Cannot see unauthorized API calls in CloudTrail

0

Dear Experts,

Is it possible to see failed/unauthorized API calls in CloudTrail without using Athena or CloudWatch?

Currently I am making the call below from an EC2 instance intentionally to check if it appears in the log, and it doesn't. I can successfully see the aws iam list-users call in the logs but not the unauthorized one. (Instance ID changed on purpose.)

sudo aws ec2 modify-instance-attribute --instance-id i-1234 --block-device-mappings "[{"DeviceName": "/dev/sda1","Ebs":{"DeleteOnTermination":false}}]"

asked 9 months ago · 808 views
3 Answers
1

First of all, the right syntax for the command is as below:

 aws ec2 modify-instance-attribute --instance-id <instance_id> --block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"DeleteOnTermination\":false}}]" --profile <cli_profile_name> --region <region_name>

Refer to the modify-instance-attribute CLI command for more details.

Since you mentioned that you don't want to use Athena or CloudWatch, here is how you can see it directly from the CloudTrail console:

  1. Go to the CloudTrail Console
  2. Click Event History in the left pane
  3. Lookup Attribute: Event Name
  4. Lookup value: ModifyInstanceAttribute

This will give you all the succeeded and failed attempts at modifying instance attributes. I'm attaching a couple of snapshots for your reference to show how it would appear in CloudTrail:


In the second snapshot, you can see that my attempts to modify the instance attribute failed, but they are logged with the event name "ModifyInstanceAttribute"; I knowingly let them fail. Note that a successful event will also have the same event name; you just need to check the event detail to see whether it succeeded or not. Also note the error code, for additional context.

Sorry for the small font in the snapshot, but to fit it into a single screen I had to take the snapshot this way. You can zoom your browser window to see the snapshot more clearly.

Hope you find this information useful.

Comment here if you have additional questions.

Happy to help.

Abhishek

AWS EXPERT
answered 9 months ago
  • Do you have additional questions, happy to help.

  • Is there a bug or something? Because yesterday, after posting this question, I was able to see the failed attempts. Today I am trying again but couldn't see the failed attempts for ModifyInstanceAttribute.

  • No, to the best of my knowledge there is no bug. I still see yesterday's failed attempt in the CloudTrail console. Can you make sure you are checking the correct time window in which you attempted this action and it failed?

  • Do you have any further questions, happy to help.

0

In fact you can see that error in CloudTrail without using Athena.

Command: aws ec2 modify-instance-attribute --instance-id i-1234 --block-device-mappings '[{"DeviceName": "/dev/sda1","Ebs":{"DeleteOnTermination":false}}]'

In CloudTrail you can find it with the filter Event Source = ec2.amazonaws.com. You will see it with the error code Client.InvalidInstanceID.NotFound.

answered 9 months ago
0

Following this page, you can search the CloudTrail logs: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html. Search for the error message using SQL to match AccessDenied:

SELECT
 useridentity.arn,
 eventname,
 sourceipaddress,
 eventtime
FROM cloudtrail_logs
WHERE errorcode = 'AccessDenied'
LIMIT 100;

To do this without Athena, you can turn on the Error Code column and manually search for the error, or download the CSV/JSON and search it.

You can use the CLI to search; be sure to adjust the max-items or specify a timeline, and ensure you are in the CORRECT region.

# errorCode is inside the CloudTrailEvent JSON string of each event, so parse it with fromjson
aws cloudtrail lookup-events --max-items 500 | jq '.Events[] | select((.CloudTrailEvent | fromjson).errorCode == "AccessDenied")'
EXPERT
answered 9 months ago
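As an added example (not from any of the answers above), the same failed-call filter done in Python on lookup-events output: the errorCode sits inside the CloudTrailEvent JSON string, not at the top level of each event, so it has to be parsed out before filtering. The sample records are constructed; fetch_events is an assumed live helper that needs boto3 and credentials.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `aws cloudtrail lookup-events` / boto3 lookup_events
# returns: the detail record (with errorCode) is a JSON *string* under CloudTrailEvent.
def _record(name, source, time, **extra):
    """Build one constructed lookup-events entry; detail is serialised like the real API."""
    detail = {"eventTime": time, "eventName": name, "sourceIPAddress": "198.51.100.10",
              "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"}, **extra}
    return {"EventName": name, "EventSource": source, "CloudTrailEvent": json.dumps(detail)}

SAMPLE_EVENTS = [  # constructed: two failures and one success, as in the question
    _record("ModifyInstanceAttribute", "ec2.amazonaws.com", "2024-01-01T10:00:00Z",
            errorCode="Client.InvalidInstanceID.NotFound",
            errorMessage="The instance ID 'i-1234' does not exist"),
    _record("ModifyInstanceAttribute", "ec2.amazonaws.com", "2024-01-01T10:05:00Z",
            errorCode="AccessDenied", errorMessage="User is not authorized"),
    _record("ListUsers", "iam.amazonaws.com", "2024-01-01T10:06:00Z"),  # succeeded: no errorCode
]

def failed_events(events, error_codes=None):
    """Summarise events whose detail record carries an errorCode (any code, or only
    those in `error_codes`). Successful calls have no errorCode field at all."""
    rows = []
    for ev in events:
        detail = json.loads(ev["CloudTrailEvent"])
        code = detail.get("errorCode")
        if not code or (error_codes and code not in error_codes):
            continue
        rows.append({"eventTime": detail.get("eventTime"),
                     "eventName": detail.get("eventName", ev.get("EventName")),
                     "errorCode": code, "errorMessage": detail.get("errorMessage"),
                     "arn": detail.get("userIdentity", {}).get("arn"),
                     "sourceIPAddress": detail.get("sourceIPAddress")})
    return rows

def fetch_events(event_name, hours=24, region=None):
    """Assumed live helper: page through Event History for one API name over a bounded
    time window, in the region where the call was made (Event History is per region)."""
    import boto3  # imported lazily so the offline parsing above needs no SDK
    end = datetime.now(timezone.utc)
    paginator = boto3.client("cloudtrail", region_name=region).get_paginator("lookup_events")
    pages = paginator.paginate(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": event_name}],
        StartTime=end - timedelta(hours=hours), EndTime=end)
    return [ev for page in pages for ev in page["Events"]]

if __name__ == "__main__":
    for row in failed_events(SAMPLE_EVENTS): print(row)
```

Against a live account, `failed_events(fetch_events("ModifyInstanceAttribute"), {"AccessDenied"})` returns only the denied attempts from the last 24 hours.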
