feat(cloudtrail): cloudtrail service and checks (#1449)

Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>

providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json

@@ -0,0 +1,35 @@
+{
+    "Provider": "aws",
+    "CheckID": "cloudtrail_cloudwatch_logging_enabled",
+    "CheckTitle": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
+    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
+    "ServiceName": "cloudtrail",
+    "SubServiceName": "",
+    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+    "Severity": "low",
+    "ResourceType": "AwsCloudTrailTrail",
+    "Description": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
+    "Risk": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
+    "RelatedUrl": "",
+    "Remediation": {
+      "Code": {
+        "CLI": "aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group- arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>",
+        "NativeIaC": "",
+        "Other": "https://docs.bridgecrew.io/docs/logging_4#aws-console",
+        "Terraform": ""
+      },
+      "Recommendation": {
+        "Text": "Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.",
+        "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html"
+      }
+    },
+    "Categories": [],
+    "Tags": {
+      "Tag1Key": "value",
+      "Tag2Key": "value"
+    },
+    "DependsOn": [],
+    "RelatedTo": [],
+    "Notes": "",
+    "Compliance": []
+}

providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py

@@ -0,0 +1,44 @@
+from datetime import datetime, timedelta, timezone
+
+from lib.check.models import Check, Check_Report
+from providers.aws.services.cloudtrail.cloudtrail_client import cloudtrail_client
+
+maximum_time_without_logging = 1
+
+
+class cloudtrail_cloudwatch_logging_enabled(Check):
+    def execute(self):
+        findings = []
+        for trail in cloudtrail_client.trails:
+            if trail.name:
+                report = Check_Report(self.metadata)
+                report.region = trail.region
+                report.resource_id = trail.name
+                report.resource_arn = trail.trail_arn
+                report.status = "PASS"
+                if trail.is_multiregion:
+                    report.status_extended = (
+                        f"Multiregion trail {trail.name} has been logging the last 24h"
+                    )
+                else:
+                    report.status_extended = f"Single region trail {trail.name} has been logging the last 24h"
+                if trail.latest_cloudwatch_delivery_time:
+                    last_log_delivery = (
+                        datetime.now().replace(tzinfo=timezone.utc)
+                        - trail.latest_cloudwatch_delivery_time
+                    )
+                    if last_log_delivery > timedelta(days=maximum_time_without_logging):
+                        report.status = "FAIL"
+                        if trail.is_multiregion:
+                            report.status_extended = f"Multiregion trail {trail.name} is not logging in the last 24h"
+                        else:
+                            report.status_extended = f"Single region trail {trail.name} is not logging in the last 24h"
+                else:
+                    report.status = "FAIL"
+                    if trail.is_multiregion:
+                        report.status_extended = f"Multiregion trail {trail.name} is not configured to deliver logs"
+                    else:
+                        report.status_extended = f"Single region trail {trail.name} is not configured to deliver logs"
+                findings.append(report)
+
+        return findings

providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled_test.py

@@ -0,0 +1,225 @@
+from datetime import datetime, timedelta, timezone
+from re import search
+from unittest import mock
+
+from boto3 import client
+from moto import mock_cloudtrail, mock_s3
+
+
+class Test_cloudtrail_cloudwatch_logging_enabled:
+    @mock_cloudtrail
+    @mock_s3
+    def test_trails_sending_logs_during_and_not_last_day(self):
+        cloudtrail_client_us_east_1 = client("cloudtrail", region_name="us-east-1")
+        s3_client_us_east_1 = client("s3", region_name="us-east-1")
+        cloudtrail_client_eu_west_1 = client("cloudtrail", region_name="eu-west-1")
+        s3_client_eu_west_1 = client("s3", region_name="eu-west-1")
+        trail_name_us = "trail_test_us"
+        bucket_name_us = "bucket_test_us"
+        trail_name_eu = "trail_test_eu"
+        bucket_name_eu = "bucket_test_eu"
+        s3_client_us_east_1.create_bucket(Bucket=bucket_name_us)
+        s3_client_eu_west_1.create_bucket(
+            Bucket=bucket_name_eu,
+            CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
+        )
+        trail_us = cloudtrail_client_us_east_1.create_trail(
+            Name=trail_name_us, S3BucketName=bucket_name_us, IsMultiRegionTrail=False
+        )
+        trail_eu = cloudtrail_client_eu_west_1.create_trail(
+            Name=trail_name_eu, S3BucketName=bucket_name_eu, IsMultiRegionTrail=False
+        )
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.cloudtrail.cloudtrail_service import Cloudtrail
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.cloudtrail.cloudtrail_cloudwatch_logging_enabled.cloudtrail_cloudwatch_logging_enabled.cloudtrail_client",
+            new=Cloudtrail(current_audit_info),
+        ) as service_client:
+            # Test Check
+            from providers.aws.services.cloudtrail.cloudtrail_cloudwatch_logging_enabled.cloudtrail_cloudwatch_logging_enabled import (
+                cloudtrail_cloudwatch_logging_enabled,
+            )
+
+            for trail in service_client.trails:
+                if trail.name == trail_name_us:
+                    trail.latest_cloudwatch_delivery_time = datetime.now().replace(
+                        tzinfo=timezone.utc
+                    )
+                elif trail.name == trail_name_eu:
+                    trail.latest_cloudwatch_delivery_time = (
+                        datetime.now() - timedelta(days=2)
+                    ).replace(tzinfo=timezone.utc)
+
+            regions = []
+            for region in service_client.regional_clients.keys():
+                regions.append(region)
+
+            check = cloudtrail_cloudwatch_logging_enabled()
+            result = check.execute()
+            # len of result if has to be 2 since we only have 2 single region trails
+            assert len(result) == 2
+            for report in result:
+                if report.resource_id == trail_name_us:
+                    assert report.resource_id == trail_name_us
+                    assert report.resource_arn == trail_us["TrailARN"]
+                    assert report.status == "PASS"
+                    assert search(
+                        report.status_extended,
+                        f"Single region trail {trail_name_us} has been logging the last 24h",
+                    )
+                if report.resource_id == trail_name_eu:
+                    assert report.resource_id == trail_name_eu
+                    assert report.resource_arn == trail_eu["TrailARN"]
+                    assert report.status == "FAIL"
+                    assert search(
+                        report.status_extended,
+                        f"Single region trail {trail_name_eu} is not logging in the last 24h",
+                    )
+
+    @mock_cloudtrail
+    @mock_s3
+    def test_multi_region_and_single_region_logging_and_not(self):
+        cloudtrail_client_us_east_1 = client("cloudtrail", region_name="us-east-1")
+        s3_client_us_east_1 = client("s3", region_name="us-east-1")
+        cloudtrail_client_eu_west_1 = client("cloudtrail", region_name="eu-west-1")
+        s3_client_eu_west_1 = client("s3", region_name="eu-west-1")
+        trail_name_us = "trail_test_us"
+        bucket_name_us = "bucket_test_us"
+        trail_name_eu = "trail_test_eu"
+        bucket_name_eu = "bucket_test_eu"
+        s3_client_us_east_1.create_bucket(Bucket=bucket_name_us)
+        s3_client_eu_west_1.create_bucket(
+            Bucket=bucket_name_eu,
+            CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
+        )
+        trail_us = cloudtrail_client_us_east_1.create_trail(
+            Name=trail_name_us, S3BucketName=bucket_name_us, IsMultiRegionTrail=True
+        )
+        trail_eu = cloudtrail_client_eu_west_1.create_trail(
+            Name=trail_name_eu, S3BucketName=bucket_name_eu, IsMultiRegionTrail=False
+        )
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.cloudtrail.cloudtrail_service import Cloudtrail
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.cloudtrail.cloudtrail_cloudwatch_logging_enabled.cloudtrail_cloudwatch_logging_enabled.cloudtrail_client",
+            new=Cloudtrail(current_audit_info),
+        ) as service_client:
+            # Test Check
+            from providers.aws.services.cloudtrail.cloudtrail_cloudwatch_logging_enabled.cloudtrail_cloudwatch_logging_enabled import (
+                cloudtrail_cloudwatch_logging_enabled,
+            )
+
+            for trail in service_client.trails:
+                if trail.name == trail_name_us:
+                    trail.latest_cloudwatch_delivery_time = datetime.now().replace(
+                        tzinfo=timezone.utc
+                    )
+                elif trail.name == trail_name_eu:
+                    trail.latest_cloudwatch_delivery_time = (
+                        datetime.now() - timedelta(days=2)
+                    ).replace(tzinfo=timezone.utc)
+
+            regions = []
+            for region in service_client.regional_clients.keys():
+                regions.append(region)
+
+            check = cloudtrail_cloudwatch_logging_enabled()
+            result = check.execute()
+            # len of result should be 24 -> (1 multiregion entry per region + 1 entry because of single region trail)
+            assert len(result) == 24
+            for report in result:
+                if report.resource_id == trail_name_us:
+                    assert report.resource_id == trail_name_us
+                    assert report.resource_arn == trail_us["TrailARN"]
+                    assert report.status == "PASS"
+                    assert search(
+                        report.status_extended,
+                        f"Multiregion trail {trail_name_us} has been logging the last 24h",
+                    )
+                if report.resource_id == trail_name_eu and report.region == "eu-west-1":
+                    assert report.resource_id == trail_name_eu
+                    assert report.resource_arn == trail_eu["TrailARN"]
+                    assert report.status == "FAIL"
+                    assert search(
+                        report.status_extended,
+                        f"Single region trail {trail_name_eu} is not logging in the last 24h",
+                    )
+
+    @mock_cloudtrail
+    @mock_s3
+    def test_trails_sending_and_not_sending_logs(self):
+        cloudtrail_client_us_east_1 = client("cloudtrail", region_name="us-east-1")
+        s3_client_us_east_1 = client("s3", region_name="us-east-1")
+        cloudtrail_client_eu_west_1 = client("cloudtrail", region_name="eu-west-1")
+        s3_client_eu_west_1 = client("s3", region_name="eu-west-1")
+        trail_name_us = "trail_test_us"
+        bucket_name_us = "bucket_test_us"
+        trail_name_eu = "trail_test_eu"
+        bucket_name_eu = "bucket_test_eu"
+        s3_client_us_east_1.create_bucket(Bucket=bucket_name_us)
+        s3_client_eu_west_1.create_bucket(
+            Bucket=bucket_name_eu,
+            CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
+        )
+        trail_us = cloudtrail_client_us_east_1.create_trail(
+            Name=trail_name_us, S3BucketName=bucket_name_us, IsMultiRegionTrail=False
+        )
+        trail_eu = cloudtrail_client_eu_west_1.create_trail(
+            Name=trail_name_eu, S3BucketName=bucket_name_eu, IsMultiRegionTrail=False
+        )
+
+        from providers.aws.lib.audit_info.audit_info import current_audit_info
+        from providers.aws.services.cloudtrail.cloudtrail_service import Cloudtrail
+
+        current_audit_info.audited_partition = "aws"
+
+        with mock.patch(
+            "providers.aws.services.cloudtrail.cloudtrail_cloudwatch_logging_enabled.cloudtrail_cloudwatch_logging_enabled.cloudtrail_client",
+            new=Cloudtrail(current_audit_info),
+        ) as service_client:
+            # Test Check
+            from providers.aws.services.cloudtrail.cloudtrail_cloudwatch_logging_enabled.cloudtrail_cloudwatch_logging_enabled import (
+                cloudtrail_cloudwatch_logging_enabled,
+            )
+
+            for trail in service_client.trails:
+                if trail.name == trail_name_us:
+                    trail.latest_cloudwatch_delivery_time = datetime.now().replace(
+                        tzinfo=timezone.utc
+                    )
+                elif trail.name == trail_name_us:
+                    trail.latest_cloudwatch_delivery_time = None
+
+            regions = []
+            for region in service_client.regional_clients.keys():
+                regions.append(region)
+
+            check = cloudtrail_cloudwatch_logging_enabled()
+            result = check.execute()
+            # len of result if has to be 2 since we only have 2 single region trails
+            assert len(result) == 2
+            for report in result:
+                if report.resource_id == trail_name_us:
+                    assert report.resource_id == trail_name_us
+                    assert report.resource_arn == trail_us["TrailARN"]
+                    assert report.status == "PASS"
+                    assert search(
+                        report.status_extended,
+                        f"Single region trail {trail_name_us} has been logging the last 24h",
+                    )
+                if report.resource_id == trail_name_eu:
+                    assert report.resource_id == trail_name_eu
+                    assert report.resource_arn == trail_eu["TrailARN"]
+                    assert report.status == "FAIL"
+                    assert search(
+                        report.status_extended,
+                        f"Single region trail {trail_name_eu} is not configured to deliver logs",
+                    )