Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How to get resource referenced from the CloudTrail log

0
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAV4B5HOXQNKHTNXV6O",
        "arn": "arn:aws:iam::403855341000:user/rahul.shah",
        "accountId": "403855341000",
        "accessKeyId": "ASIAV4B5HOXQF7USP2V4",
        "userName": "rahul.shah",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-08-23T04:50:55Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2022-08-23T08:34:31Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "CreateBucket",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "103.108.207.58",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketName": "rahul-test-1",
        "Host": "s3.amazonaws.com",
        "x-amz-object-ownership": "BucketOwnerEnforced"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "XaSiP6kwzBYfi8KGWMNM4DQy31Lce6qRBVc+gbD/rXg7W53uzT5Q1fmo6tL0f/yj9mFTk8eZQYQ=",
        "bytesTransferredOut": 0
    },
    "requestID": "0WKZRVANGE15WRYG",
    "eventID": "d89d952c-68b8-4c39-bdd1-67b6b92e0b4f",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "403855341000",
    "vpcEndpointId": "vpce-f40dc59d",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.amazonaws.com"
    }
}

There are events which does not give resource

  • null is obtained in responseElements
  • actual resource arn won't be available in requestParameters

Is there any way to get actual resource in above types of scenarios?

Topics
Management & GovernanceSecurity, Identity, & Compliance
Tags
Management & GovernanceSecurity, Identity, & Compliance
Language
English
asked 3 years ago483 views
1 Answer
0

You can usually infer the resource from the contents of requestParameters or in the responseElements, but the contents will vary widely depending on the API call. There is no single attribute in the CloudTrail output that always indicates which resource(s) are related.

EXPERT
answered 3 years ago
  • rePost-User-2385204
    3 years ago

    Inferring from your answer, do we have to manually map the attribute for different type of events. For example:

    1. CreateBucket: requestParameters.bucketName (name will be obtained and not an ARN)

    2. GetBucketAcl "requestParameters": { "bucketName": "aws-cloudtrail-logs-21748-f0b24d76", "Host": "aws-cloudtrail-logs-21748-f0b24d76.s3.us-east-1.amazonaws.com", "acl": "" }, "responseElements": null,

      requestParameters.bucketName (name will be obtained and not an ARN)

    3. AttachRolePolicy "requestParameters": { "roleName": "s3crr_role_for_poc-s3_3", "policyArn": "arn:aws:iam::40385534:policy/service-role/s3crr_for_poc-s3_a3a10f" }, "responseElements": null,

      requestParameters.policyArn will be obtained but (roleName will be obtained and not an ARN of role)

    Is there any way to get exact arn of resources??

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content