---

# Cloud Custodian policy file. The single policy below is a detective
# control for S3 bucket policies: it has no `actions`, so it only reports.
policies:
  - name: d-s3-bucket-policy
    resource: aws.s3
    # NOTE(review): the description reads like an unfilled template; the
    # trailing `|` may be a field delimiter for downstream tooling or a
    # leftover. Confirm, and name the control this policy maps to.
    description: >
      Compliance: Policy Statement|
    # Deployed as an AWS Config rule; buckets that match the filters are the
    # ones reported as non-compliant.
    mode:
      type: config-rule
      # Execution role for the function backing the rule. `{account_id}` and
      # `{custodian_detective_role}` are placeholders, presumably substituted
      # at deploy time - confirm where they are defined.
      # NOTE(review): as there are no actions, this role should need read-only
      # S3 access plus permission to report Config evaluations; verify that it
      # grants no write access.
      role: arn:aws:iam::{account_id}:role/{custodian_detective_role}
      tags:
        CloudCustodianType: Detective
    filters:
      # Both conditions must hold for a bucket to be flagged.
      - and:
          # NOTE(review): no `statement_ids` are listed. With none, this
          # filter appears to match only buckets that have no bucket policy
          # at all, so a bucket with any policy (however permissive) would
          # pass. Verify against the c7n version in use, and list the
          # required statement Sids under `statement_ids` if specific
          # statements are expected.
          - type: missing-statement
          # Exception mechanism: a bucket carrying the tag
          # `__Exception-S3Policy` is skipped by this policy.
          # Anyone able to tag a bucket can therefore exempt it from this
          # check; limit who may set this tag and audit its use (for example
          # via CloudTrail PutBucketTagging events).
          - tag:__Exception-S3Policy: absent