CloudTrail event guardduty.amazonaws.com : GetRemainingFreeTrialDays not readOnly

0

I'm working on analyzing CloudTrail events as they come in and when I was setting up a filter (ignore events that are readOnly) I was surprised to see the above events coming through. Is that something that should be marked as readOnly or is it doing something I'm not aware of? Thanks...

{
    "eventVersion" : "1.08",
    "eventTime" : "2023-04-21T14:33:23Z",
    "eventSource" : "guardduty.amazonaws.com",
    "eventName" : "GetRemainingFreeTrialDays",
    "requestParameters" : {
        "detectorId" : "",
        "accountIds" : [ "", "****" ]
    },
    "readOnly" : false,
    "eventType" : "AwsApiCall",
    "managementEvent" : true,
    "eventCategory" : "Management"
}
1 Answer
0

The readOnly field in a CloudTrail event is a Boolean value that indicates whether the API call made was a read-only operation or not. In the case of the event you provided, the readOnly field is set to false, which means that the API call was not a read-only operation.

However, not all API calls are marked as read-only, even if they don't modify any resources. The AWS API is designed to be flexible, and some API calls may not fit neatly into the read-only or write category. For example, the GetRemainingFreeTrialDays API call you provided may not modify any resources, but it still provides information about the account's free trial, which could be considered a non-read-only operation.

It's generally a good practice to filter out CloudTrail events that are read-only, as they are less likely to be associated with security issues. However, as you have noticed, not all events that don't modify resources are marked as read-only. So, it's important to use your judgement and take into account the specific API being called and the context in which it's being used.

Manu
answered a year ago
  • I think I agree with most of this, but probably not the conclusion in this case. An API call often either effects a change to data or system state or something or it doesn't. But I can imagine there are some cases that are a bit fuzzier. But in this case, I'm not sure how that can apply since it is a "get" request and I can't see what data or system state would be changing because of it.

    But, it's not a big deal in any way, just seems confusing.
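One way to build the filter discussed above so that a readOnly=false "Get" call such as GetRemainingFreeTrialDays is kept for low-priority review instead of being treated like a mutating call. This is an added example, not code from the question or the answer; the verb-prefix heuristic and the trimmed sample records are assumptions constructed for illustration.

```python
import json

# Verb prefixes AWS uses for non-mutating API names. A record that carries one of
# these but is still readOnly=false is flagged for review rather than dropped or escalated.
READ_VERBS = ("Get", "Describe", "List")


def classify(event: dict) -> str:
    """Return 'read_only', 'suspect_read' or 'mutating' for one CloudTrail record."""
    if event.get("readOnly") is True:
        return "read_only"
    name = event.get("eventName", "")
    if name.startswith(READ_VERBS):
        # Looks like a read, but CloudTrail did not mark it readOnly
        # (the GetRemainingFreeTrialDays case): keep it, route it to a low-priority queue.
        return "suspect_read"
    return "mutating"


def triage(records: list) -> dict:
    """Group event names by classification; readOnly events are dropped from the result."""
    out = {"suspect_read": [], "mutating": []}
    for rec in records:
        cat = classify(rec)
        if cat != "read_only":
            out[cat].append(f'{rec["eventSource"]}:{rec["eventName"]}')
    return out


# Constructed sample records (trimmed to the fields the filter needs);
# the first mirrors the GuardDuty event quoted in the question.
SAMPLE = [
    {"eventSource": "guardduty.amazonaws.com", "eventName": "GetRemainingFreeTrialDays", "readOnly": False},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "ListDetectors", "readOnly": True},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "CreateDetector", "readOnly": False},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```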
