Check each S3 bucket for a policy explicitly denying unencrypted put-object requests and identify buckets lacking such a policy.

import boto3 import json # Initialize boto3 client for S3 s3_client = boto3.client('s3', aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'), region_name='us-east-2') buckets_lacking_policy = [] for bucket_name in bucket_names: try: # Get the bucket policy policy = s3_client.get_bucket_policy(Bucket=bucket_name) policy_statements = json.loads(policy['Policy'])['Statement'] # Check for a policy explicitly denying unencrypted put-object requests policy_found = False for statement in policy_statements: if statement.get('Effect') == 'Deny': conditions = statement.get('Condition', {}) if 'Bool' in conditions and 'aws:SecureTransport' in conditions['Bool']: if conditions['Bool']['aws:SecureTransport'] == 'false': policy_found = True break if not policy_found: buckets_lacking_policy.append(bucket_name) except s3_client.exceptions.ClientError as e: # If the error is because the bucket does not have a policy if e.response['Error']['Code'] == 'NoSuchBucketPolicy': buckets_lacking_policy.append(bucket_name) print("Buckets lacking policy explicitly denying unencrypted put-object requests:", buckets_lacking_policy)