update(plugins/cloudtrail): support pre-ControlTower organization trails

uhei · uhei · commit 97ae6516be1a · 2025-03-05T21:22:01.000+01:00
Some pre-ControlTower organization Cloutrail trails are missing the OrgId
in the AWSLogs S3 path. Making the OrgId optional gives them the option
to use S3AccountList.

Signed-off-by: Uli Heilmeier &lt;uh@heilmeier.eu&gt;
diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 	PluginName               = "cloudtrail"
 	PluginDescription        = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 	PluginContact            = "github.com/falcosecurity/plugins/"
-	PluginVersion            = "0.12.4"
+	PluginVersion            = "0.12.5"
 	PluginEventSource        = "aws_cloudtrail"
 )
 
diff --git a/plugins/cloudtrail/pkg/cloudtrail/source.go b/plugins/cloudtrail/pkg/cloudtrail/source.go
@@ -271,15 +271,17 @@ func (oCtx *PluginInstance) openS3(input string) error {
 	// bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
 	// for organization trails the format is
 	// bucket_name/prefix_name/AWSLogs/O-ID/Account ID/CloudTrail/Region/YYYY/MM/DD/AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
+	// for pre ControlTower organization trails the format is
+	// bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/Region/YYYY/MM/DD/AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
 	// Reduce the number of pages we have to process using "StartAfter" parameters
 	// here, then trim individual filepaths below.
 
 	intervalPrefix := prefix
 
 	// For durations, carve out a special case for "Copy S3 URI" in the AWS console, which gives you
 	// bucket_name/prefix_name/AWSLogs/<Account ID>/ or bucket_name/prefix_name/AWSLogs/<Org-ID>/<Account ID>/
-	awsLogsRE := regexp.MustCompile(`AWSLogs/(?:o-[a-z0-9]{10,32}/)?\d{12}/?$`)
-	awsLogsOrgRE := regexp.MustCompile(`AWSLogs/o-[a-z0-9]{10,32}/?$`)
+	awsLogsRE := regexp.MustCompile(`/AWSLogs/(?:o-[a-z0-9]{10,32}/)?\d{12}/?$`)
+	awsLogsOrgRE := regexp.MustCompile(`/AWSLogs(?:/o-[a-z0-9]{10,32})?/?$`)
 	if awsLogsRE.MatchString(prefix) {
 		if (! strings.HasSuffix(intervalPrefix, "/")) {
 			intervalPrefix += "/"

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ const (`
`48`	`48`	`PluginName = "cloudtrail"`
`49`	`49`	`PluginDescription = "reads cloudtrail JSON data saved to file in the directory specified in the settings"`
`50`	`50`	`PluginContact = "github.com/falcosecurity/plugins/"`
`51`		`- PluginVersion = "0.12.4"`
	`51`	`+ PluginVersion = "0.12.5"`
`52`	`52`	`PluginEventSource = "aws_cloudtrail"`
`53`	`53`	`)`
`54`	`54`