feat: Update aws_cloudtrail_trail_event_selectors schema

cloudquery · Nov 22, 2023 · 0d5539f · 0d5539f
1 parent 95bf4bd
commit 0d5539f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -157,7 +157,7 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/
 
 .DS_Store
 transformations/aws_compliance/.user.yml

diff --git a/transformations/aws_compliance/macros/free/cloudtrail/enabled_in_all_regions.sql b/transformations/aws_compliance/macros/free/cloudtrail/enabled_in_all_regions.sql
@@ -10,10 +10,17 @@ select
     aws_cloudtrail_trails.account_id,
     arn as resource_id,
     case
-        when is_multi_region_trail = FALSE or (
-                    is_multi_region_trail = TRUE and (
-                        read_write_type != 'All' or include_management_events = FALSE
-                )) then 'fail'
+        when aws_cloudtrail_trails.is_multi_region_trail = FALSE then 'fail'
+        when exists(select *
+                    from jsonb_array_elements(aws_cloudtrail_trail_event_selectors.event_selectors) as es
+                    where es ->>'ReadWriteType' != 'All' or (es->>'IncludeManagementEvents')::boolean = FALSE)
+            then 'fail'
+        when exists(select *
+                    from jsonb_array_elements(aws_cloudtrail_trail_event_selectors.advanced_event_selectors) as aes
+                    where exists(select *
+                                 from jsonb_array_elements(aes ->'FieldSelectors') as aes_fs
+                                 where aes_fs ->>'Field' = 'readOnly'))
+            then 'fail'
         else 'pass'
     end as status
 from aws_cloudtrail_trails

diff --git a/transformations/aws_compliance/models/shared/aws_compliance__log_metric_filter_and_alarm.sql b/transformations/aws_compliance/models/shared/aws_compliance__log_metric_filter_and_alarm.sql
@@ -1,19 +1,27 @@
 with af as (
   select distinct a.arn, a.actions_enabled, a.alarm_actions, m->'MetricStat'->'Metric'->>'MetricName' as metric_name -- TODO check
   from aws_cloudwatch_alarms a, jsonb_array_elements(a.metrics) as m
+),
+tes as (
+    select trail_arn from aws_cloudtrail_trail_event_selectors
+    where exists(
+        select * from jsonb_array_elements(event_selectors) as es
+        where es ->>'ReadWriteType' = 'All' and (es->>'IncludeManagementEvents')::boolean = TRUE
+    ) or exists(
+        select * from jsonb_array_elements(advanced_event_selectors) as aes
+        where not exists(select * from jsonb_array_elements(aes ->'FieldSelectors') as aes_fs where aes_fs ->>'Field' = 'readOnly')
+    )
 )
 select
     t.account_id,
     t.region,
     t.cloud_watch_logs_log_group_arn,
     mf.filter_pattern as pattern
 from aws_cloudtrail_trails t
-inner join aws_cloudtrail_trail_event_selectors tes on t.arn = tes.trail_arn
+inner join tes on t.arn = tes.trail_arn
 inner join aws_cloudwatchlogs_metric_filters mf on mf.log_group_name = t.cloudwatch_logs_log_group_name
 inner join af on mf.filter_name = af.metric_name
 inner join aws_sns_subscriptions ss on ss.topic_arn = ANY(af.alarm_actions)
 where t.is_multi_region_trail = TRUE
     and (t.status->>'IsLogging')::boolean = TRUE
-    and tes.include_management_events = TRUE
-    and tes.read_write_type = 'All'
     and ss.arn like 'aws:arn:%'