awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

multi-region-cloudtrail-enabled always fails #401

Open pnutshellmenace opened 1 year ago

pnutshellmenace commented 1 year ago

Can't seem to get multi-region-cloudtrail-enabled to pass no matter what I do. The trail is configured as:

{
    "Name": "REDACTED",
    "S3BucketName": "REDACTED",
    "IncludeGlobalServiceEvents": true,
    "IsMultiRegionTrail": true,
    "HomeRegion": "us-east-1",
    "TrailARN": "REDACTED",
    "LogFileValidationEnabled": true,
    "CloudWatchLogsLogGroupArn": "REDACTED",
    "CloudWatchLogsRoleArn": "REDACTED",
    "KmsKeyId": "REDACTED",
    "HasCustomEventSelectors": true,
    "HasInsightSelectors": true,
    "IsOrganizationTrail": true
}

It is also configured to include management events, S3 data events, Lambda data events.

Trail status (from aws cloudtrail get-trail-status):

{
    "IsLogging": true,
    "LatestDeliveryTime": "2023-01-21T13:58:49.666000-05:00",
    "LatestNotificationTime": "2023-01-19T10:41:45.793000-05:00",
    "StartLoggingTime": "2023-01-19T10:25:48.120000-05:00",
    "LatestCloudWatchLogsDeliveryTime": "2023-01-21T14:00:23.026000-05:00",
    "LatestDigestDeliveryTime": "2023-01-21T13:45:44.749000-05:00",
    "LatestDeliveryAttemptTime": "2023-01-21T18:58:49Z",
    "LatestNotificationAttemptTime": "2023-01-21T18:43:20Z",
    "LatestNotificationAttemptSucceeded": "2023-01-19T15:41:45Z",
    "LatestDeliveryAttemptSucceeded": "2023-01-21T18:58:49Z",
    "TimeLoggingStarted": "2023-01-19T15:25:48Z",
    "TimeLoggingStopped": ""
}

Lines 215-216 in CLOUDTRAIL_ENABLED_V2.py contain this:

        if 'LatestDeliveryError' in trail_status:
            continue

That is my best guess as to where the NON_COMPLIANT result is coming from. I don't see LatestDeliveryError when I make an aws cloudtrail get-trail-status API call; it's not a property in the returned JSON (referenced above). I don't really understand the purpose of that logic to begin with. Why should LatestDeliveryError be in the status JSON? Shouldn't the expectation be that there isn't an error?

I'm not positive this is the reason for the failure, but it is the best I can tell from interpreting the code.
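As an added example (not code from this repository), the following Python checker evaluates the trail description and get-trail-status output posted above against the conditions the post discusses: multi-region, global service events, actively logging, and no LatestDeliveryError in the status. The field names are those shown in the post; the account-level aggregation function is an assumed simplification, not the rule's actual logic.

```python
# Constructed sample input: the trail description and status from the post,
# trimmed to the fields the checks below read (redacted values kept as-is).
TRAIL = {
    "Name": "REDACTED",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "HomeRegion": "us-east-1",
    "IsOrganizationTrail": True,
}

TRAIL_STATUS = {
    "IsLogging": True,
    "LatestDeliveryTime": "2023-01-21T13:58:49.666000-05:00",
    "TimeLoggingStopped": "",
}


def evaluate_multi_region_trail(trail, status):
    """Return (passes, reason) for a single trail.

    The quoted snippet `if 'LatestDeliveryError' in trail_status: continue`
    skips a trail whose status carries a delivery error, so the absence of
    that key is the passing case; the other three conditions are the
    properties a multi-region trail check is expected to require.
    """
    if not trail.get("IsMultiRegionTrail"):
        return False, "IsMultiRegionTrail is false"
    if not trail.get("IncludeGlobalServiceEvents"):
        return False, "IncludeGlobalServiceEvents is false"
    if not status.get("IsLogging"):
        return False, "trail is not logging"
    if "LatestDeliveryError" in status:
        return False, "delivery error: " + str(status["LatestDeliveryError"])
    return True, "ok"


def account_verdict(trails_with_status):
    """Assumed aggregation: COMPLIANT if at least one trail passes."""
    for trail, status in trails_with_status:
        passes, _ = evaluate_multi_region_trail(trail, status)
        if passes:
            return "COMPLIANT"
    return "NON_COMPLIANT"


if __name__ == "__main__":
    print(evaluate_multi_region_trail(TRAIL, TRAIL_STATUS))
    print(account_verdict([(TRAIL, TRAIL_STATUS)]))
```

Running it against the posted data yields a pass, which is a quick way to confirm that the trail and status fields themselves are not what trips the rule before looking elsewhere (permissions, region of evaluation, a stale status) for the NON_COMPLIANT result.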