From 5f3293af1e41363118034de801eed3c5ab1db88c Mon Sep 17 00:00:00 2001
From: Nimrod Kor
Date: Tue, 18 Feb 2020 10:01:23 +0200
Subject: [PATCH] Add conditions check for extra771
(cherry picked from commit 805b276578d5afda60b38cffa28fe09b16380799)
---
 checks/check_extra771 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check_extra771 b/checks/check_extra771
index 943bbffe..ecd240c3 100644
--- a/checks/check_extra771
+++ b/checks/check_extra771
@@ -24,7 +24,7 @@ extra771(){
 if [[ $BUCKET_POLICY_STATEMENTS == *GetBucketPolicy* ]]; then
 textInfo "Bucket policy does not exist for bucket $bucket"
 else
- BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:aws:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")))')
+ BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:aws:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)')
 if [[ $BUCKET_POLICY_BAD_STATEMENTS != "" ]]; then
 textFail "Bucket $bucket allows public write: $BUCKET_POLICY_BAD_STATEMENTS"
 else
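Review bot: The added `and .Condition == null` on the `+` line turns every public-write statement that carries any Condition block into a silent pass, which is a false-negative path for this check: a Condition is not necessarily restrictive (one that only requires TLS via aws:SecureTransport, or matches a broad IP range or a wildcard string, still leaves the bucket world-writable). Rather than dropping such statements from the result, keep the new filter for the FAIL verdict but capture the conditioned matches in a second variable and surface them with textInfo so the reviewer can judge the condition. While touching this line, `$BUCKET_POLICY_STATEMENTS` in the `echo` should be double-quoted and the unused `--arg arn` can go, since the jq filter never references `$arn`. The enclosing function extra771 starts before the hunk and its `else`/`fi` continue past it.
```shell
      BUCKET_POLICY_BAD_STATEMENTS=$(echo "$BUCKET_POLICY_STATEMENTS" | jq 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)')
      # Same public-write pattern but guarded by a Condition: report it for manual review instead of discarding it.
      BUCKET_POLICY_CONDITIONED_STATEMENTS=$(echo "$BUCKET_POLICY_STATEMENTS" | jq 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition != null)')
      if [[ $BUCKET_POLICY_CONDITIONED_STATEMENTS != "" ]]; then
        textInfo "Bucket $bucket allows public write subject to a Condition (review it): $BUCKET_POLICY_CONDITIONED_STATEMENTS"
      fi
      # … unchanged: textFail / else branch on BUCKET_POLICY_BAD_STATEMENTS …
```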