How to get resource referenced from the CloudTrail log

Question

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAV4B5HOXQNKHTNXV6O",
        "arn": "arn:aws:iam::403855341000:user/rahul.shah",
        "accountId": "403855341000",
        "accessKeyId": "ASIAV4B5HOXQF7USP2V4",
        "userName": "rahul.shah",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-08-23T04:50:55Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2022-08-23T08:34:31Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "CreateBucket",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "103.108.207.58",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketName": "rahul-test-1",
        "Host": "s3.amazonaws.com",
        "x-amz-object-ownership": "BucketOwnerEnforced"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "XaSiP6kwzBYfi8KGWMNM4DQy31Lce6qRBVc+gbD/rXg7W53uzT5Q1fmo6tL0f/yj9mFTk8eZQYQ=",
        "bytesTransferredOut": 0
    },
    "requestID": "0WKZRVANGE15WRYG",
    "eventID": "d89d952c-68b8-4c39-bdd1-67b6b92e0b4f",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "403855341000",
    "vpcEndpointId": "vpce-f40dc59d",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.amazonaws.com"
    }
}
```
There are events which does not give resource
* null is obtained in `responseElements`
* actual resource arn won't be available in `requestParameters`

Is there any way to get actual resource in above types of scenarios?

Answer

You can usually infer the resource from the contents of `requestParameters` or in the `responseElements`, but the contents will vary widely depending on the API call. There is no single attribute in the CloudTrail output that always indicates which resource(s) are related.

How to get resource referenced from the CloudTrail log

관련 콘텐츠