Can't Detect ListProfileObjects as an Event Trigger in Event Bridge


Hello,

I am trying to get this event name/API call from CloudTrail or EventBridge so it can trigger a Lambda, but I cannot trigger the EventBridge rule; it only shows SearchProfile, with no ProfileID or key included.

Here is my pattern:

```json
{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"]
  }
}
```

Only SearchProfile is showing in the Lambda CloudWatch logs, but no ListProfileObjects, while in CloudTrail here is the log:

```json
"eventTime": "2024-08-12T06:28:33Z",
"eventSource": "profile.amazonaws.com",
"eventName": "ListProfileObjects",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "connect.amazonaws.com",
"userAgent": "connect.amazonaws.com",
```

Here is the CloudTrail event:

Joemar
asked 2 months ago, 149 views
1 answer

Hello,

The issue you're facing is that CloudTrail captures the ListProfileObjects event, but EventBridge might not have a predefined pattern for it.

1. Use a broader pattern in EventBridge:

  • Instead of specifying `"eventName": "ListProfileObjects"`, use a wildcard character * to match any event name starting with "ListProfileObjects". This will capture all ListProfileObjects events, including variations.

The updated pattern:

```json
{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"],
    "eventName": [{ "wildcard": "ListProfileObjects*" }]
  }
}
```


2. Use CloudTrail Lake with Lambda Function:

  • If you need more granular control or want to process specific details within the ListProfileObjects event, consider using CloudTrail Lake.
  • CloudTrail Lake stores CloudTrail events in a data lake format (e.g., S3 bucket with Parquet files).
  • You can create a Lambda function triggered by changes in the S3 bucket where CloudTrail Lake stores events.
  • Inside the Lambda function, you can parse the CloudTrail event data (using a library like PyArrow) and identify events based on eventName or other relevant fields. This allows for more flexibility in filtering and processing events.

**Referral Links:**

EventBridge Patterns: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html  

CloudTrail Lake: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html

Using Lambda with S3: https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html

EXPERT
answered 2 months ago
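As an added illustration (not code from this thread or from AWS), the following Python re-implements a subset of the documented EventBridge event-pattern semantics so the `detail` sub-patterns discussed in the answer can be compared offline against CloudTrail detail objects constructed from the fields quoted in the question. It shows that a plain string such as `"ListProfileObjects*"` is compared literally and never matches, that the `{"wildcard": ...}` matcher form does match, and that a pattern with no `eventName` key passes every event from the source. The top-level `source` field is left out because its correct value should be read from a real delivered event, `DomainName` is replaced with a placeholder, and `match_pattern`, `evaluate` and the sample objects are names introduced here.

```python
"""Local re-implementation of a subset of EventBridge event-pattern matching.

Added example (not AWS code): enough of the documented semantics to compare the
patterns discussed in this thread offline. Supported leaf forms: exact match,
{"prefix": ...}, {"wildcard": ...} and {"exists": true/false}.
"""

_MISSING = object()  # sentinel for "field absent from the event"


def _wildcard(glob, text):
    """EventBridge-style wildcard: '*' matches any run of characters, all else literal."""
    parts = glob.split("*")
    if len(parts) == 1:
        return glob == text
    if not text.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = text.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    tail = parts[-1]
    return text.endswith(tail) and len(text) - len(tail) >= pos


def _match_leaf(rule, value):
    """Match one element of a pattern array against the event's field value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "wildcard" in rule:
            return isinstance(value, str) and _wildcard(rule["wildcard"], value)
        if "exists" in rule:
            return bool(rule["exists"]) == (value is not _MISSING)
        raise ValueError(f"unsupported matcher: {rule}")
    # A bare JSON value must equal the event value exactly; "Foo*" is just a
    # literal string here, which is why it never matches "FooBar".
    return rule == value


def match_pattern(pattern, event):
    """Every key in the pattern must be satisfied; a leaf array matches if ANY element does."""
    for key, sub in pattern.items():
        value = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        if isinstance(sub, dict):  # nested object: recurse into the event's sub-object
            if not isinstance(value, dict) or not match_pattern(sub, value):
                return False
        elif isinstance(sub, list):
            if not any(_match_leaf(rule, value) for rule in sub):
                return False
        else:
            raise ValueError("pattern leaves must be arrays of matchers")
    return True


# Constructed CloudTrail `detail` objects modelled on the fields quoted in the
# thread (profile ID value redacted as in the original; DomainName is a placeholder).
SEARCH_PROFILES = {
    "eventSource": "profile.amazonaws.com",
    "eventName": "SearchProfiles",
    "requestParameters": {
        "KeyName": "_profileId",
        "max-results": "10",
        "DomainName": "example-domain",
        "Values": "***",
    },
}
LIST_PROFILE_OBJECTS = {
    "eventSource": "profile.amazonaws.com",
    "eventName": "ListProfileObjects",
    "awsRegion": "ap-southeast-2",
    "userAgent": "connect.amazonaws.com",
}

SRC = ["profile.amazonaws.com"]
# The `detail` sub-patterns under comparison (names are ours).
PATTERNS = {
    "any_event": {"eventSource": SRC},
    "literal_star": {"eventSource": SRC, "eventName": ["ListProfileObjects*"]},
    "wildcard": {"eventSource": SRC, "eventName": [{"wildcard": "ListProfileObjects*"}]},
    "exact": {"eventSource": SRC, "eventName": ["ListProfileObjects"]},
    "profile_key": {"eventSource": SRC, "requestParameters": {"KeyName": ["_profileId"]}},
}


def evaluate(detail):
    """Return {pattern name: matched?} for one CloudTrail detail object."""
    return {name: match_pattern(p, detail) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, detail in (("SearchProfiles", SEARCH_PROFILES),
                          ("ListProfileObjects", LIST_PROFILE_OBJECTS)):
        print(label, evaluate(detail))
```

This matcher is only a local approximation for reasoning about a pattern. For the authoritative verdict, copy a full event (with its envelope fields) out of the Lambda's CloudWatch log or the CloudTrail console and run `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, which evaluates the pattern with the service-side matcher.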
  • I can see the event in CloudTrail, but it is not showing when I put it in the rules; only SearchProfile is showing, and the profile ID (`"KeyName": "_profileId"`) is hidden.

  • OK, then try this:

    Include wildcard for profile ID: If the profileId is variable, use a wildcard (*) in the event pattern to capture any value. Code:

    ```json
    {
      "source": ["profile.amazonaws.com"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["profile.amazonaws.com"],
        "eventName": ["ListProfileObjects"],
        "requestParameters": {
          "KeyName": ["_profileId"]
        }
      }
    }
    ```

    CloudTrail Event Format:

    1. Verify event structure: Examine the CloudTrail event structure closely to ensure the profileId is indeed within the KeyName field and formatted as expected.
    2. Consider using requestParameters: If the profileId is part of the request parameters, use the requestParameters field in the event pattern.
  • Hello @NARRAVULA,

    Still can't get it. I tried using only the code below (Code 1) to see if I can get all APIs in profile.amazon, but sadly only SearchProfiles and UpdateProfiles are being caught, so I am now not sure if ListProfileObjects is a private API or something?

    But my real goal is to get the Profile ID. I ended up on ListProfileObjects because it shows the profile ID, unlike SearchProfiles, which only shows Code 2.

    Code 1:

    ```json
    {
      "source": ["profile.amazonaws.com"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["profile.amazonaws.com"]
      }
    }
    ```

    Code 2 (this is on SearchProfiles):

    ```json
    "requestParameters": {
      "KeyName": "_profileId",
      "max-results": "10",
      "DomainName": "amazon-connect-icxeed-client",
      "Values": "***"
    }
    ```

  • CloudTrail might be missing info.

    You're not seeing all the API calls you expect. Check the CloudTrail settings and make sure it's recording everything.

    Focus on getting the Profile ID:

    Try looking for the Profile ID in other API calls, or use a different tool to get it if needed.

    Adjust the EventBridge Rule:

    ```json
    { "source": ["aws.profile"], "detail-type": ["AWS API Call via CloudTrail"] }
    ```
