CloudTrail SNS Topic Name Undefined
- Query id: 3e09413f-471e-40f3-8626-990c79ae63f3
- Query name: CloudTrail SNS Topic Name Undefined
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- URL: Github
Description
Checks whether `SnsTopicName` is set on every `AWS::CloudTrail::Trail` resource, so that a notification is published when new log files are delivered. A trail with the property missing or set to an empty string fails the check.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  myTrail3:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      IsLogging: false
      IsMultiRegionTrail: true
  myTrail4:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: false
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName: ""
      IsLogging: false
      IsMultiRegionTrail: true
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "myTrail5": {
      "DependsOn": [
        "BucketPolicy",
        "TopicPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsMultiRegionTrail": true,
        "S3BucketName": {
          "Ref": "S3Bucket"
        },
        "IsLogging": false
      }
    },
    "myTrail6": {
      "DependsOn": [
        "BucketPolicy",
        "TopicPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "EnableLogFileValidation": false,
        "S3BucketName": {
          "Ref": "S3Bucket"
        },
        "SnsTopicName": "",
        "IsLogging": false,
        "IsMultiRegionTrail": true
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: true
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Type": "String",
      "Description": "Email address to notify when new logs are published."
    }
  },
  "Resources": {
    "myTrail2": {
      "DependsOn": [
        "BucketPolicy",
        "TopicPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsLogging": true,
        "IsMultiRegionTrail": true,
        "EnableLogFileValidation": true,
        "S3BucketName": {
          "Ref": "S3Bucket"
        },
        "SnsTopicName": {
          "Fn::GetAtt": [
            "Topic",
            "TopicName"
          ]
        }
      }
    },
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    }
  }
}
```
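A small checker that applies the same rule to a parsed template, written for this page rather than taken from KICS's own Rego query: it reports every `AWS::CloudTrail::Trail` whose `SnsTopicName` is absent or an empty string (both positive cases above) and accepts an intrinsic such as `Fn::GetAtt` as defined (the negative cases). It runs against a constructed JSON template embedded below; a YAML template loaded with PyYAML into the same dict structure works identically, since the long-form `Ref:` / `Fn::GetAtt:` used in the samples parse as plain mappings.

```python
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"

def sns_topic_undefined(properties):
    """True for the page's positive cases: SnsTopicName absent or "".
    A non-empty string or an intrinsic object (Ref / Fn::GetAtt) counts as
    defined; a whitespace-only string is treated as empty here (our choice)."""
    value = properties.get("SnsTopicName")
    if value is None:
        return True
    if isinstance(value, str):
        return value.strip() == ""
    if isinstance(value, dict):
        return len(value) == 0
    return False

def find_trails_without_sns_topic(template):
    """Return the logical ids of every CloudTrail trail that fails the check."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != TRAIL_TYPE:
            continue
        if sns_topic_undefined(resource.get("Properties") or {}):
            findings.append(logical_id)
    return findings

# Constructed sample template: one compliant trail and two failing ones.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
      "S3BucketName": {"Ref": "S3Bucket"}, "IsLogging": true,
      "SnsTopicName": {"Fn::GetAtt": ["Topic", "TopicName"]}}},
    "MissingTopicTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
      "S3BucketName": {"Ref": "S3Bucket"}, "IsLogging": true}},
    "EmptyTopicTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
      "S3BucketName": {"Ref": "S3Bucket"}, "SnsTopicName": ""}},
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")

if __name__ == "__main__":
    for logical_id in find_trails_without_sns_topic(SAMPLE_TEMPLATE):
        print(f"{logical_id}: SnsTopicName is undefined or empty")
```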