Control: Redundant enabled regional ActionTrail trails should be reviewed

Usage

Run the control in your terminal:

steampipe check alicloud_thrifty.control.actiontrail_multiple_regional_trails

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share alicloud_thrifty.control.actiontrail_multiple_regional_trails

alicloud_action_trail

SQL

with global_trails as (
  select
    count(*) as total
  from
    alicloud_action_trail
  where
    trail_region = 'All'
    and status = 'Enable'
),
org_trails as (
  select
    count(*) as total
  from
    alicloud_action_trail
  where
    trail_region = 'All'
    and status = 'Enable'
),
regional_trails as (
  select
    region,
    count(*) as total
  from
    alicloud_action_trail
  where
    status = 'Enable'
    and not trail_region = 'All'
    and not is_organization_trail
  group by
    region
)
select
  'acs:actiontrail:' || home_region || ':' || account_id || ':actiontrail/' || name as resource,
  case
    when global_trails.total > 0 then 'alarm'
    when org_trails.total > 0 then 'alarm'
    when regional_trails.total > 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when global_trails.total > 0 then name || ' is redundant to a global trail.'
    when org_trails.total > 0 then name || ' is redundant to a organizational trail.'
    when regional_trails.total > 1 then name || ' is one of ' || regional_trails.total || ' trails in ' || t.region || '.'
    else name || ' is the only regional trail.'
  end as reason,
  t.account_id,
  t.region
from
  alicloud_action_trail as t,
  global_trails,
  org_trails,
  regional_trails
where
  status = 'Enable'
  and regional_trails.region = t.region
  and not trail_region = 'All'
  and not is_organization_trail;

Tags