aws.cloudtrail

Filters

• config-compliance

• event

• event-selectors

• finding

• is-shadow

• json-diff

• list-item

• marked-for-op

• ops-item

• reduce

• status

• value

event-selectors

Filter a cloudtrail by its related Event Selectors.

example:

policies:
  - name: cloudtrail-event-selectors
    resource: aws.cloudtrail
    filters:
    - type: event-selectors
      key: EventSelectors[].IncludeManagementEvents
      op: contains
      value: True

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - event-selectors
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - cloudtrail:GetEventSelectors

is-shadow

Identify shadow trails (secondary copies), shadow trails can’t be modified directly, the origin trail needs to be modified.

Shadow trails are created for multi-region trails as well for organizational trails.

properties:
  state:
    type: boolean
  type:
    enum:
    - is-shadow
required:
- type

Permissions - cloudtrail:DescribeTrails

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

status

Filter a cloudtrail by its status.

Example:

policies:
  - name: cloudtrail-check-status
    resource: aws.cloudtrail
    filters:
    - type: status
      key: IsLogging
      value: False

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - status
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - cloudtrail:GetTrailStatus

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• rename-tag

• set-logging

• tag

• update-trail

• webhook

delete

Delete a cloud trail

example:

policies:
  - name: delete-cloudtrail
    resource: aws.cloudtrail
    filters:
     - type: value
       key: Name
       value: delete-me
       op: eq
    actions:
     - type: delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - cloudtrail:DeleteTrail

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-logging

Set the logging state of a trail

Example:

policies:
  - name: cloudtrail-set-active
    resource: aws.cloudtrail
    filters:
     - type: status
       key: IsLogging
       value: False
    actions:
     - type: set-logging
       enabled: True

properties:
  enabled:
    type: boolean
  type:
    enum:
    - set-logging
required:
- type

Permissions - cloudtrail:StartLogging

update-trail

Update trail attributes.

Example:

policies:
  - name: cloudtrail-set-log
    resource: aws.cloudtrail
    filters:
     - or:
       - KmsKeyId: empty
       - LogFileValidationEnabled: false
    actions:
     - type: update-trail
       attributes:
         KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef
         EnableLogFileValidation: true

properties:
  attributes:
    type: object
  type:
    enum:
    - update-trail
required:
- attributes

Permissions - cloudtrail:UpdateTrail