What Changed
Fixed two critical issues in the AWS CloudTrail connector configuration script:
- Variable scoping fix: Introduced a dedicated variable to persist the KMS confirmation decision across different script execution contexts
- AWS CLI syntax fix: Corrected malformed aws cloudtrail update-trail command (missing dash in -kms-key-id flag)
Security Impact (Visibility & Fidelity)
The script errors would cause CloudTrail setup failures in specific scenarios:
- KMS variable scope issue: The KMS confirmation variable was not accessible in nested execution blocks, potentially causing CloudTrail creation to fail or use incorrect encryption settings when KMS was requested
- AWS CLI syntax error: The malformed command ("-kms-key-id" instead of "--kms-key-id") would cause trail updates to fail completely when KMS encryption was enabled
These failures resulted in incomplete CloudTrail ingestion setup — customers attempting to configure AWS audit log collection would encounter deployment errors, leaving them with no AWS API activity visibility in Microsoft Sentinel.
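The two defects described above, shown side by side in an added PowerShell illustration that is not the connector script's own code: the function, variable, trail and KMS key names are assumptions, and the ARN is a placeholder.

```powershell
# Added illustration, not the connector script's own code. Variable and function
# names are assumed; the trail name and KMS key ARN are placeholders.

# --- Before: assigning inside the function creates a new local variable, so the
# --- caller's $kmsConfirmation is never updated and stays $null.
function Confirm-KmsEncryptionBroken {
    $answer = Read-Host "Encrypt CloudTrail logs with KMS? (y/n)"
    $kmsConfirmation = ($answer -eq 'y')   # local to this function only
}

# --- After: an explicitly script-scoped variable survives across nested blocks,
# --- functions and scriptblocks within the same script file.
$script:kmsConfirmation = $false
function Confirm-KmsEncryptionFixed {
    $answer = Read-Host "Encrypt CloudTrail logs with KMS? (y/n)"
    $script:kmsConfirmation = ($answer -eq 'y')
}

function Update-TrailEncryption {
    param(
        [Parameter(Mandatory)][string]$TrailName,
        [Parameter(Mandatory)][string]$KmsKeyArn
    )
    if (-not $script:kmsConfirmation) {
        Write-Host "KMS not confirmed; trail $TrailName keeps default SSE-S3 encryption."
        return
    }
    # A single leading dash ("-kms-key-id") is rejected by the AWS CLI as an
    # unknown option and the update fails; the long option needs two dashes.
    aws cloudtrail update-trail --name $TrailName --kms-key-id $KmsKeyArn
    if ($LASTEXITCODE -ne 0) {
        throw "aws cloudtrail update-trail failed for $TrailName (exit $LASTEXITCODE)"
    }
}

# Verify the resulting trail state instead of trusting the exit code alone.
function Test-TrailKmsKey {
    param([string]$TrailName, [string]$KmsKeyArn)
    $trail = aws cloudtrail get-trail --name $TrailName --output json | ConvertFrom-Json
    return ($trail.Trail.KmsKeyId -eq $KmsKeyArn)
}

Confirm-KmsEncryptionFixed
Update-TrailEncryption -TrailName 'sentinel-trail' `
    -KmsKeyArn 'arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID'
Test-TrailKmsKey -TrailName 'sentinel-trail' `
    -KmsKeyArn 'arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID'
```

Running the broken variant leaves $kmsConfirmation unset, so the trail silently ends up without the requested KMS key even before the CLI syntax error is reached; the post-update check catches either outcome.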
Affected Files
DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1