CloudTrail: DataEvents not enabled is incorrect

[teddy-codes]

When using ScoutSuite to audit our infrastructure, we came across a problem where data events were incorrectly being logged.

Our CloudTrail logs from aws look like this:

{
  "TrailARN": "<trail-arn>",
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::Lambda::Function",
          "Values": [
            "arn:aws:lambda"
          ]
        }
      ],
      "ExcludeManagementEventSources": []
    },
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": [
            "arn:aws:s3:::"
          ]
        }
      ],
      "ExcludeManagementEventSources": []
    },
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [],
      "ExcludeManagementEventSources": []
    }
  ]
}

This is the check that is occuring:

ScoutSuite/ScoutSuite/providers/aws/resources/cloudtrail/trails.py

Lines 50 to 53 in 7909f2f

	for event_selector in trail.get('EventSelectors', []):
	trail['DataEventsEnabled'] = len(event_selector['DataResources']) > 0
	trail['ManagementEventsEnabled'] = event_selector['IncludeManagementEvents']

Which is incorrect as it reads not ALL data events, but overwrites DataEventsEnabled while iterating through the EventSelectors.