
Aws S3 Bucket Audit

@jentz/aws-s3-bucket-audit v2026.05.18.2 · published 4d ago · REPORTS

README

Workflow-scope report that audits S3 buckets against standard security best practices. Operates on bucket state and bucket-policy data produced earlier in the workflow by @swamp/aws/s3/bucket and @swamp/aws/s3/bucket-policy.

Rules:

  • bucket-versioning-enabled (error)
  • bucket-encryption-enabled (error)
  • bucket-public-access-blocked (error)
  • bucket-ownership-enforced (error)
  • bucket-tls-only-policy (error)
  • bucket-no-overbroad-allow (error)
  • bucket-tls-min-version-1.2 (warn)
  • bucket-lifecycle-expires-noncurrent-versions (warn)
  • bucket-server-access-logging (warn)
  • bucket-tag-inventory (info)

Emits both human-readable markdown and a machine-readable JSON object with a failOn gate (none | error | warn | info) controlled by the S3_BUCKET_AUDIT_FAILON env var. The report itself never throws; missing or unparseable step data produces a skip finding instead of failing the workflow.

Release Notes
  • feat: add new bucket-no-overbroad-allow error rule — flags bucket-policy statements that grant Allow to broad principals (* / AWS: "*") without a tight narrowing Condition. Transport keys (aws:SecureTransport, s3:TlsVersion) explicitly don't count as narrowing.

    Breaking at the error tier: consumers at the default S3_BUCKET_AUDIT_FAILON=error will see their gate trip on any bucket whose policy contains an overbroad Allow. Pin a prior CalVer if you need to evaluate the rule before letting it gate your workflow.

  • fix: when the bucket-policy step data is missing or unparseable, the overbroad-Allow rule now emits a skip finding instead of failing — consistent with how the other policy-dependent rules behave.
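As an added illustration of how the bucket-no-overbroad-allow rule can be evaluated (example code, not the package's own): a check over a standard AWS bucket-policy document that flags Allow statements reaching `*` or `AWS: "*"` whose only Condition keys are the transport keys named above. The sample policy, bucket name and VPC endpoint id are constructed placeholders.

```typescript
// Added illustration of the bucket-no-overbroad-allow rule; not the package's own code.
// Policy shape follows the standard AWS bucket-policy JSON document.
type Principal = string | { AWS?: string | string[]; Service?: string | string[] };
interface Statement {
  Sid?: string; Effect: "Allow" | "Deny"; Principal?: Principal;
  Action?: string | string[]; Resource?: string | string[];
  Condition?: Record<string, Record<string, unknown>>;
}
interface BucketPolicy { Version?: string; Statement: Statement | Statement[] }

// Condition keys that only constrain the transport, not who may call.
// Per the rule, they do not count as narrowing a wildcard principal.
const TRANSPORT_ONLY_KEYS = new Set(["aws:securetransport", "s3:tlsversion"]);

function isWildcardPrincipal(p?: Principal): boolean {
  if (p === "*") return true;
  const aws = typeof p === "object" ? p.AWS : undefined;
  return aws === "*" || (Array.isArray(aws) && aws.includes("*"));
}

// A Condition narrows only if at least one of its keys is not transport-only.
function hasNarrowingCondition(cond?: Statement["Condition"]): boolean {
  if (!cond) return false;
  return Object.values(cond).some((op) =>
    Object.keys(op).some((k) => !TRANSPORT_ONLY_KEYS.has(k.toLowerCase()))
  );
}

// Labels (Sid, or index when absent) of Allow statements that reach a broad
// principal without a narrowing Condition; these are the rule's findings.
function findOverbroadAllows(policy: BucketPolicy): string[] {
  const stmts = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  return stmts
    .filter((s) => s.Effect === "Allow" && isWildcardPrincipal(s.Principal) &&
      !hasNarrowingCondition(s.Condition))
    .map((s) => s.Sid ?? `statement[${stmts.indexOf(s)}]`);
}
// Constructed sample policy; bucket name and VPC endpoint id are placeholders.
const RES = "arn:aws:s3:::example-bucket/*";
const SAMPLE_POLICY: BucketPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "DenyInsecure", Effect: "Deny", Principal: "*", Action: "s3:*", Resource: RES,
      Condition: { Bool: { "aws:SecureTransport": "false" } } },
    { Sid: "PublicRead", Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: RES },
    { Sid: "TlsOnlyAllow", Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject",
      Resource: RES, Condition: { Bool: { "aws:SecureTransport": "true" } } },
    { Sid: "VpceOnly", Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject",
      Resource: RES, Condition: { StringEquals: { "aws:SourceVpce": "vpce-EXAMPLE" } } },
  ],
};
```

Running `findOverbroadAllows(SAMPLE_POLICY)` returns `["PublicRead", "TlsOnlyAllow"]`: the TLS-only Deny is ignored, the Allow narrowed by `aws:SourceVpce` passes, and the Allow guarded only by `aws:SecureTransport` is still flagged.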

Reports (1)

@jentz/aws-s3-bucket-audit (workflow)
s3_bucket_audit.ts

Audit S3 buckets against standard security best practices (versioning, encryption, public-access block, ownership, TLS-only policy, lifecycle, logging) plus tag inventory. Operates on bucket state and bucket-policy data produced earlier in the workflow.

Labels: security, s3, audit

Previous Versions (2)

2026.05.17.2 (May 17, 2026)

bucket-tag-inventory: always passes when state is available (was: warn on no tags). info-threshold gates no longer trip on tag-less buckets.

2026.05.17.1 (May 17, 2026)

Stats

Score: A (100 / 100)
Downloads: 7
Archive size: 28.8 KB