CloudTrail event guardduty.amazonaws.com : GetRemainingFreeTrialDays not readOnly

0

I'm working on analyzing CloudTrail events as they come in, and when I was setting up a filter (ignore events that are readOnly) I was surprised to see the above events coming through. Is that something that should be marked as readOnly, or is it doing something I'm not aware of? Thanks...

{
  "eventVersion" : "1.08",
  "eventTime" : "2023-04-21T14:33:23Z",
  "eventSource" : "guardduty.amazonaws.com",
  "eventName" : "GetRemainingFreeTrialDays",
  "requestParameters" : {
    "detectorId" : "",
    "accountIds" : [ "", "****" ]
  },
  "readOnly" : false,
  "eventType" : "AwsApiCall",
  "managementEvent" : true,
  "eventCategory" : "Management"
}
posted a year ago · 393 views
1 Answer
0

The readOnly field in a CloudTrail event is a Boolean value that indicates whether the API call made was a read-only operation or not. In the case of the event you provided, the readOnly field is set to false, which means that the API call was not a read-only operation.

However, not all API calls are marked as read-only, even if they don't modify any resources. The AWS API is designed to be flexible, and some API calls may not fit neatly into the read-only or write category. For example, the GetRemainingFreeTrialDays API call you provided may not modify any resources, but it still provides information about the account's free trial, which could be considered a non-read-only operation.

It's generally a good practice to filter out CloudTrail events that are read-only, as they are less likely to be associated with security issues. However, as you have noticed, not all events that don't modify resources are marked as read-only. So, it's important to use your judgement and take into account the specific API being called and the context in which it's being used.

Manu
answered a year ago
  • I think I agree with most of this, but probably not the conclusion in this case. An API call often either effects a change to data or system state or something, or it doesn't. But I can imagine there are some cases that are a bit fuzzier. But in this case, I'm not sure how that can apply, since it is a "get" request and I can't see what data or system state would be changing because of it.

    But, it's not a big deal in any way, just seems confusing.
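The thread's practical takeaway is that a triage filter should not drop events solely on the name looking read-like, nor trust that every harmless call carries `readOnly: true`. The script below is an added example for this page, not code from the question, the answer, or AWS: it parses CloudTrail records (both a bare record and the `{"Records": [...]}` envelope CloudTrail writes to S3), drops events the service itself marks read-only, flags the inconsistent case from the question (a `Get*`/`List*`/`Describe*` name with `readOnly: false`) for analyst review instead of silently dropping it, and keeps everything else. The sample records are constructed; the first mirrors the event in the question, and the prefix convention is a common AWS naming pattern, not a documented guarantee.

```python
"""Triage CloudTrail records without relying on the readOnly flag alone.

Added example for this thread; not code from the question, the answer, or AWS.
Sample records are constructed. The Get/List/Describe/Head prefix list is an
assumed heuristic based on the usual AWS action naming pattern.
"""
import json

# Constructed sample records. The first mirrors the event posted in the question.
SAMPLE_RECORDS = [
    {
        "eventVersion": "1.08",
        "eventTime": "2023-04-21T14:33:23Z",
        "eventSource": "guardduty.amazonaws.com",
        "eventName": "GetRemainingFreeTrialDays",
        "requestParameters": {"detectorId": "", "accountIds": ["", "****"]},
        "readOnly": False,
        "eventType": "AwsApiCall",
        "managementEvent": True,
        "eventCategory": "Management",
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2023-04-21T14:35:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "readOnly": True,
        "eventType": "AwsApiCall",
        "managementEvent": True,
        "eventCategory": "Management",
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2023-04-21T14:36:10Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "readOnly": False,
        "eventType": "AwsApiCall",
        "managementEvent": True,
        "eventCategory": "Management",
    },
]

# Assumed heuristic: action names with these prefixes are normally read-style.
READ_LIKE_PREFIXES = ("Get", "List", "Describe", "Head")


def sample_log_text() -> str:
    """Serialize the constructed records in the envelope CloudTrail log files use."""
    return json.dumps({"Records": SAMPLE_RECORDS})


def parse_records(text: str) -> list:
    """Accept either a single record or a {"Records": [...]} log-file envelope."""
    data = json.loads(text)
    if isinstance(data, dict) and "Records" in data:
        return list(data["Records"])
    return [data]


def looks_read_like(event_name: str) -> bool:
    return event_name.startswith(READ_LIKE_PREFIXES)


def classify(record: dict) -> str:
    """Return 'drop', 'review' or 'keep' for one CloudTrail record.

    drop   : the service marked the call readOnly; safe to filter out.
    review : readOnly is false (or absent) but the action name is read-like,
             the inconsistent case from the question; surface it rather than
             guess either way.
    keep   : a non-read-only call with a mutating-style name; always keep.
    """
    name = record.get("eventName", "")
    if record.get("readOnly") is True:
        return "drop"
    if looks_read_like(name):
        return "review"
    return "keep"


def triage(records: list) -> dict:
    """Bucket records by classification, returning event names per bucket."""
    buckets = {"drop": [], "review": [], "keep": []}
    for record in records:
        buckets[classify(record)].append(record.get("eventName", ""))
    return buckets


if __name__ == "__main__":
    result = triage(parse_records(sample_log_text()))
    for bucket, names in result.items():
        print(f"{bucket:>6}: {', '.join(names) or '-'}")
```

Running it against the constructed input drops `ListBuckets`, keeps `AttachUserPolicy`, and sends `GetRemainingFreeTrialDays` to the review bucket, which is the behaviour the thread argues for: the flag is authoritative when it says `true`, but a `false` on a `Get*` call deserves a look rather than an automatic decision.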
