Add access checks for several checks

checks/check_extra720

@@ -22,10 +22,18 @@ CHECK_SERVICENAME_extra720="lambda"
 extra720(){
   # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
   for regx in $REGIONS; do
-    LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
+    LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query 'Functions[*].FunctionName' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_FUNCTIONS" | grep AccessDenied) ]]; then
+      textFail "$regx: Access Denied trying to list functions"
+      continue
+    fi
     if [[ $LIST_OF_FUNCTIONS ]]; then
-      for lambdafunction in $LIST_OF_FUNCTIONS;do
-        LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[].TrailARN --output text)
+      LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].TrailARN' --output text 2>&1)
+      if [[ $(echo "$LIST_OF_TRAILS" | grep AccessDenied) ]]; then
+        textFail "$regx: Access Denied trying to describe trails"
+        continue
+      fi
+      for lambdafunction in $LIST_OF_FUNCTIONS; do
         if [[ $LIST_OF_TRAILS ]]; then
           for trail in $LIST_OF_TRAILS; do
             FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:${AWS_PARTITION}:lambda.*function:$lambdafunction$|^arn:${AWS_PARTITION}:lambda$")
@@ -52,7 +60,7 @@ extra720(){
         else
           textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
         fi
-      done
+     done
     else
       textInfo "$regx: No Lambda functions found" "$regx"
     fi