Open teddy-codes opened 1 month ago
When using ScoutSuite to audit our infrastructure, we came across a problem where data events were incorrectly being logged.
Our CloudTrail logs from aws look like this:
```json
{
  "TrailARN": "<trail-arn>",
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        { "Type": "AWS::Lambda::Function", "Values": [ "arn:aws:lambda" ] }
      ],
      "ExcludeManagementEventSources": []
    },
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        { "Type": "AWS::S3::Object", "Values": [ "arn:aws:s3:::" ] }
      ],
      "ExcludeManagementEventSources": []
    },
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [],
      "ExcludeManagementEventSources": []
    }
  ]
}
```
This is the check that is occurring: https://github.com/nccgroup/ScoutSuite/blob/7909f2fc6186063e5c9e7ddef8c4d7d1072c8f3d/ScoutSuite/providers/aws/resources/cloudtrail/trails.py#L50-L53
This is incorrect, as it does not read ALL data events but overwrites DataEventsEnabled while iterating through the EventSelectors.
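To make the order-dependence described in the issue concrete, here is an added example (not ScoutSuite's own code, and not a copy of the linked lines): a hypothetical `data_events_enabled_buggy` that assigns the flag on every loop iteration, so only the last event selector counts, beside a `data_events_enabled_fixed` that reports data events as enabled when any selector carries a `DataResources` entry. The trail document is constructed from the shape shown in the issue, with a placeholder trail ARN; the function names are assumptions for illustration.

```python
import json

# Constructed sample modelled on the get-event-selectors output quoted in the issue.
# The last selector has an empty DataResources list, which is what triggers the bug.
TRAIL = json.loads("""
{
  "TrailARN": "arn:aws:cloudtrail:REGION:ACCOUNT:trail/PLACEHOLDER",
  "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": true,
     "DataResources": [{"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}],
     "ExcludeManagementEventSources": []},
    {"ReadWriteType": "All", "IncludeManagementEvents": true,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}],
     "ExcludeManagementEventSources": []},
    {"ReadWriteType": "All", "IncludeManagementEvents": true,
     "DataResources": [],
     "ExcludeManagementEventSources": []}
  ]
}
""")


def data_events_enabled_buggy(trail: dict) -> bool:
    """Hypothetical buggy check: the flag is overwritten on each iteration,
    so the result depends only on the LAST event selector."""
    enabled = False
    for selector in trail.get("EventSelectors", []):
        enabled = len(selector.get("DataResources", [])) > 0
    return enabled


def data_events_enabled_fixed(trail: dict) -> bool:
    """Corrected check: data events are enabled if ANY selector
    declares at least one DataResources entry."""
    return any(
        len(selector.get("DataResources", [])) > 0
        for selector in trail.get("EventSelectors", [])
    )


def data_event_types(trail: dict) -> set:
    """Collect every resource type covered by data-event logging across all
    selectors, which is what an auditor actually wants to report."""
    return {
        resource["Type"]
        for selector in trail.get("EventSelectors", [])
        for resource in selector.get("DataResources", [])
    }


def with_reversed_selectors(trail: dict) -> dict:
    """Same trail with selectors in reverse order; shows that the buggy
    check's answer flips with ordering while the fixed one does not."""
    return {**trail, "EventSelectors": list(reversed(trail["EventSelectors"]))}


if __name__ == "__main__":
    print("buggy :", data_events_enabled_buggy(TRAIL))                         # False
    print("buggy (reversed):", data_events_enabled_buggy(with_reversed_selectors(TRAIL)))  # True
    print("fixed :", data_events_enabled_fixed(TRAIL))                         # True
    print("types :", sorted(data_event_types(TRAIL)))
```

The buggy variant reports the trail as having no data-event logging purely because the empty selector happens to be last; reordering the same selectors flips the answer. The fixed variant aggregates across selectors and is order-independent, and `data_event_types` gives the per-type coverage a finding should actually cite.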