From 4ff685635e8c429810b935a6693ab9064d11dfe9 Mon Sep 17 00:00:00 2001
From: Patrick Downey
Date: Wed, 8 Apr 2020 11:54:15 +0100
Subject: [PATCH 1/2] Use TrailARN property to query get-event-selectors

This will work to query cloudtrail's that are in different accounts. e.g. in the case of organisation managed cloudtrails.
---
 checks/check_extra720 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checks/check_extra720 b/checks/check_extra720
index 1bf63cc5..a3a97c9a 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -22,7 +22,7 @@ extra720(){
 LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
 if [[ $LIST_OF_FUNCTIONS ]]; then
 for lambdafunction in $LIST_OF_FUNCTIONS;do
-LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text)
+LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].TrailARN --output text)
 if [[ $LIST_OF_TRAILS ]]; then
 for trail in $LIST_OF_TRAILS; do
 FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$|^arn:aws:lambda$")
From 84711d1ef511e344459d65352ff679572802ae3c Mon Sep 17 00:00:00 2001
From: Patrick Downey
Date: Wed, 8 Apr 2020 12:38:20 +0100
Subject: [PATCH 2/2] Remove HomeRegion predicate from describe-trails to look for cross-region trails too

This will hopefully address #455
---
 checks/check_extra720 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checks/check_extra720 b/checks/check_extra720
index a3a97c9a..dacee06d 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
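Review bot: Feeding the TrailARN to get-event-selectors only helps for a trail owned by another account when the caller is actually permitted to read it; if that call fails (e.g. AccessDenied on an organisation trail), the `|xargs -n1| grep -E` pipeline on the context line below leaves FUNCTION_ENABLED_IN_TRAIL empty, which is indistinguishable from "no data-event selector" and presumably makes the rest of extra720 report the function as not logged rather than as undetermined. Capture the CLI status before grepping, e.g. `SELECTORS=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text) || { echo "could not read event selectors for $trail" >&2; continue; }` and then grep `$SELECTORS`. The new `--query` value is also unquoted while the one on the get-event-selectors line is quoted; `[?HomeRegion==...]` is a valid glob bracket expression, so write `--query "trailList[?HomeRegion==\`$regx\`].TrailARN"`. extra720 starts before and ends after this hunk.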
@@ -22,7 +22,7 @@ extra720(){
 LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
 if [[ $LIST_OF_FUNCTIONS ]]; then
 for lambdafunction in $LIST_OF_FUNCTIONS;do
-LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].TrailARN --output text)
+LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[].TrailARN --output text)
 if [[ $LIST_OF_TRAILS ]]; then
 for trail in $LIST_OF_TRAILS; do
 FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$|^arn:aws:lambda$")
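Review bot: With the HomeRegion predicate removed, describe-trails now returns every trail visible from the region (presumably including shadow trails of multi-region trails, which it lists by default), and because the call still sits inside `for lambdafunction in $LIST_OF_FUNCTIONS;do`, each Lambda function now costs one describe-trails plus one get-event-selectors per trail, repeated for every region — the trail list does not depend on the function, so move `LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[].TrailARN" --output text)` above the `for lambdafunction` line (and ideally cache each trail's selectors) to avoid API throttling on accounts with many functions. A trail being listed does not mean it is logging; if the check is meant to prove data events are actually captured, the `IsLogging` field of get-trail-status would also need consulting, which is beyond this commit. Quoting the `--query` value as above also keeps it consistent with the quoted query on the get-event-selectors line. extra720 starts before and ends after this hunk.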