mondoohq / cnquery

open source, cloud-native, graph-based asset inventory

Home Page:https://cnquery.io

aws: Support for Advanced Event Selectors in eventSelectors() Function

HRouhani opened this issue · comments

related to: Ensure that Object-level logging for write events is enabled for S3 bucket

Issue Description

Currently, the eventSelectors() function in aws_cloudtrails.go is designed to retrieve data event selectors for AWS CloudTrail trails. However, it only successfully retrieves data when Basic Event Selectors are configured. This limitation prevents the function from fetching and processing Advanced Event Selectors, which are crucial for detailed logging configurations, especially for object-level logging for write events on S3 buckets.

In CloudTrail, for each trail, there are 2 ways of configuring Data Events:

  1. Advanced event selectors are enabled

Screenshot from 2024-02-20 14-17-26

The output of the aws cli is also different as can be seen here:

Screenshot from 2024-02-20 14-18-40

  2. Basic event selectors are enabled

At the moment we are able to retrieve data only when the customer is using the Basic Event selector.

The output of the aws cli when basic has been used:

Screenshot from 2024-02-20 14-20-19

Problematic Behavior

When Advanced Event Selectors are enabled in CloudTrail, the eventSelectors() function does not retrieve any data.

Solution:
To address this discrepancy and ensure that the eventSelectors() function can handle both types of event selectors, the function needs to be enhanced to correctly process and return Advanced Event Selectors.

In aws_cloudtrails.go, the function eventSelectors() also needs to be able to retrieve the advanced type. The following might be helpful:

    // GetEventSelectors returns both EventSelectors and AdvancedEventSelectors.
    resp, err := svc.GetEventSelectors(ctx, &cloudtrail.GetEventSelectorsInput{
        TrailName: aws.String(a.Arn),
    })
    if err != nil {
        return nil, fmt.Errorf("error getting advanced event selectors: %w", err)
    }

    // Convert each advanced selector into a generic map.
    var selectors []interface{}
    for _, selector := range resp.AdvancedEventSelectors {
        fieldSelectors := make([]map[string]interface{}, 0)
        for _, field := range selector.FieldSelectors {
            fieldSelector := map[string]interface{}{
                "Field":  field.Field,
                "Equals": field.Equals,
            }
            fieldSelectors = append(fieldSelectors, fieldSelector)
        }

        selectorMap := map[string]interface{}{
            "Name":           selector.Name,
            "FieldSelectors": fieldSelectors,
        }
        selectors = append(selectors, selectorMap)
    }

We might need to have 2 functions for this purpose.

The outcome here shows that eventSelectors for the second one, which is the advanced eventType, is empty.

Screenshot from 2024-02-20 15-04-26
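
An added example, not part of the original issue or of cnquery's code: a check for S3 object-level write logging that evaluates both selector kinds, so a trail configured only with advanced event selectors is not reported as unlogged. The struct types and the `LogsS3ObjectWrites` and `has` names are hypothetical stand-ins for the SDK response; it assumes advanced selectors match with `Equals` only.

```go
package main

import "fmt"

// Simplified stand-ins (assumption): FieldSelectors flattened to Field -> Equals.
type EventSelector struct {
	ReadWriteType string   // "ReadOnly", "WriteOnly" or "All"
	DataTypes     []string // the DataResources[].Type values
}
type AdvancedEventSelector struct {
	Name   string
	Equals map[string][]string
}

func has(vals []string, want string) bool {
	for _, v := range vals {
		if v == want {
			return true
		}
	}
	return false
}

// LogsS3ObjectWrites reports whether either selector kind records S3
// object-level write events (bucket ARN scoping is not evaluated).
func LogsS3ObjectWrites(basic []EventSelector, adv []AdvancedEventSelector) bool {
	for _, s := range basic {
		if s.ReadWriteType != "ReadOnly" && has(s.DataTypes, "AWS::S3::Object") {
			return true
		}
	}
	for _, s := range adv {
		ro, restricted := s.Equals["readOnly"]
		// Without a readOnly field selector, reads and writes are both logged.
		writes := !restricted || has(ro, "false")
		if writes && has(s.Equals["eventCategory"], "Data") &&
			has(s.Equals["resources.type"], "AWS::S3::Object") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a trail configured with advanced selectors only.
	adv := []AdvancedEventSelector{{Name: "s3-writes", Equals: map[string][]string{
		"eventCategory": {"Data"}, "resources.type": {"AWS::S3::Object"}, "readOnly": {"false"}}}}
	fmt.Println("S3 object-level writes logged:", LogsS3ObjectWrites(nil, adv))
}
```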