
CIS v1.4.0 - Control: 3.1 Ensure CloudTrail is enabled in all regions #408

Closed
Tracked by #479
vkumbha opened this issue Jun 7, 2022 · 9 comments · Fixed by #479
Assignees
Labels
bug Something isn't working

Comments

@vkumbha
Contributor

vkumbha commented Jun 7, 2022

Describe the bug
When there are no trails in the account, the control should throw ALARM.

Steampipe version (steampipe -v)
steampipe version 0.13.0 (I know I am on an outdated version :p)

Plugin version (steampipe plugin list)
aws@latest - 0.63.0

To reproduce

  • Make sure you do not have any trails in your account across all the regions (maybe a new AWS account)
  • Run the cis-v1.4 - 3.1 control
  • steampipe check control.cis_v140_3_1

Expected behavior
The CIS v1.4 - 3.1 control expects a multi-region trail with logging enabled; in our case, since there are no trails to begin with, this should go to ALARM. However, as of today this says (idk how to interpret 0/0 for everything, but for sure) not alarm.
[image]


@vkumbha vkumbha added the bug Something isn't working label Jun 7, 2022
@Sirbank

Sirbank commented Jul 22, 2022

Same issue. I have attached a screenshot of this issue for more information.

CleanShot 2565-07-22 at 23 03 40

@rajlearner17
Contributor

@Sirbank Appreciate the feedback!

I will take a look; meanwhile, if you have any recommendations to change the query, happy to see that 👍
Will keep this thread posted

@rajlearner17
Contributor

@Sirbank, thanks for waiting; here are some analysis updates.

There are two problem statements:

[1] - When we have no trail, with the current query the CTE block does not return any rows, and the control runs but renders no data. Hence, the CIS control does not answer what it is intended to. As @vkumbha raised above, you also observed the same.

The proposed query for [1] (not finalised):

with trail_details as (
  select
    distinct region
  from
    aws_cloudtrail_trail,
    jsonb_array_elements(event_selectors) as e
  where is_logging and e ->> 'ReadWriteType' = 'All' and is_multi_region_trail
)
select
  -- Required Columns
  r.name as resource,
  case
    when r.opt_in_status = 'not-opted-in' then 'skip'
    when d.region is null then 'alarm'
    else 'ok'
  end as status,
  case
    when r.opt_in_status = 'not-opted-in' then r.region || ' region not-opted-in.'
    when d.region is null then 'cloudtrail disabled.'
    else 'cloudtrail enabled ' || r.name || '.'
  end as reason,
  -- Additional Dimensions
  r.name,
  r.account_id
from
  aws_region as r
left join trail_details as d on d.region = r.name;

[2] - Even if we address issue [1] by changing the query to evaluate based on regions, the control does produce data; however, it fails to fetch data for the event_selectors validation.

The OBSERVATION is:

  • The attribute 'event_selectors', which is fetched from GetEventSelectors, is expected to render a value when the default Management events is selected; however, it does not render the data and returns <null>.
  • When we select Data events as Basic event selectors with the required 'Data event type', it renders the data for 'event_selectors'; this helps the control with the new query to work as expected.
> select event_selectors, name, is_multi_region_trail, home_region, region from aws_cloudtrail_trail
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------+-------->
| event_selectors                                                                                                                                                   | name        | is_multi_region_trail | home_re>
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------+-------->
| [{"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}],"ExcludeManagementEventSources":[],"IncludeManagementEvents":false,"ReadWriteType":"All"}] | issue-408-2 | true                  | ap-sout>
| [{"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}],"ExcludeManagementEventSources":[],"IncludeManagementEvents":false,"ReadWriteType":"All"}] | issue-408-2 | true                  | ap-sout>
| [{"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}],"ExcludeManagementEventSources":[],"IncludeManagementEvents":false,"ReadWriteType":"All"}] | issue-408-2 | true                  | ap-sout>
  • With further observation, once 'Data events' is turned off, the 'event_selectors' value gets populated from 'Management events' as expected.

So we have been playing with the query to make the solution accurate; however, we see some anomalies in the AWS SDK response for event_selectors, and since this is one of the CIS requirements, we are trying to re-validate it again.

I know it's an extended response; sorry for that. Meanwhile, I see your screenshot has one trail listed, even though the control listed zero results. Could you share the details from the query below? This will help us understand your trail settings for the current account.

select event_selectors, name, is_multi_region_trail, home_region, region from aws_cloudtrail_trail

@Sirbank

Sirbank commented Jul 26, 2022

@rajlearner17 Here is the query as you mentioned, sir.

CleanShot 2565-07-26 at 12 35 57

@rajlearner17
Contributor

@Sirbank, I see event_selectors comes back for you; your trail might have been set to log Management events? Is it possible to send a screenshot to confirm whether my settings match yours or not?
[image]

@Sirbank

Sirbank commented Jul 26, 2022

@rajlearner17 this is my setting in the AWS Management Console.

CleanShot 2565-07-26 at 22 00 32

@rajlearner17
Contributor

@Sirbank THANKS, this will help. We will be investigating the behaviour; here is the alternative for the time being (while we are working this out).

If you update the Data events as Basic event selectors and execute this query, it should return data in event_selectors:
select event_selectors, name, is_multi_region_trail, home_region, region from aws_cloudtrail_trail

and the below query is expected to evaluate properly across all regions for the CIS control. Again, this is an alternative for now:

with trail_details as (
  select
    distinct region
  from
    aws_cloudtrail_trail,
    jsonb_array_elements(event_selectors) as e
  where is_logging and e ->> 'ReadWriteType' = 'All' and is_multi_region_trail
)
select
  -- Required Columns
  r.name as resource,
  case
    when r.opt_in_status = 'not-opted-in' then 'skip'
    when d.region is null then 'alarm'
    else 'ok'
  end as status,
  case
    when r.opt_in_status = 'not-opted-in' then r.region || ' region not-opted-in.'
    when d.region is null then 'cloudtrail disabled.'
    else 'cloudtrail enabled ' || r.name || '.'
  end as reason,
  -- Additional Dimensions
  r.name,
  r.account_id
from
  aws_region as r
left join trail_details as d on d.region = r.name;

The outcome, if there is no trail in the account and the .spc file has regions = ["*"]:

[image]

If one global trail is set, as shown in your image, it will render as below:

[image]

@rajlearner17
Contributor

@Sirbank hope you are doing well.
We have adjusted and modified the query to report at the account level; the below query is associated with the PR, if you want to give it a try and share feedback:

with event_selectors_trail_details as (
  select
    distinct account_id
  from
    aws_cloudtrail_trail,
    jsonb_array_elements(event_selectors) as e
  where
    (is_logging and e ->> 'ReadWriteType' = 'All' and is_multi_region_trail)
),
advanced_event_selectors_trail_details as (
  select
    distinct account_id
  from
    aws_cloudtrail_trail,
    jsonb_array_elements_text(advanced_event_selectors) as a
  where
    (is_multi_region_trail and is_logging and advanced_event_selectors is not null and (not a like '%readOnly%'))
)
select
  -- Required Columns
  a.title as resource,
  case
    when d.account_id is null and ad.account_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'
    else 'cloudtrail enabled.'
  end as reason,
  -- Additional Dimensions
  a.account_id
from
  aws_account as a
  left join event_selectors_trail_details as d on d.account_id = a.account_id
  left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;
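
The account-level logic of the query above (and of the earlier region-based variant) is easy to check offline without an AWS account. The Python below is an added example, not Steampipe's or the mod's own code; it mirrors the two CTEs and the left joins on constructed rows shaped like the aws_account and aws_cloudtrail_trail columns the query reads, and shows why an account with no trails, or with event_selectors returned as null, now lands in 'alarm' rather than producing no rows.

```python
import json

# Constructed sample data (not real accounts or trails), shaped like the
# Steampipe aws_account / aws_cloudtrail_trail columns the query reads.
ACCOUNTS = [{"account_id": "111111111111", "title": "111111111111"}]
SAMPLE_TRAILS = [{
    "account_id": "111111111111", "name": "issue-408-2",
    "is_multi_region_trail": True, "is_logging": True,
    "event_selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    "advanced_event_selectors": None,
}]

def trail_logs_all_events(trail):
    """Mirror of the two CTEs: a trail qualifies if it is multi-region and
    logging, and either a basic selector has ReadWriteType = 'All' or an
    advanced selector exists that does not filter on readOnly."""
    if not (trail.get("is_multi_region_trail") and trail.get("is_logging")):
        return False
    # event_selectors can come back null (the anomaly in this thread);
    # jsonb_array_elements then yields no rows, so treat None as an empty list.
    for sel in trail.get("event_selectors") or []:
        if sel.get("ReadWriteType") == "All":
            return True
    # jsonb_array_elements_text(...) with `not a like '%readOnly%'`: the
    # serialised element must not mention readOnly (reads-only or writes-only).
    for sel in trail.get("advanced_event_selectors") or []:
        if "readOnly" not in json.dumps(sel):
            return True
    return False

def evaluate_cis_3_1(accounts, trails):
    """Account-level evaluation, like the left joins from aws_account: every
    account yields a row, so an account with zero qualifying trails reports
    'alarm' instead of vanishing from the results (the original bug)."""
    covered = {t["account_id"] for t in trails if trail_logs_all_events(t)}
    rows = []
    for acct in accounts:
        ok = acct["account_id"] in covered
        rows.append({
            "resource": acct["title"],
            "status": "ok" if ok else "alarm",
            "reason": "cloudtrail enabled." if ok else "cloudtrail disabled.",
            "account_id": acct["account_id"],
        })
    return rows

if __name__ == "__main__":
    for row in evaluate_cis_3_1(ACCOUNTS, []) + evaluate_cis_3_1(ACCOUNTS, SAMPLE_TRAILS):
        print(row["resource"], row["status"], row["reason"])
```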

@Sirbank

Sirbank commented Aug 12, 2022

I just tried the above query and got this result.
I have configured regions = ["*"].

CleanShot 2565-08-12 at 13 20 26
