let volumes = Resources.*[ Type == 'AWS::EC2::Volume' ]
rule sample_volume when %volumes !empty {
    %volumes.Properties {
        Encrypted == true
        Size <= 10
        VolumeType == 'gp2'
    }
}

let buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]
rule sample_bucket_encryption when %buckets !empty {
    %buckets.Properties {
        BucketEncryption.ServerSideEncryptionConfiguration[*] {
            ServerSideEncryptionByDefault.SSEAlgorithm == 'AES256'
        }
    }
}

rule sample_bucket when %buckets !empty {
    %buckets.Properties.VersioningConfiguration.Status == 'Enabled'
}