
cloudtrail

Sample rules

A few rules that use objects from this package:

not_car_cloudtrail_trails_encrypt_at_rest_with_sse_kms
from typing import List, Dict

from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class EnsureCloudTrailEncryptionKmsRule(AwsBaseRule):
    """Flag CloudTrail trails whose log files are not encrypted at rest with a KMS CMK.

    One ``Issue`` is produced for every trail in the context whose
    ``kms_encryption`` flag is falsy; the trail itself is passed as both
    resource arguments of the ``Issue``.
    """

    def get_id(self) -> str:
        """Return the stable rule identifier used in reports and configuration."""
        return 'not_car_cloudtrail_trails_encrypt_at_rest_with_sse_kms'

    def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one issue per trail that is not configured for KMS encryption.

        ``parameters`` is accepted for interface compatibility only; this rule
        does not read it.
        """
        unencrypted_trails = (trail for trail in env_context.cloudtrail if not trail.kms_encryption)
        return [
            Issue(
                f'The {trail.get_type()} trail `{trail.get_friendly_name()}` is not set to use '
                f'encryption at rest with KMS CMK',
                trail,
                trail,
            )
            for trail in unencrypted_trails
        ]

    def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
        """Run only when the context holds at least one CloudTrail trail."""
        return bool(environment_context.cloudtrail)
non_car_aws_cloudtrail_log_validation_disabled
from typing import List, Dict

from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class EnsureCloudTrailLogValidationEnabledRule(AwsBaseRule):
    """Flag CloudTrail trails that do not have log file validation enabled.

    One ``Issue`` is produced for every trail in the context whose
    ``log_file_validation`` flag is falsy; the trail itself is passed as both
    resource arguments of the ``Issue``.
    """

    def get_id(self) -> str:
        """Return the stable rule identifier used in reports and configuration."""
        return 'non_car_aws_cloudtrail_log_validation_disabled'

    def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one issue per trail whose log file validation is disabled.

        ``parameters`` is accepted for interface compatibility only; this rule
        does not read it.
        """
        unvalidated_trails = (trail for trail in env_context.cloudtrail if not trail.log_file_validation)
        return [
            Issue(
                f'The {trail.get_type()} trail `{trail.get_friendly_name()}` does not have log validation enabled',
                trail,
                trail,
            )
            for trail in unvalidated_trails
        ]

    def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
        """Run only when the context holds at least one CloudTrail trail."""
        return bool(environment_context.cloudtrail)

CloudTrail (AwsResource)

Attributes:

Name Type Description
name str

The name of the CloudTrail trail.

kms_encryption bool

True if the trail's log files are encrypted at rest with an AWS KMS key (SSE-KMS); False when the trail relies only on the default S3-managed encryption (SSE-S3).

arn str

The ARN of the CloudTrail trail.

log_file_validation bool

True if log file integrity validation is enabled, i.e. CloudTrail also delivers signed digest files that can be used to detect whether a delivered log file was modified, deleted or forged after delivery.

is_multi_region_trail bool

True if the trail is a multi-region trail that records events from all regions in the account; False if it only records events from the region in which it was created.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process