added policy to check cloudwatch_integration for cloudtrail

avd_docs/aws/cloudtrail/AVD-AWS-0182/docs.md

@@ -0,0 +1,13 @@
+
+Ensures CloudTrail logs are being properly delivered to CloudWatch
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html#send-cloudtrail-events-to-cloudwatch-logs-console
+
+

avd_docs/kubernetes/general/AVD-KSV-0108/docs.md

@@ -2,8 +2,8 @@
 Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554
 
 ### Impact
-Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
-https://www.cvedetails.com/cve/CVE-2020-8554/
+<!-- Add Impact here -->
+
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 

internal/rules/policies/cloud/policies/aws/cloudtrail/ensure_cloudwatch_integration.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "CloudTrail To CloudWatch"
+# description: "Ensures CloudTrail logs are being properly delivered to CloudWatch"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html#send-cloudtrail-events-to-cloudwatch-logs-console
+# custom:
+#   avd_id: AVD-AWS-0182
+#   provider: aws
+#   service: cloudtrail
+#   severity: LOW
+#   short_code: ensure-cloudwatch-integration
+#   recommended_action: "Enable CloudTrail CloudWatch integration for all regions"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.cloudtrail.aws0182
+
+deny[res] {
+	trail := input.aws.cloudtrail.trails[_]
+	trail.cloudwatchlogsloggrouparn.value == ""
+	res := result.new("Trail does not have CloudWatch logging configured", trail.cloudwatchlogsloggrouparn)
+}

internal/rules/policies/cloud/policies/aws/cloudtrail/ensure_cloudwatch_integration_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.cloudtrail.aws0182
+
+test_detects_when_not_configured {
+	r := deny with input as {"aws": {"cloudtrail": {"trails": [{"cloudwatchlogsloggrouparn": {"value": ""}}]}}}
+	count(r) == 1
+}
+
+test_when_configured {
+	r := deny with input as {"aws": {"cloudtrail": {"trails": [{"cloudwatchlogsloggrouparn": {"value": "arn:aws:logs:us-east-1:123456789012:log-group:my-log-group"}}]}}}
+	count(r) == 0
+}