---
title: About the aws_cloudtrail_trail Resource
platform: aws
---

# aws_cloudtrail_trail

Use the `aws_cloudtrail_trail` InSpec audit resource to test the properties of a single AWS CloudTrail trail.

## Syntax

An `aws_cloudtrail_trail` resource block identifies a trail by `trail_name`.

```ruby
# Find a trail by name
describe aws_cloudtrail_trail('trail-name') do
  it { should exist }
end

# Hash syntax for trail name
describe aws_cloudtrail_trail(trail_name: 'trail-name') do
  it { should exist }
end
```

## Parameters

### trail_name _(required)_

This resource expects a single parameter, the CloudTrail trail name, which uniquely identifies the trail within the account and region being audited. It can be passed either as a plain string or as a `trail_name: 'value'` key-value entry in a hash.

See also the AWS documentation on CloudTrail.

## Properties

| Property | Description |
| --- | --- |
| `trail_arn` | The ARN of the trail. |
| `trail_name` | The name of the trail. |
| `home_region` | The region in which the trail was created. |
| `s3_bucket_name` | The name of the Amazon S3 bucket into which CloudTrail delivers the trail's log files. |
| `cloud_watch_logs_role_arn` | The ARN of the IAM role that the CloudWatch Logs endpoint assumes to write to the log group. |
| `cloud_watch_logs_log_group_arn` | The ARN of the CloudWatch Logs log group to which CloudTrail delivers events. |
| `kms_key_id` | The KMS key that encrypts the log files delivered by CloudTrail. CloudTrail returns this as the key's full ARN, not an alias; `nil` if no KMS key is configured. |

## Examples

### Test that the specified trail exists

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  it { should exist }
end

describe aws_cloudtrail_trail(trail_name: 'my-cloudtrail') do
  it { should exist }
end
```

### Check the KMS key used to encrypt the logs

`kms_key_id` is returned as the full KMS key ARN, so compare against the ARN rather than a key alias or friendly name.

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  its('kms_key_id') { should eq 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' }
end
```

### Check that the home region is correct

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  its('home_region') { should eq 'us-east-1' }
end
```

### Test that the specified trail is a multi-region trail

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  it { should be_multi_region_trail }
end
```

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

### exist

The control will pass if a trail with the given name is found. This is a singular resource, so `exist` means exactly that one trail was returned.

Use `should_not` to test that the trail does not exist.

```ruby
# Verify that the named trail exists.
describe aws_cloudtrail_trail('my-cloudtrail') do
  it { should exist }
end
```

### be_multi_region_trail

The test will pass if the identified trail is a multi-region trail, that is, it records events from all regions rather than only its home region.

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  it { should be_multi_region_trail }
end
```

### be_encrypted

The test will pass if the identified trail has a KMS key configured (`kms_key_id` is set), so that its log files are encrypted with SSE-KMS. Note that a trail without a KMS key still has its log files encrypted by S3-managed keys (SSE-S3, the CloudTrail default); this matcher fails for such a trail because it requires customer-managed KMS encryption.

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  it { should be_encrypted }
end
```

### be_log_file_validation_enabled

The test will pass if the identified trail has log file integrity validation enabled, meaning CloudTrail delivers signed digest files that can be used to detect modified or deleted log files.

```ruby
describe aws_cloudtrail_trail('my-cloudtrail') do
  it { should be_log_file_validation_enabled }
end
```
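The Examples and Matchers above each test one attribute at a time. To make visible what those matchers actually read from the `DescribeTrails` response, here is an added plain-Ruby example (not code from the inspec-aws project) that applies the same four checks to a constructed, fictitious `DescribeTrails`-shaped record for two trails: one hardened, one with none of the controls enabled. The `TrailRecord` class, the `BASELINE` table and the `baseline_failures` helper are this example's own names; the field names mirror the AWS SDK's snake_case attributes. It runs offline and also shows the `be_encrypted` caveat: a trail with `kms_key_id` of `nil` fails even though S3 still applies SSE-S3.

```ruby
# Added example, not part of inspec-aws: evaluates the aws_cloudtrail_trail
# baseline checks against DescribeTrails-shaped records without calling AWS.

# Constructed sample data (fictitious account, ARNs and bucket names).
TRAILS = [
  {
    name: 'org-trail',
    trail_arn: 'arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail',
    home_region: 'us-east-1',
    s3_bucket_name: 'example-cloudtrail-logs',
    is_multi_region_trail: true,
    log_file_validation_enabled: true,
    kms_key_id: 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    cloud_watch_logs_log_group_arn: 'arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/org:*',
  },
  {
    name: 'dev-trail',
    trail_arn: 'arn:aws:cloudtrail:eu-west-1:111122223333:trail/dev-trail',
    home_region: 'eu-west-1',
    s3_bucket_name: 'example-dev-logs',
    is_multi_region_trail: false,
    log_file_validation_enabled: false,
    kms_key_id: nil,                       # SSE-S3 only, so be_encrypted fails
    cloud_watch_logs_log_group_arn: nil,   # no CloudWatch Logs delivery
  },
].freeze

# Hypothetical wrapper mirroring the resource's matchers: each predicate reads
# exactly one field of the DescribeTrails record.
class TrailRecord
  attr_reader :trail_name, :trail_arn, :home_region, :kms_key_id

  def initialize(trail)
    @trail = trail
    @trail_name = trail[:name]
    @trail_arn = trail[:trail_arn]
    @home_region = trail[:home_region]
    @kms_key_id = trail[:kms_key_id]
  end

  def multi_region_trail?
    @trail[:is_multi_region_trail] == true
  end

  # be_encrypted semantics: a KMS key is configured. nil means CloudTrail is
  # relying on S3-managed (SSE-S3) encryption only.
  def encrypted?
    !@trail[:kms_key_id].nil?
  end

  def log_file_validation_enabled?
    @trail[:log_file_validation_enabled] == true
  end

  def cloudwatch_logs_enabled?
    !@trail[:cloud_watch_logs_log_group_arn].nil?
  end
end

# Look a trail up by name as aws_cloudtrail_trail('name') does; nil when the
# trail does not exist (the `should exist` case).
def find_trail(trails, name)
  rec = trails.find { |t| t[:name] == name }
  rec && TrailRecord.new(rec)
end

# Hypothetical baseline: the three matchers plus CloudWatch Logs delivery.
BASELINE = {
  'be_multi_region_trail'          => ->(t) { t.multi_region_trail? },
  'be_encrypted'                   => ->(t) { t.encrypted? },
  'be_log_file_validation_enabled' => ->(t) { t.log_file_validation_enabled? },
  'cloud_watch_logs_log_group_arn' => ->(t) { t.cloudwatch_logs_enabled? },
}.freeze

# Returns the names of the baseline checks the trail fails, in BASELINE order.
# A missing trail yields ['exist'] only, since nothing else is meaningful.
def baseline_failures(trails, name)
  trail = find_trail(trails, name)
  return ['exist'] if trail.nil?
  BASELINE.reject { |_, check| check.call(trail) }.keys
end

if $PROGRAM_NAME == __FILE__
  %w[org-trail dev-trail missing-trail].each do |n|
    failures = baseline_failures(TRAILS, n)
    puts "#{n}: #{failures.empty? ? 'PASS' : "FAIL (#{failures.join(', ')})"}"
  end
end
```

Running it prints PASS for `org-trail` and lists all four failed checks for `dev-trail`; swap `TRAILS` for the `trails` array from a real `describe_trails` call to reuse the same evaluation outside InSpec.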

## AWS Permissions

Your Principal will need the `cloudtrail:DescribeTrails` action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for AWS CloudTrail.