#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    CLOUDTRAIL_S3_DATAEVENTS_ENABLED
#
# Description:
#   Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.
#
# Reports on:
#    AWS::CloudTrail::Trail
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no CloudTrail Trails present
# b) PASS: when all CloudTrail Trails have EventSelectors parameter set
# c) FAIL: when there are CloudTrail Trails with EventSelectors property not present
# d) SKIP: when metada has rule suppression for CLOUDTRAIL_S3_DATAEVENTS_ENABLED

#
# Select all CloudTrail Trail resources from incoming template (payload)
#
let cloudtrail_trails_dataevents = Resources.*[ Type == 'AWS::CloudTrail::Trail'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"
]

rule CLOUDTRAIL_S3_DATAEVENTS_ENABLED when %cloudtrail_trails_dataevents !empty {
  %cloudtrail_trails_dataevents.Properties.EventSelectors EXISTS
  some %cloudtrail_trails_dataevents.Properties.EventSelectors.* == {DataResources:[{Type:'AWS::S3::Object',Values:['arn:aws:s3:::']}],IncludeManagementEvents:true,ReadWriteType:'All'}
  <<
    Violation: CloudTrail Trail should have data events being logged.
    Fix: Set the EventSelectors parameter to enable encryption. The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
  >>
}