Can't Detect ListProfileObjects as an Event Trigger in EventBridge


Hello,

I am trying to get this eventName/API call from CloudTrail or EventBridge so it can trigger a Lambda, but I cannot trigger the EventBridge rule; it only shows SearchProfile with no ProfileID or key included.

Here is my pattern:

{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"]
  }
}

Only SearchProfile is showing in the Lambda CloudWatch logs, but no ListProfileObjects, while in CloudTrail here is the log:

"eventTime": "2024-08-12T06:28:33Z",
"eventSource": "profile.amazonaws.com",
"eventName": "ListProfileObjects",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "connect.amazonaws.com",
"userAgent": "connect.amazonaws.com",

Here is the CloudTrail event:

1 answer

Hello,

The issue you're facing is that CloudTrail captures the ListProfileObjects event, but EventBridge might not have a predefined pattern for it.

1. Use a broader pattern in EventBridge:

  • Instead of specifying "eventName": "ListProfileObjects", use a wildcard character * to match any event name starting with "ListProfileObjects". This will capture all ListProfileObjects events, including variations.

The updated pattern:

{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"],
    "eventName": [{"wildcard": "ListProfileObjects*"}]
  }
}

(The "wildcard" content filter captures all ListProfileObjects events; a bare "ListProfileObjects*" string would be matched literally, and JSON does not allow comments inside the pattern.)

2. Use CloudTrail Lake with Lambda Function:

  • If you need more granular control or want to process specific details within the ListProfileObjects event, consider using CloudTrail Lake.
  • CloudTrail Lake stores CloudTrail events in a data lake format (e.g., S3 bucket with Parquet files).
  • You can create a Lambda function triggered by changes in the S3 bucket where CloudTrail Lake stores events.
  • Inside the Lambda function, you can parse the CloudTrail event data (using a library like PyArrow) and identify events based on eventName or other relevant fields. This allows for more flexibility in filtering and processing events.

**Referral Links:**

EventBridge Patterns: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html  

CloudTrail Lake: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html

Using Lambda with S3: https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html

EXPERT
answered 2 months ago
  • I can see the event in CloudTrail, but it is not showing when I put it in the rules; only SearchProfile is showing, but "KeyName": "_profileId" (the profile ID) is hidden.

  • OK, then try this:

    Include a wildcard for the profile ID: If the profileId is variable, use a wildcard (*) in the event pattern to capture any value. Code:

    {
      "source": ["profile.amazonaws.com"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["profile.amazonaws.com"],
        "eventName": ["ListProfileObjects"],
        "requestParameters": {
          "KeyName": ["_profileId"]
        }
      }
    }

    CloudTrail Event Format:

    1. Verify event structure: Examine the CloudTrail event structure closely to ensure the profileId is indeed within the KeyName field and formatted as expected.
    2. Consider using requestParameters: If the profileId is part of the request parameters, use the requestParameters field in the event pattern.
  • Hello @NARRAVULA,

    Still can't get it. I tried only using the code below (code 1) to see if I can get all APIs in profile.amazon, but sadly only SearchProfiles and UpdateProfiles are being caught, so I am now not sure if ListProfileObjects is a private API or something?

    But my real goal is to get the Profile ID. I ended up on ListProfileObjects because it shows the profile ID, unlike SearchProfiles, which only shows code 2.

    Code 1:

    {
      "source": ["profile.amazonaws.com"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["profile.amazonaws.com"]
      }
    }

    Code 2 (this is on SearchProfiles):

    "requestParameters": {
      "KeyName": "_profileId",
      "max-results": "10",
      "DomainName": "amazon-connect-icxeed-client",
      "Values": "***"
    }

  • CloudTrail might be missing info.

    You're not seeing all the API calls you expect. Check CloudTrail settings and make sure it's recording everything.

    Focus on getting the Profile ID:

    Try looking for the Profile ID in other API calls or use a different tool to get it if needed.

    Adjust EventBridge Rule:

    {
      "source": ["aws.profile"],
      "detail-type": ["AWS API Call via CloudTrail"]
    }
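To see why the patterns in this thread do or do not fire, here is an added Python script (not from the question, the answer, or AWS) that re-implements a reduced form of EventBridge pattern matching: literal values, the `prefix` and `wildcard` content filters, and nested `detail` keys. It assumes the CloudTrail record is wrapped in an EventBridge envelope whose `source` is `aws.profile`, as the last comment suggests; the sample event is constructed from the record quoted in the question.

```python
import fnmatch

# Constructed EventBridge envelope for the CloudTrail record quoted in the question.
# "source" follows the last comment ("aws.profile"); "readOnly" is the CloudTrail flag.
SAMPLE_EVENT = {
    "source": "aws.profile",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "profile.amazonaws.com",
        "eventName": "ListProfileObjects",
        "readOnly": True,
        "requestParameters": {"KeyName": "_profileId", "DomainName": "example-domain"},
    },
}

def _value_matches(rule, value):
    """One pattern element against one event value: literal, prefix or wildcard form."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "wildcard" in rule:  # EventBridge wildcards only use '*'; fnmatch is a superset
            return isinstance(value, str) and fnmatch.fnmatchcase(value, rule["wildcard"])
        raise ValueError(f"unsupported matcher: {rule}")
    return rule == value  # a bare string, '*' included, is compared literally

def pattern_matches(pattern, event):
    """Reduced EventBridge semantics: every pattern key must exist in the event,
    a list means 'any of these values', and a nested dict recurses into the event."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not (isinstance(event[key], dict) and pattern_matches(rule, event[key])):
                return False
        elif not any(_value_matches(r, event[key]) for r in rule):
            return False
    return True

CLOUDTRAIL_DETAIL = {"eventSource": ["profile.amazonaws.com"]}
# The question's pattern: "source" holds the eventSource hostname, not the EventBridge source.
QUESTION_PATTERN = {"source": ["profile.amazonaws.com"],
                    "detail-type": ["AWS API Call via CloudTrail"], "detail": CLOUDTRAIL_DETAIL}
# A '*' suffix inside a bare string is matched literally and never fires.
LITERAL_STAR_PATTERN = {"source": ["aws.profile"], "detail-type": ["AWS API Call via CloudTrail"],
                        "detail": {**CLOUDTRAIL_DETAIL, "eventName": ["ListProfileObjects*"]}}
# Corrected: "aws.profile" as source and the wildcard content filter for eventName.
FIXED_PATTERN = {"source": ["aws.profile"], "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {**CLOUDTRAIL_DETAIL, "eventName": [{"wildcard": "ListProfileObjects*"}]}}
```

EventBridge does not deliver read-only CloudTrail events (List*, Get* and Describe* calls) at all, so a rule for ListProfileObjects may stay silent whatever the pattern; check the readOnly field of the CloudTrail record before tuning the rule.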
