standard
turbot/aws_compliance

Trigger: Detect & correct CloudTrail trails with multi-region read/write disabled

Detect CloudTrail trails with multi-region read/write disabled.

Query

-- Trails that capture both read and write events through classic event
-- selectors: a logging, multi-region trail whose selector ReadWriteType is 'All'.
with classic_selector_trails as (
  select distinct
    t.name,
    t.account_id
  from
    aws_cloudtrail_trail as t,
    jsonb_array_elements(t.event_selectors) as sel
  where
    t.is_logging
    and t.is_multi_region_trail
    and sel ->> 'ReadWriteType' = 'All'
),
-- Trails that capture both read and write events through advanced event
-- selectors. An advanced selector carrying a 'readOnly' field selector narrows
-- itself to read-only or write-only events, so only selectors without that
-- field are treated as read+write. The text form of each selector is inspected
-- because the field may sit at any depth inside the selector object.
advanced_selector_trails as (
  select distinct
    t.name,
    t.account_id
  from
    aws_cloudtrail_trail as t,
    jsonb_array_elements_text(t.advanced_event_selectors) as sel
  where
    t.is_logging
    and t.is_multi_region_trail
    and t.advanced_event_selectors is not null
    and sel not like '%readOnly%'
)
-- Non-compliant accounts: no qualifying trail of either kind exists, which means
-- management activity is not being recorded across all regions for that account.
-- Output columns (title, account_id, conn) feed the correction pipeline.
select
  concat(a.title, ' [', a.account_id, ']') as title,
  a.account_id,
  a.sp_connection_name as conn
from
  aws_account as a
where
  not exists (
    select 1
    from classic_selector_trails as c
    where c.account_id = a.account_id
  )
  and not exists (
    select 1
    from advanced_selector_trails as adv
    where adv.account_id = a.account_id
  );

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/Cloudtrail