turbot/aws_compliance

Trigger: Detect & correct CloudTrail trails with S3 object level logging for read events disabled

Detect CloudTrail trails with S3 object-level logging for read events disabled.

Query

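-- Report AWS accounts that have no multi-region CloudTrail trail whose event
-- selectors log S3 object-level read events (ReadWriteType 'ReadOnly' or 'All').
-- One row per account with no such trail; bucket_selector_count is always 0
-- for reported rows because of the HAVING filter.
with s3_selectors as (
  -- One row per S3 bucket selector ('Values' entry) on a multi-region trail
  -- whose data-resource selector targets AWS::S3::Object and records reads.
  -- NOTE(review): only the classic event_selectors column is inspected here;
  -- trails configured via advanced event selectors are not considered — confirm
  -- that is intended, otherwise such accounts are reported as non-compliant.
  select
    t.name as trail_name,
    t.is_multi_region_trail,
    bucket_selector,
    t.region,
    t.account_id,
    t.sp_connection_name
  from
    aws_cloudtrail_trail as t
    cross join lateral jsonb_array_elements(t.event_selectors) as event_selector
    cross join lateral jsonb_array_elements(event_selector -> 'DataResources') as data_resource
    cross join lateral jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
  where
    t.is_multi_region_trail
    and data_resource ->> 'Type' = 'AWS::S3::Object'
    and event_selector ->> 'ReadWriteType' in ('ReadOnly', 'All')
)
select
  -- Use a.account_id, not t.account_id: every row that survives the HAVING
  -- clause has no matching trail, so all t.* columns are NULL and the title
  -- would otherwise render as '<title> [/]'.
  concat(a.title, ' [', '/', a.account_id, ']') as title,
  count(t.trail_name) as bucket_selector_count,
  a.account_id,
  a.sp_connection_name as conn
from
  aws_account as a
  -- LEFT JOIN keeps accounts with no qualifying trail; those are the findings.
  left join s3_selectors as t on t.account_id = a.account_id
group by
  -- Grouping only by account columns: the t.* columns are NULL on every
  -- reported row, so grouping by them added nothing.
  a.account_id,
  a.sp_connection_name,
  a.title
having
  -- Zero matching selectors means no trail logs S3 object-level read events.
  count(t.trail_name) = 0;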

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/Cloudtrail