Question about AwsGuard policy. With s3BucketLoggingEnabled mandatory all buckets are verified to have access logs. This creates problem with the log buckets themselves, that don't have access log buckets of their own, but rather rely on retention policy (glacier, etc...) or otherwise that would be infinite chain of buckets. To me it seems that this policy needs to support filtering those buckets out, either by dependency or by tag/name predicate.

That's a great point. Do you mind opening an issue at https://github.com/pulumi/pulumi-policy-aws for this?