turbot/alicloud_thrifty

Control: Redundant enabled regional ActionTrail trails should be reviewed

Description

Each regional ActionTrail trail is charged based on the billing policies of an Object Storage Service (OSS) bucket or a Log Service Logstore.

Usage

steampipe check alicloud_thrifty.control.actiontrail_multiple_regional_trails

SQL

with
  -- Enabled trails that already cover all regions
  global_trails as (
    select
      count(*) as total
    from
      alicloud_action_trail
    where
      trail_region = 'All'
      and status = 'Enable'
  ),
  -- Enabled organization trails (the flag the main query excludes below)
  org_trails as (
    select
      count(*) as total
    from
      alicloud_action_trail
    where
      is_organization_trail
      and status = 'Enable'
  ),
  -- Enabled single-region, non-organization trails, counted per region
  regional_trails as (
    select
      region,
      count(*) as total
    from
      alicloud_action_trail
    where
      status = 'Enable'
      and not trail_region = 'All'
      and not is_organization_trail
    group by
      region
  )
select
  'acs:actiontrail:' || home_region || ':' || account_id || ':actiontrail/' || name as resource,
  case
    when global_trails.total > 0 then 'alarm'
    when org_trails.total > 0 then 'alarm'
    when regional_trails.total > 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when global_trails.total > 0 then name || ' is redundant to a global trail.'
    when org_trails.total > 0 then name || ' is redundant to an organizational trail.'
    when regional_trails.total > 1 then name || ' is one of ' || regional_trails.total || ' trails in ' || t.region || '.'
    else name || ' is the only regional trail.'
  end as reason,
  t.region,
  account_id
from
  alicloud_action_trail as t,
  global_trails,
  org_trails,
  regional_trails
where
  status = 'Enable'
  and regional_trails.region = t.region
  and not trail_region = 'All'
  and not is_organization_trail;
