Tell the compliance status for AWS account, such as where there is no multi-region CloudTrail or where CloudTrail excludes management events (e.g., AWS KMS, Amazon RDS Data API) and flag them as NON_COMPLIANT.

import boto3 import json # Initialize boto3 client for CloudTrail client = boto3.client( 'cloudtrail', aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'), region_name='us-east-2' ) # Fetch all CloudTrails response = client.describe_trails() trails = response.get('trailList', []) compliance_status = {} for trail in trails: trail_name = trail.get('Name') is_multi_region = trail.get('IsMultiRegionTrail', False) management_events = trail.get('IncludeManagementEvents', True) # Check compliance if not is_multi_region or not management_events: compliance_status[trail_name] = 'NON_COMPLIANT' else: compliance_status[trail_name] = 'COMPLIANT' # Print the compliance status print(json.dumps(compliance_status, indent=4, default=str))