How to get resource referenced from the CloudTrail log

0
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAV4B5HOXQNKHTNXV6O",
        "arn": "arn:aws:iam::403855341000:user/rahul.shah",
        "accountId": "403855341000",
        "accessKeyId": "ASIAV4B5HOXQF7USP2V4",
        "userName": "rahul.shah",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-08-23T04:50:55Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2022-08-23T08:34:31Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "CreateBucket",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "103.108.207.58",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketName": "rahul-test-1",
        "Host": "s3.amazonaws.com",
        "x-amz-object-ownership": "BucketOwnerEnforced"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "XaSiP6kwzBYfi8KGWMNM4DQy31Lce6qRBVc+gbD/rXg7W53uzT5Q1fmo6tL0f/yj9mFTk8eZQYQ=",
        "bytesTransferredOut": 0
    },
    "requestID": "0WKZRVANGE15WRYG",
    "eventID": "d89d952c-68b8-4c39-bdd1-67b6b92e0b4f",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "403855341000",
    "vpcEndpointId": "vpce-f40dc59d",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.amazonaws.com"
    }
}

There are events which does not give resource

  • null is obtained in responseElements
  • actual resource arn won't be available in requestParameters

Is there any way to get actual resource in above types of scenarios?

1回答
0

You can usually infer the resource from the contents of requestParameters or in the responseElements, but the contents will vary widely depending on the API call. There is no single attribute in the CloudTrail output that always indicates which resource(s) are related.

profile picture
エキスパート
bwhaley
回答済み 1年前
  • Inferring from your answer, do we have to manually map the attribute for different type of events. For example:

    1. CreateBucket: requestParameters.bucketName (name will be obtained and not an ARN)

    2. GetBucketAcl "requestParameters": { "bucketName": "aws-cloudtrail-logs-21748-f0b24d76", "Host": "aws-cloudtrail-logs-21748-f0b24d76.s3.us-east-1.amazonaws.com", "acl": "" }, "responseElements": null,

      requestParameters.bucketName (name will be obtained and not an ARN)

    3. AttachRolePolicy "requestParameters": { "roleName": "s3crr_role_for_poc-s3_3", "policyArn": "arn:aws:iam::40385534:policy/service-role/s3crr_for_poc-s3_a3a10f" }, "responseElements": null,

      requestParameters.policyArn will be obtained but (roleName will be obtained and not an ARN of role)

    Is there any way to get exact arn of resources??

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ