ConformancePack revert (#108)

a-shokri-ssc · web-flow · commit de98bfbb900e · 2025-02-12T13:30:06.000-05:00
diff --git a/arch/templates/ConformancePack.yaml b/arch/templates/ConformancePack.yaml
@@ -479,20 +479,12 @@ Resources:
     Properties:
       ConfigRuleName: gc02_check_access_management_attestation
       Description: Checks S3 bucket for the access management attestation document.
-
       InputParameters:
-        S3AccessReviewDocumentPath:
-          Fn::If:
-            - S3AccessReviewDocumentPath
-            - Ref: S3AccessReviewDocumentPath
-            - AWS::NoValue
-
-        S3AccessManagementAttestationDocumentPath:
+        s3ObjectPath:
           Fn::If:
-            - S3AccessManagementAttestationDocumentPath
+            - s3AccessManagementAttestationDocumentPath
             - Ref: S3AccessManagementAttestationDocumentPath
-            - AWS::NoValue
-
+            - Ref: AWS::NoValue
         ExecutionRoleName:
           Fn::If:
             - GCLambdaExecutionRoleName
diff --git a/arch/templates/main.yaml b/arch/templates/main.yaml
@@ -1142,7 +1142,7 @@ Resources:
             Action:
               - "redshift:DescribeClusters"
               - "redshift:DescribeClusterParameters"
-            Resource:
+            Resource: 
               - !Sub "arn:${AWS::Partition}:redshift:*:*:cluster:*"
               - !Sub "arn:${AWS::Partition}:redshift:*:*:parametergroup:*"
             Effect: Allow
diff --git a/src/lambda/gc02_check_access_management_attestation/app.py b/src/lambda/gc02_check_access_management_attestation/app.py
@@ -77,21 +77,13 @@ def lambda_handler(event, context):
             event,
             [build_evaluation(aws_account_id, "NOT_APPLICABLE", event, gr_requirement_type=gr_requirement_type)],
         )
-    
-    pdf_paths = [ 
-        rule_parameters["S3AccessReviewDocumentPath"],
-        rule_parameters["S3AccessManagementAttestationDocumentPath"]
-    ]
 
-    missing_files = [path for path in pdf_paths if not check_s3_object_exists(aws_s3_client, path)]
-
-    if not missing_files:
+    if check_s3_object_exists(aws_s3_client, rule_parameters["s3ObjectPath"]):
         compliance_type = "COMPLIANT"
-        annotation = "Both required access management documents found"
+        annotation = "Access Management Attestation document found"
     else:
         compliance_type = "NON_COMPLIANT"
-        annotation = f"Missing documents: {', '.join(missing_files)}"
-
+        annotation = "Access Management Attestation document NOT found"
 
     logger.info(f"{compliance_type}: {annotation}")
     evaluations.append(build_evaluation(aws_account_id, compliance_type, event, annotation=annotation))
