From 2c580dd750be26b166c30c2f4ff9346d22fb7047 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 2 Apr 2020 00:19:43 +0200
Subject: [PATCH] Fix issue #488 only works if CloudWatchLog configuration
---
 include/check3x | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/check3x b/include/check3x
index 8e805e90..cabe626a 100644
--- a/include/check3x
+++ b/include/check3x
@@ -15,8 +15,8 @@ check3x(){
 local CHECK_CROSS_ACCOUNT_WARN
 # In order to make all these checks work properly logs and alarms have to
- # be based only on CloudTrail tail set as "IsMultiRegionTrail" = True.
- DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?IsMultiRegionTrail == `true` ]')
+ # be based only on CloudTrail tail with CloudWatchLog configuration.
+ DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?CloudWatchLogsLogGroupArn != `null`]')
 TRAIL_LIST=$(echo $DESCRIBE_TRAILS_CACHE | jq -r '. |@base64')
 CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
 CLOUDWATCH_LOGGROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{print $7}')
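Review bot: The new `--query` on `DESCRIBE_TRAILS_CACHE` drops the `IsMultiRegionTrail` predicate entirely, so a single-region trail that has a CloudWatch Logs group now qualifies as the basis for the metric-filter and alarm checks. If the rest of check3x (outside this hunk) treats any cached trail as sufficient, an account whose only log-integrated trail covers one region could pass while activity in other regions goes unmonitored. Unless issue #488 specifically requires single-region trails to count, consider keeping both conditions, ``trailList[?IsMultiRegionTrail == `true` && CloudWatchLogsLogGroupArn != `null`]``, or reporting single-region matches as a warning rather than a pass. The updated comment should also say which trails are intentionally included, e.g. `# be based on CloudTrail trails that deliver to CloudWatch Logs (multi-region or not).`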