I want to know why the responseElements in some AWS CloudTrail events for AWS Secrets Manager contain "aRN" instead of "arn".
Short description
This is a known issue for the following Secrets Manager APIs:
- CancelRotateSecret
- DeleteResourcePolicy
- DeleteSecret
- PutResourcePolicy
- RemoveRegionsFromReplication
- ReplicateSecretToRegions
- RestoreSecret
- RotateSecret
- StopReplicationToReplica
- UpdateSecretVersionStage
In January 2024, Secrets Manager will standardize the response element for secret ARN to "arn" in CloudTrail events for all Secrets Manager APIs.
Resolution
When your logic reads the secret ARN from the responseElements of CloudTrail events for Secrets Manager, match on both "arn" and "aRN". For an example, see Match AWS Secrets Manager events with Amazon EventBridge.
The following JSON shows an example of the CloudTrail event for DeleteSecret before January 2024 (string values are blanked; recoveryWindowInDays, readOnly and managementEvent carry representative values so the example parses as valid JSON):
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "",
    "arn": "",
    "accountId": "",
    "accessKeyId": "",
    "sessionContext": {
      "sessionIssuer": {
        "type": "",
        "principalId": "",
        "arn": "",
        "accountId": "",
        "userName": ""
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "",
        "mfaAuthenticated": ""
      }
    }
  },
  "eventTime": "",
  "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "DeleteSecret",
  "awsRegion": "",
  "sourceIPAddress": "",
  "userAgent": "",
  "requestParameters": {
    "secretId": "",
    "recoveryWindowInDays": 30
  },
  "responseElements": {
    "aRN": "",
    "name": "",
    "deletionDate": ""
  },
  "requestID": "",
  "eventID": "",
  "readOnly": false,
  "eventType": "",
  "managementEvent": true,
  "recipientAccountId": "",
  "eventCategory": "",
  "tlsDetails": {
    "tlsVersion": "",
    "cipherSuite": "",
    "clientProvidedHostHeader": ""
  },
  "sessionCredentialFromConsole": ""
}
The following JSON shows an example of the CloudTrail event for DeleteSecret after January 2024; the only difference is the "arn" key in responseElements (placeholder values as above):
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "",
    "arn": "",
    "accountId": "",
    "accessKeyId": "",
    "sessionContext": {
      "sessionIssuer": {
        "type": "",
        "principalId": "",
        "arn": "",
        "accountId": "",
        "userName": ""
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "",
        "mfaAuthenticated": ""
      }
    }
  },
  "eventTime": "",
  "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "DeleteSecret",
  "awsRegion": "",
  "sourceIPAddress": "",
  "userAgent": "",
  "requestParameters": {
    "secretId": "",
    "recoveryWindowInDays": 30
  },
  "responseElements": {
    "arn": "",
    "name": "",
    "deletionDate": ""
  },
  "requestID": "",
  "eventID": "",
  "readOnly": false,
  "eventType": "",
  "managementEvent": true,
  "recipientAccountId": "",
  "eventCategory": "",
  "tlsDetails": {
    "tlsVersion": "",
    "cipherSuite": "",
    "clientProvidedHostHeader": ""
  },
  "sessionCredentialFromConsole": ""
}
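The following Python is an added example, not code from AWS or from this article, showing how a log-processing or detection pipeline can apply the resolution above: read the secret ARN from responseElements under either "arn" or "aRN", normalize events at ingestion so downstream rules only see one key, and collect the ARNs of secrets scheduled for deletion from a batch of events. The three sample events are constructed for the example (the account ID 111122223333 and the secret names are placeholders, not real resources); they mirror the two DeleteSecret shapes shown above plus one unrelated read-only event.

```python
import json
from typing import Iterable, Optional

# Both spellings of the secret ARN key that Secrets Manager has emitted in
# CloudTrail responseElements; the standardized form is checked first.
SECRET_ARN_KEYS = ("arn", "aRN")

# Constructed sample events (not real CloudTrail records): one in the
# pre-2024 shape with "aRN", one in the standardized shape with "arn", and
# one read-only event that carries no responseElements at all.
SAMPLE_EVENTS = [
    {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "DeleteSecret",
        "responseElements": {
            "aRN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:legacy-AbCdEf",
            "name": "legacy",
            "deletionDate": "2023-12-01T00:00:00Z",
        },
    },
    {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "DeleteSecret",
        "responseElements": {
            "arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:modern-GhIjKl",
            "name": "modern",
            "deletionDate": "2024-02-01T00:00:00Z",
        },
    },
    {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "responseElements": None,
    },
]


def secret_arn(event: dict) -> Optional[str]:
    """Return the secret ARN from responseElements under either key, or None."""
    response = event.get("responseElements") or {}
    for key in SECRET_ARN_KEYS:
        value = response.get(key)
        if value:
            return value
    return None


def normalize_event(event: dict) -> dict:
    """Return a copy of the event whose responseElements use only "arn".

    Apply this once at ingestion so every downstream rule can match on the
    standardized key alone; the input event is left untouched.
    """
    normalized = json.loads(json.dumps(event))  # deep copy via JSON round-trip
    response = normalized.get("responseElements")
    if isinstance(response, dict) and "aRN" in response:
        response.setdefault("arn", response["aRN"])
        del response["aRN"]
    return normalized


def deleted_secret_arns(events: Iterable[dict]) -> list:
    """ARNs of secrets scheduled for deletion, regardless of key spelling."""
    return [
        arn
        for event in events
        if event.get("eventSource") == "secretsmanager.amazonaws.com"
        and event.get("eventName") == "DeleteSecret"
        and (arn := secret_arn(event)) is not None
    ]


if __name__ == "__main__":
    for arn in deleted_secret_arns(SAMPLE_EVENTS):
        print("secret scheduled for deletion:", arn)
```

The same two-key approach applies to any matching rule, including an EventBridge event pattern, until every record in your retained CloudTrail history post-dates the January 2024 change; normalizing at ingestion keeps that special case out of individual rules.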
Related information
AWS CloudTrail entries for Secrets Manager