Support for current region in check-cloudtrail #988
Conversation
This makes check-cloudtrail able to check if the given region is covered, at all - not just via multi region. This lets us run it against individual regions to check cloud trail logging / auditing.
Fwiw policies take a region attribute to keep a policy region bound, added for s3.
That only restricts where they're run though, right? Using this, you can run / invoke c7n with the check, and it'll only emit the account IF said account has a trail for the region at all.
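The coverage test the thread describes, as an added example that is not cloud-custodian's own code: a trail counts as covering a region if it is multi-region or if its `HomeRegion` is that region, and `global-events` optionally narrows the set further. The `describe_trails()` response below is constructed, and the function names are assumptions, not the project's API.

```python
"""Region-coverage check for CloudTrail trails (added example, not c7n code).

The filter mirrors the PR discussion: an account "passes" for a region only
if at least one trail records events there, either because the trail is
multi-region or because that region is the trail's home region.
"""

# Constructed sample shaped like the 'trailList' of CloudTrail DescribeTrails.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True},
    {"Name": "eu-only", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False},
    {"Name": "apac-local", "HomeRegion": "ap-southeast-2",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
]


def trails_covering_region(trails, region, global_events=False):
    """Return the trails that record events in `region`.

    A multi-region trail covers every region regardless of its HomeRegion;
    a single-region trail covers only its HomeRegion. With global_events=True
    only trails that also capture global service events (IAM, STS, ...) are
    kept, matching the PR's 'global-events' option.
    """
    if not region:
        # An unset session region would otherwise match no HomeRegion and
        # look like "no trail", so fail loudly instead (assumption: caller
        # wants a misconfiguration distinguished from a missing trail).
        raise ValueError("no region configured for the coverage check")
    covered = [
        t for t in trails
        if t.get("IsMultiRegionTrail") or t.get("HomeRegion") == region
    ]
    if global_events:
        covered = [t for t in covered if t.get("IncludeGlobalServiceEvents")]
    return covered


def account_passes(trails, region, global_events=False):
    """True if the account should be emitted by the check for this region."""
    return bool(trails_covering_region(trails, region, global_events))


if __name__ == "__main__":
    for region in ("us-west-2", "eu-west-1", "ap-southeast-2"):
        names = [t["Name"] for t in trails_covering_region(SAMPLE_TRAILS, region)]
        print(region, "covered by", names, "-> passes:",
              account_passes(SAMPLE_TRAILS, region))
```

Running this against a region with no local trail (us-west-2 in the sample) still passes because of the multi-region trail; drop that trail from the list and the same region fails, which is exactly the per-region gap the PR is meant to surface.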
c7n/resources/account.py
Outdated
if self.data.get('current-region'): | ||
current_region = session.region_name | ||
trails = [t for t in trails if t.get('HomeRegion') == current_region or t.get('IsMultiRegionTrail')] | ||
print(trails, current_region) |
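Review bot: the `print(trails, current_region)` on the last line of this block is leftover debugging output and should be dropped before merge; it will write the full trail list to stdout on every policy run. Also worth a look in the line above it: if `session.region_name` is unset the comparison against `HomeRegion` matches nothing and the account is reported as uncovered, which is indistinguishable from a genuinely missing trail; consider failing explicitly when `current_region` is empty.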
stray print
Ah crud! Will fix this :) good catch.
trails = client.describe_trails()['trailList'] | ||
resources[0]['c7n:cloudtrails'] = trails | ||
if self.data.get('global-events'): | ||
trails = [t for t in trails if t.get('IncludeGlobalServiceEvents')] | ||
if self.data.get('current-region'): |
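Review bot: the new `current-region` option (and the existing `global-events` one next to it) is not described in the class docstring; add an entry for each so policy authors know the check can be restricted to the session's region. Note too that `resources[0]['c7n:cloudtrails'] = trails` is assigned before either filter runs, so the annotated resource carries the full unfiltered trail list rather than only the trails that satisfied the check; if that is intended, a short comment saying so would save the next reader a question.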
This could use some docs in the class docstring. I do think we have other ways of getting/verifying this with the extant, but it's a net win for policy authoring.
Let me know if the comment looks ok to you! Thanks
lgtm, thanks!
This makes check-cloudtrail able to check if the given region is
covered, at all - not just via multi region.
This lets us run it against individual regions to check cloud trail
logging / auditing.