1 Answer
Hello,
The issue you're facing is that CloudTrail captures the ListProfileObjects
event, but EventBridge might not have a predefined pattern for it.
1. Use a broader pattern in EventBridge:
- Instead of specifying `"eventName": "ListProfileObjects"`, use a wildcard character `*` to match any event name starting with `"ListProfileObjects"`. This will capture all ListProfileObjects events, including variations.

The updated pattern:

```json
{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"],
    "eventName": [{ "wildcard": "ListProfileObjects*" }]
  }
}
```
2. Use CloudTrail Lake with Lambda Function:
- If you need more granular control or want to process specific details within the `ListProfileObjects` event, consider using CloudTrail Lake.
- CloudTrail Lake stores CloudTrail events in a data lake format (e.g., S3 bucket with Parquet files).
- You can create a Lambda function triggered by changes in the S3 bucket where CloudTrail Lake stores events.
- Inside the Lambda function, you can parse the CloudTrail event data (using a library like PyArrow) and identify events based on eventName or other relevant fields. This allows for more flexibility in filtering and processing events.
**Referral Links:**
EventBridge Patterns: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html
CloudTrail Lake: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html
Using Lambda with S3: https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html
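
A local check of the pattern in option 1, added here as an example and not part of the original answer: in an EventBridge event pattern a bare string is compared literally, so `*` only acts as a wildcard inside a `{"wildcard": ...}` entry (`{"prefix": ...}` is the other way to match a leading string). The matcher models only exact, prefix and wildcard matching; `SAMPLE_EVENT`, `matches` and `pattern_for` are names made up for this sketch.

```python
import re

# Constructed sample: a trimmed CloudTrail-via-EventBridge event (not real log data).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "profile.amazonaws.com",
        "eventName": "ListProfileObjects",
    },
}

def _value_matches(rule, value):
    """Match one entry of a pattern array against one event value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "wildcard" in rule:
            # '*' matches any run of characters; everything else is literal.
            regex = ".*".join(re.escape(p) for p in rule["wildcard"].split("*"))
            return isinstance(value, str) and re.fullmatch(regex, value) is not None
        raise ValueError(f"operator not modelled in this sketch: {rule}")
    return rule == value  # bare entries are exact, case-sensitive comparisons

def matches(pattern, event):
    """True if every field named in the pattern exists in the event and matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not any(_value_matches(rule, event[key]) for rule in expected):
            return False
    return True

def pattern_for(event_name_rule):
    """Build the rule pattern with one candidate eventName entry."""
    return {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["profile.amazonaws.com"],
                   "eventName": [event_name_rule]},
    }

if __name__ == "__main__":
    for rule in ("ListProfileObjects*", {"wildcard": "ListProfileObjects*"},
                 {"prefix": "ListProfileObjects"}, "ListProfileObjects"):
        print(rule, "->", matches(pattern_for(rule), SAMPLE_EVENT))
```
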
I can see the event in CloudTrail, but it is not showing when I put it in rules; only search profile is showing, but "KeyName": "_profileId" profile ID is hidden.

OK, then try this:

Include wildcard for profile ID: If the profileId is variable, use a wildcard (`*`) in the event pattern to capture any value.

```json
{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"],
    "eventName": ["ListProfileObjects"],
    "requestParameters": {
      "KeyName": ["_profileId"]
    }
  }
}
```

CloudTrail Event Format:
Hello @NARRAVULA,
Still can't get it. I tried using only the code below (Code 1) to see if I can get all APIs in profile.amazon, but sadly only SearchProfiles and UpdateProfiles are being caught, so I am now not sure if ListProfileObjects is a private API or something?

But my real goal is to get the profile ID. I ended up on ListProfileObjects because it shows the profile ID, unlike SearchProfiles, which shows only Code 2.

Code 1

```json
{
  "source": ["profile.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["profile.amazonaws.com"]
  }
}
```

Code 2 (This is on SearchProfiles)

```json
"requestParameters": {
  "KeyName": "_profileId",
  "max-results": "10",
  "DomainName": "amazon-connect-icxeed-client",
  "Values": "***"
}
```
CloudTrail might be missing info.
You're not seeing all the API calls you expect. Check CloudTrail settings and make sure it's recording everything.
Focus on getting the Profile ID:
Try looking for the Profile ID in other API calls or use a different tool to get it if needed.
Adjust EventBridge Rule:

```json
{
  "source": ["aws.profile"],
  "detail-type": ["AWS API Call via CloudTrail"]
}
```