Skip to content

Commit

Permalink
Make 3.x tests simpler and more useful
Browse files Browse the repository at this point in the history
  • Loading branch information
Tobi Fuhrimann committed Aug 17, 2019
1 parent 8333c57 commit f32b769
Show file tree
Hide file tree
Showing 16 changed files with 74 additions and 323 deletions.
46 changes: 1 addition & 45 deletions checks/check31
Original file line number Diff line number Diff line change
Expand Up @@ -15,49 +15,5 @@ CHECK_TYPE_check31="LEVEL1"
CHECK_ALTERNATE_check301="check31"

check31(){
# "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | grep $group | awk -F: '{ print $4 }' | head -n 1)
#METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | awk '/UnauthorizedOperation/ || /AccessDenied/ {print $3}')
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --output text | grep METRICFILTERS | awk 'BEGIN {IGNORECASE=1}; /UnauthorizedOperation/ || /AccessDenied/ {print $3};')
if [[ $METRICFILTER_SET ]];then
for metric in $METRICFILTER_SET; do
metric_name=$($AWSCLI logs describe-metric-filters $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --log-group-name $group --filter-name-prefix $metric --output text --query 'metricFilters[0].metricTransformations[0].metricName')
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[?MetricName==`'$metric_name'`]' --output text)
if [[ $HAS_ALARM_ASSOCIATED ]];then
CHECK31OK="$CHECK31OK $group:$metric"
else
CHECK31WARN="$CHECK31WARN $group:$metric"
fi
done
else
CHECK31WARN="$CHECK31WARN $group"
fi
done

if [[ $CHECK31OK ]]; then
for group in $CHECK31OK; do
metric=${group#*:}
group=${group%:*}
textPass "CloudWatch group $group found with metric filter $metric and alarms set for Unauthorized Operation and Access Denied"
done
fi
if [[ $CHECK31WARN ]]; then
for group in $CHECK31WARN; do
case $group in
*:*) metric=${group#*:}
group=${group%:*}
textFail "CloudWatch group $group found with metric filter $metric but no alarms associated"
;;
*) textFail "CloudWatch group $group found but no metric filters or alarms associated"
esac
done
fi
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
}
23 changes: 1 addition & 22 deletions checks/check310
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,5 @@ CHECK_TYPE_check310="LEVEL2"
CHECK_ALTERNATE_check310="check310"

check310(){
# "Ensure a log metric filter and alarm exist for security group changes (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | grep $group | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /SecurityGroup/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for security group changes"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
}
23 changes: 1 addition & 22 deletions checks/check311
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,5 @@ CHECK_TYPE_check311="LEVEL2"
CHECK_ALTERNATE_check311="check311"

check311(){
# "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | grep $group | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /NetworkAcl/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for changes to NACLs"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
}
23 changes: 1 addition & 22 deletions checks/check312
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,5 @@ CHECK_TYPE_check312="LEVEL1"
CHECK_ALTERNATE_check312="check312"

check312(){
# "Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | grep $group | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /InternetGateway/ || /CustomerGateway/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for changes to network gateways"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
}
23 changes: 1 addition & 22 deletions checks/check313
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,5 @@ CHECK_TYPE_check313="LEVEL1"
CHECK_ALTERNATE_check313="check313"

check313(){
# "Ensure a log metric filter and alarm exist for route table changes (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | grep $group | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /Route/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for route table changes"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
}
23 changes: 1 addition & 22 deletions checks/check314
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,5 @@ CHECK_TYPE_check314="LEVEL1"
CHECK_ALTERNATE_check314="check314"

check314(){
# "Ensure a log metric filter and alarm exist for VPC changes (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | grep $group | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /VPC/i;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for VPC changes"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
}
22 changes: 1 addition & 21 deletions checks/check32
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,5 @@ CHECK_TYPE_check32="LEVEL1"
CHECK_ALTERNATE_check302="check32"

check32(){
# "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' |grep filterPattern|grep MFAUsed| awk '/ConsoleLogin/ && (/additionalEventData.MFAUsed.*\!=.*\"Yes/) {print $1}')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /ConsoleLogin/ || /MFAUsed/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms set for sign-in Console without MFA enabled"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
}
22 changes: 1 addition & 21 deletions checks/check33
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,5 @@ CHECK_TYPE_check33="LEVEL1"
CHECK_ALTERNATE_check303="check33"

check33(){
# "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms set for usage of root account"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
}
22 changes: 1 addition & 21 deletions checks/check34
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,5 @@ CHECK_TYPE_check34="LEVEL1"
CHECK_ALTERNATE_check304="check34"

check34(){
# "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /DeletePolicy/ || /DeletePolicies/ || /Policies/ || /Policy/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for IAM policy changes"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
}
22 changes: 1 addition & 21 deletions checks/check35
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,5 @@ CHECK_TYPE_check35="LEVEL1"
CHECK_ALTERNATE_check305="check35"

check35(){
# "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' '
' | awk -F: '{ print $7 }')
if [[ $CLOUDWATCH_GROUP ]];then
for group in $CLOUDWATCH_GROUP; do
CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }' | head -n 1)
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging')
if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /TrailChange/ || /Trails/ || /CreateTrail/ || /UpdateTrail/ || /DeleteTrail/ || /StartLogging/ || /StopLogging/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then
textPass "CloudWatch group $group found with metric filters and alarms for CloudTrail configuration changes"
else
textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi
else
textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi
done
else
textFail "No CloudWatch group found for CloudTrail events"
fi
check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
}
Loading

0 comments on commit f32b769

Please sign in to comment.