How to get resource referenced from the CloudTrail log

1

In many of the CloudTrail events, we are not getting the 'Resources' field, which indicates which resources are being accessed in this particular event. However, if I look at that event in the CloudTrail event history dashboard, I find the table below (attached image), which gives the resources referenced even though there is no resource field present in the raw log. So, my question is: how can I get this information from the log? In some way AWS is able to populate this table, but that information is not directly available in the raw log.


{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "[myPrincipalId]:ElasticLoadBalancing",
        "arn": "arn:aws:sts::[myAccountId]:assumed-role/AWSServiceRoleForElasticLoadBalancing/ElasticLoadBalancing",
        "accountId": "[myAccountId]",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "[myPrincipalId]",
                "arn": "arn:aws:iam::[myAccountId]:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
                "accountId": "[myAccountId]",
                "userName": "AWSServiceRoleForElasticLoadBalancing"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-08-20T07:27:43Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "elasticloadbalancing.amazonaws.com"
    },
    "eventTime": "2022-08-20T07:27:43Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateNetworkInterface",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "elasticloadbalancing.amazonaws.com",
    "userAgent": "elasticloadbalancing.amazonaws.com",
    "requestParameters": {
        "subnetId": "subnet-0a428ff2dcf4e896b",
        "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
        "groupSet": {
            "items": [
                {
                    "groupId": "sg-07408d67d3878fd4e"
                }
            ]
        },
        "privateIpAddressesSet": {},
        "ipv6AddressCount": 0,
        "clientToken": "4f7000ef-6927-4cb1-88ad-37609dd52a37"
    },
    "responseElements": {
        "requestId": "46159ac0-6a14-458f-bbf1-60a319754d71",
        "networkInterface": {
            "networkInterfaceId": "eni-009389dca7751c4f9",
            "subnetId": "subnet-0a428ff2dcf4e896b",
            "vpcId": "vpc-069ad83a3f41954ba",
            "availabilityZone": "us-east-1b",
            "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
            "ownerId": "[myAccountId]",
            "requesterId": "amazon-elb",
            "requesterManaged": true,
            "status": "pending",
            "macAddress": "[myMacAddress]",
            "privateIpAddress": "[myPrivateIp]",
            "privateDnsName": "ip-[hereIP].ec2.internal",
            "sourceDestCheck": true,
            "interfaceType": "interface",
            "groupSet": {
                "items": [
                    {
                        "groupId": "sg-07408d67d3878fd4e",
                        "groupName": "load-test-neptune-db"
                    }
                ]
            },
            "privateIpAddressesSet": {
                "item": [
                    {
                        "privateIpAddress": "[myPrivateIp]",
                        "privateDnsName": "ip-[hereIP].ec2.internal",
                        "primary": true
                    }
                ]
            },
            "ipv6AddressesSet": {},
            "tagSet": {}
        }
    },
    "requestID": "46159ac0-6a14-458f-bbf1-60a319754d71",
    "eventID": "d83cfd17-864a-478b-80f8-2f95c28eaef8",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "[myAccountId]",
    "eventCategory": "Management"
}
1 answer
1

It is not available directly from the raw log. You can get the list of resources referenced with the resource type and name by downloading the CloudTrail Event History. Kindly note that event history only shows the last 90 days of management events.

Information on how to download the event history is available here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html#downloading-events

joahna
answered 2 years ago
  • Thanks! But if we download this, then when we check the logs we will still not have this additional data of resources referenced, because resources referenced is a kind of derived data (they call the event lookup API with a particular eventId). So the question is, how are they able to do this when we don't have anything in the raw log from which we can derive this data? If I want to do the same, one way would be to write a custom parser/aggregator, which is not feasible at all for each event.

  • Is there any approach to getting resources? Or should a parser be written for 12K events?
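As an added example (not code from the question, the answer or AWS), here is the kind of "custom parser/aggregator" the comment above mentions, plus a thin wrapper around the CloudTrail LookupEvents API that returns the derived `Resources` list for a single eventId. It walks only `requestParameters` and `responseElements` of a raw event and picks out values that look like EC2 resource ids or ARNs, so an investigator can build a resources-referenced table from delivered logs without the 90-day event-history limit. The sample event is a trimmed copy of the one in the question, the resource type strings in `ID_PREFIXES` are my own labels (not an AWS-published mapping), and `FakeCloudTrailClient` is a constructed stand-in for a boto3 `cloudtrail` client so the block runs offline.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample: a trimmed copy of the CreateNetworkInterface event from the question.
SAMPLE_EVENT: Dict[str, Any] = json.loads(r'''
{
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateNetworkInterface",
  "eventID": "d83cfd17-864a-478b-80f8-2f95c28eaef8",
  "requestParameters": {
    "subnetId": "subnet-0a428ff2dcf4e896b",
    "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
    "groupSet": {"items": [{"groupId": "sg-07408d67d3878fd4e"}]}
  },
  "responseElements": {
    "networkInterface": {
      "networkInterfaceId": "eni-009389dca7751c4f9",
      "subnetId": "subnet-0a428ff2dcf4e896b",
      "vpcId": "vpc-069ad83a3f41954ba",
      "groupSet": {"items": [{"groupId": "sg-07408d67d3878fd4e", "groupName": "load-test-neptune-db"}]}
    }
  }
}
''')

# Assumed mapping of EC2 id prefixes to a resource type label (my own labels, not AWS's list).
ID_PREFIXES = {
    "subnet-": "AWS::EC2::Subnet",
    "sg-": "AWS::EC2::SecurityGroup",
    "vpc-": "AWS::EC2::VPC",
    "eni-": "AWS::EC2::NetworkInterface",
    "i-": "AWS::EC2::Instance",
    "vol-": "AWS::EC2::Volume",
}
ID_RE = re.compile(r"^(" + "|".join(re.escape(p) for p in ID_PREFIXES) + r")[0-9a-f]{8,17}$")
# arn:partition:service:region:account:resource  (region and account may be empty)
ARN_RE = re.compile(r"^arn:aws[a-z\-]*:([a-z0-9\-]+):[a-z0-9\-]*:\d{0,12}:(.+)$")


def walk_strings(node: Any) -> Iterator[str]:
    """Yield every string value nested anywhere under node (dicts, lists, scalars)."""
    if isinstance(node, dict):
        for v in node.values():
            yield from walk_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk_strings(v)
    elif isinstance(node, str):
        yield node


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Return (resource_type, resource_name) if value looks like an EC2 id or an ARN."""
    m = ID_RE.match(value)
    if m:
        return ID_PREFIXES[m.group(1)], value
    m = ARN_RE.match(value)
    if m:
        return "arn:" + m.group(1), value
    return None


def resources_referenced(event: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Distinct resource references from requestParameters and responseElements, in order of
    first appearance. userIdentity is skipped on purpose: its ARN is the caller, not a target."""
    seen: List[Tuple[str, str]] = []
    for section in ("requestParameters", "responseElements"):
        for s in walk_strings(event.get(section) or {}):
            hit = classify(s)
            if hit and hit not in seen:
                seen.append(hit)
    return seen


def lookup_resources(event_id: str, client: Any) -> List[Tuple[str, str]]:
    """Fetch the derived Resources list for one event via LookupEvents (what the console uses).
    client is a boto3 cloudtrail client, or any object with the same lookup_events signature."""
    resp = client.lookup_events(
        LookupAttributes=[{"AttributeKey": "EventId", "AttributeValue": event_id}],
        MaxResults=1,
    )
    return [(r.get("ResourceType", ""), r.get("ResourceName", ""))
            for ev in resp.get("Events", []) for r in ev.get("Resources", [])]


class FakeCloudTrailClient:
    """Constructed offline stand-in returning the shape boto3's lookup_events produces."""
    def lookup_events(self, **kwargs: Any) -> Dict[str, Any]:
        wanted = kwargs["LookupAttributes"][0]["AttributeValue"]
        if wanted != SAMPLE_EVENT["eventID"]:
            return {"Events": []}
        return {"Events": [{"EventId": wanted, "Resources": [
            {"ResourceType": "AWS::EC2::NetworkInterface", "ResourceName": "eni-009389dca7751c4f9"}]}]}


if __name__ == "__main__":
    for rtype, rname in resources_referenced(SAMPLE_EVENT):
        print(f"{rtype:32} {rname}")
    print(lookup_resources(SAMPLE_EVENT["eventID"], FakeCloudTrailClient()))
```

Run it against each record in a delivered log file (`json.load(f)["Records"]`) to aggregate references per account and region; swap `FakeCloudTrailClient()` for `boto3.client("cloudtrail")` to compare the local parse with the service's own derived list for events still inside the 90-day window.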
