fix(cross account): cloudtrail s3 bucket logging (#1902)

2026-02-14 02:55:05 +00:00 · 2023-02-14 11:23:31 +01:00
parent 259e9f1c17
commit 2d5de6ff99
2 changed files with 61 additions and 6 deletions
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
@@ -10,6 +10,7 @@ class cloudtrail_logs_s3_bucket_access_logging_enabled(Check):
        findings = []
        for trail in cloudtrail_client.trails:
            if trail.name:
+                trail_bucket_is_in_account = False
                trail_bucket = trail.s3_bucket
                report = Check_Report_AWS(self.metadata())
                report.region = trail.region
@@ -21,13 +22,19 @@ class cloudtrail_logs_s3_bucket_access_logging_enabled(Check):
                else:
                    report.status_extended = f"Single region Trail {trail.name} S3 bucket access logging is not enabled for bucket {trail_bucket}"
                for bucket in s3_client.buckets:
-                    if trail_bucket == bucket.name and bucket.logging:
-                        report.status = "PASS"
-                        if trail.is_multiregion:
-                            report.status_extended = f"Multiregion trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}"
-                        else:
-                            report.status_extended = f"Single region trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}"
+                    if trail_bucket == bucket.name:
+                        trail_bucket_is_in_account = True
+                        if bucket.logging:
+                            report.status = "PASS"
+                            if trail.is_multiregion:
+                                report.status_extended = f"Multiregion trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}"
+                            else:
+                                report.status_extended = f"Single region trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}"
+                        break

+                # check if trail is delivering logs in a cross account bucket
+                if not trail_bucket_is_in_account:
+                    report.status_extended = f"Trail {trail.name} is delivering logs in a cross-account bucket {trail_bucket} in another account out of Prowler's permissions scope, please check it manually"
                findings.append(report)

        return findings