Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for current region in check-cloudtrail #988

Merged
merged 3 commits into from Mar 1, 2017
Merged

Support for current region in check-cloudtrail #988

merged 3 commits into from Mar 1, 2017

Conversation

Sutto
Copy link
Contributor

@Sutto Sutto commented Feb 26, 2017

This makes check-cloudtrail able to check if the given region is
covered, at all - not just via multi region.

This lets us run it against individual regions to check cloud trail
logging / auditing.

@Sutto
Support for current region in check-cloudtrail
ca57842 
This makes check-cloudtrail able to check if the given region is
covered, at all - not just via multi region.

This lets us run it against individual regions to check cloud trail
logging / auditing.
@kapilt
Copy link
Collaborator

kapilt commented Feb 27, 2017

Fwiw policies take a region attribute to keep a policy region bound, added for s3.

@Sutto
Copy link
Contributor Author

Sutto commented Feb 27, 2017

That only restricts where they're run though, right?

Using this, you can run / invoke c7n with the check, and it'll only emit the account IF said account has a trail for the region at all.

kapilt
kapilt approved these changes Feb 27, 2017
View reviewed changes
c7n/resources/account.py Outdated
if self.data.get('current-region'):
current_region = session.region_name
trails = [t for t in trails if t.get('HomeRegion') == current_region or t.get('IsMultiRegionTrail')]
print(trails, current_region)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stray print

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah crud! Will fix this :) good catch.

c7n/resources/account.py
trails = client.describe_trails()['trailList']
resources[0]['c7n:cloudtrails'] = trails
if self.data.get('global-events'):
trails = [t for t in trails if t.get('IncludeGlobalServiceEvents')]
if self.data.get('current-region'):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could use some docs in the class docstring. i do think we have other ways of getting/verifying this with the extant, but its a net win for policy authoring.

@Sutto
Copy link
Contributor Author

Sutto commented Mar 1, 2017

Let me know if the comment looks ok to you!

Thanks

kapilt
kapilt approved these changes Mar 1, 2017
View reviewed changes
Copy link
Collaborator

@kapilt kapilt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@kapilt kapilt merged commit 610561c into cloud-custodian:master Mar 1, 2017
@Sutto Sutto deleted the support-checking-cloudtrail-current-region branch May 10, 2017 00:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kapilt kapilt kapilt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Sutto @kapilt