From 1df80fd94be95ae14b01ad2b0d3c7e52541f0c77 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 26 Jan 2022 15:38:55 -0800
Subject: [PATCH] Escape double-quotes in aws cloudtrail rule

The rule Delete Bucket Public Access Block has a predicate `json.value[/requestParameters/publicAccessBlock]=""` to match an event snippet like this:

```
"requestParameters": {
"publicAccessBlock": "",
```

The cloudtrail plugin properly returns `""` for this field, but the yaml representation was a literal back-to-back quote, which gets interpreted by the yaml parser to be an empty string. Escaping the back-to-back quote fixes the ambiguity.

Signed-off-by: Mark Stemm
---
 rules/aws_cloudtrail_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/aws_cloudtrail_rules.yaml b/rules/aws_cloudtrail_rules.yaml
index 6dafb0d1..c3c2c0f9 100644
--- a/rules/aws_cloudtrail_rules.yaml
+++ b/rules/aws_cloudtrail_rules.yaml
@@ -335,7 +335,7 @@
 desc: Detect deleting blocking public access to bucket.
 condition:
 ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
- json.value[/requestParameters/publicAccessBlock]="" and
+ json.value[/requestParameters/publicAccessBlock]='""' and
 (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
 json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
 json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
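Review bot: The added predicate `json.value[/requestParameters/publicAccessBlock]='""' and` now matches a two-character literal (two double-quote marks) rather than an empty string, and nothing in the rule records why, so the next maintainer is likely to "simplify" it back to `=""` and silently break the detection. Put a YAML comment line directly above `condition:` (outside the scalar, so it is not parsed as part of the filter), e.g. `# publicAccessBlock is matched as the literal '""' because the plugin exposes the JSON-encoded value here; '=""' would compare against an empty string and never match.` — the "JSON-encoded" part is inferred from the commit message and should be confirmed against the cloudtrail plugin's field behaviour. Since the fix was found empirically, a sample CloudTrail event with `"publicAccessBlock": ""` in the rule test corpus (if the repository keeps one) would pin that this rule fires and catch any future plugin change in how empty strings are rendered. The enclosing rule entry begins before this hunk and the `condition` scalar continues past its last line.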