From fc83a9896c7c8005b83400a4cb3a344d1fcb1e5d Mon Sep 17 00:00:00 2001
From: Patrick Downey
Date: Wed, 8 Apr 2020 13:27:09 +0100
Subject: [PATCH] Use TrailARN property to query get-event-selectors in checks_extra725

This will work to query cloudtrail's that are in different accounts. e.g. in the case of organisation managed cloudtrails.
---
 checks/check_extra725 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/checks/check_extra725 b/checks/check_extra725
index 257a3d8e..259782a9 100644
--- a/checks/check_extra725
+++ b/checks/check_extra725
@@ -33,15 +33,15 @@ extra725(){
 # now create a list with all trails available and their region
 TEMP_TRAILS_LIST_FILE=$(mktemp -t prowler.trails-list-XXXXXX)
 for regx in $REGIONS; do
- $AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].[Name,HomeRegion] --output text >> $TEMP_TRAILS_LIST_FILE
+ $AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].[TrailARN,HomeRegion] --output text >> $TEMP_TRAILS_LIST_FILE
 done
 # look for buckets being logged per trail and create a list with them
 TEMP_BUCKETS_LOGGING_LIST_FILE=$(mktemp -t prowler.buckets-logging-list-XXXXXX)
 while IFS='' read -r LINE || [[ -n "${LINE}" ]]; do
 TRAIL_REGION=$(echo "${LINE}" | awk '{ print $2 }')
- TRAIL_NAME=$(echo "${LINE}" | awk '{ print $1 }')
- BUCKETS_OBJECT_LOGGING_ENABLED=$($AWSCLI cloudtrail get-event-selectors --trail-name "${TRAIL_NAME}" $PROFILE_OPT --region $TRAIL_REGION --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g')
+ TRAIL_ARN=$(echo "${LINE}" | awk '{ print $1 }')
+ BUCKETS_OBJECT_LOGGING_ENABLED=$($AWSCLI cloudtrail get-event-selectors --trail-name "${TRAIL_ARN}" $PROFILE_OPT --region $TRAIL_REGION --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g')
 echo $BUCKETS_OBJECT_LOGGING_ENABLED |tr " " "\n"|sort >> $TEMP_BUCKETS_LOGGING_LIST_FILE
 if [[ $BUCKETS_OBJECT_LOGGING_ENABLED ]]; then
 for bucket in $BUCKETS_OBJECT_LOGGING_ENABLED; do
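Review bot: In the second `+` block the exit status of the new ARN-based `get-event-selectors` call is lost inside `$( … | xargs -n1 | cut … | sed … )`, so any failure — now including an AccessDenied from the account that owns an organisation trail, the very case this commit enables — leaves `BUCKETS_OBJECT_LOGGING_ENABLED` empty and is indistinguishable from a trail with no S3 data-event selectors, which downstream reads as "nothing is logged". I would capture the raw query output first, test the command's status, and skip the trail with a warning on failure, as below. Separately and pre-existing, if a trail's selector value is the account-wide `arn:aws:s3:::` (a common organisation-trail configuration), `cut -d: -f 6` yields an empty string and that trail is likewise reported as logging nothing — worth a follow-up check for the wildcard before the `cut`, if I am reading the value format right. extra725 starts before this hunk, and its `while` loop and both `for` loops continue past it.

```shell
    TRAIL_ARN=$(echo "${LINE}" | awk '{ print $1 }')
    # Query by ARN so organisation trails owned by another account resolve; keep the
    # CLI exit status so an AccessDenied there is not mistaken for "no S3 data events".
    if ! SELECTORS=$($AWSCLI cloudtrail get-event-selectors --trail-name "${TRAIL_ARN}" $PROFILE_OPT --region $TRAIL_REGION --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text 2>&1); then
      echo "WARNING: cannot read event selectors of ${TRAIL_ARN}: ${SELECTORS}" >&2
      continue
    fi
    BUCKETS_OBJECT_LOGGING_ENABLED=$(echo "${SELECTORS}" | xargs -n1 | cut -d: -f 6 | sed 's/\///g')
    # … unchanged: append to TEMP_BUCKETS_LOGGING_LIST_FILE and per-bucket loop …
```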