s -> 'Condition' -> 'NumericLessThan' -> 's3:tlsversion') is not null then (s -> 'Condition' -> 'NumericLessThan' -> 's3:tlsversion')
      when (s -> 'Condition' -> 'Bool' -> 'aws:securetransport') is not null then (s -> 'Condition' -> 'Bool' -> 'aws:securetransport')
        else null end
      ) as ssl
  where
    p = '*'
    and s ->> 'Effect' = 'Deny'
    and (ssl = '1.2' or ssl :: bool = false)
)
select
  b.arn as resource,
  case
    when ok.status = 'ok' then 'ok'
    else 'alarm'
  end status,
  case
    when ok.status = 'ok' then b.name || ' bucket policy enforces HTTPS.'
    else b.name || ' bucket policy does not enforce HTTPS.'
  end reason
  
  , b.region, b.account_id
from
  aws_s3_bucket as b
  left join ssl_ok as ok on ok.name = b.name;