How to get resource referenced from the CloudTrail log

1

In many of the CloudTrail events, we are not getting the 'Resources' field, which indicates which resources are being accessed in this particular event. However, if I look at that event in the CloudTrail event history dashboard, I find the table below (attached image), which gives the resource referenced details even though there is no resource field present in the raw log. So, my question is: how can I get this information from the log? Because in some way AWS is able to populate this table, but that information is not directly available in the raw log.


{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "[myPrincipalId]:ElasticLoadBalancing",
        "arn": "arn:aws:sts::[myAccountId]:assumed-role/AWSServiceRoleForElasticLoadBalancing/ElasticLoadBalancing",
        "accountId": "[myAccountId]",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "[myPrincipalId]",
                "arn": "arn:aws:iam::[myAccountId]:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
                "accountId": "[myAccountId]",
                "userName": "AWSServiceRoleForElasticLoadBalancing"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-08-20T07:27:43Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "elasticloadbalancing.amazonaws.com"
    },
    "eventTime": "2022-08-20T07:27:43Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateNetworkInterface",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "elasticloadbalancing.amazonaws.com",
    "userAgent": "elasticloadbalancing.amazonaws.com",
    "requestParameters": {
        "subnetId": "subnet-0a428ff2dcf4e896b",
        "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
        "groupSet": {
            "items": [
                {
                    "groupId": "sg-07408d67d3878fd4e"
                }
            ]
        },
        "privateIpAddressesSet": {},
        "ipv6AddressCount": 0,
        "clientToken": "4f7000ef-6927-4cb1-88ad-37609dd52a37"
    },
    "responseElements": {
        "requestId": "46159ac0-6a14-458f-bbf1-60a319754d71",
        "networkInterface": {
            "networkInterfaceId": "eni-009389dca7751c4f9",
            "subnetId": "subnet-0a428ff2dcf4e896b",
            "vpcId": "vpc-069ad83a3f41954ba",
            "availabilityZone": "us-east-1b",
            "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
            "ownerId": "[myAccountId]",
            "requesterId": "amazon-elb",
            "requesterManaged": true,
            "status": "pending",
            "macAddress": "[myMacAddress]",
            "privateIpAddress": "[myPrivateIp]",
            "privateDnsName": "ip-[hereIP].ec2.internal",
            "sourceDestCheck": true,
            "interfaceType": "interface",
            "groupSet": {
                "items": [
                    {
                        "groupId": "sg-07408d67d3878fd4e",
                        "groupName": "load-test-neptune-db"
                    }
                ]
            },
            "privateIpAddressesSet": {
                "item": [
                    {
                        "privateIpAddress": "[myPrivateIp]",
                        "privateDnsName": "ip-[hereIP].ec2.internal",
                        "primary": true
                    }
                ]
            },
            "ipv6AddressesSet": {},
            "tagSet": {}
        }
    },
    "requestID": "46159ac0-6a14-458f-bbf1-60a319754d71",
    "eventID": "d83cfd17-864a-478b-80f8-2f95c28eaef8",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "[myAccountId]",
    "eventCategory": "Management"
}
1 Answer
1

It is not available directly from the raw log. You can get the list of resources referenced with the resource type and name by downloading the CloudTrail Event History. Kindly note that event history only shows the last 90 days of management events.

Information on how to download the event history is available here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html#downloading-events

joahna
answered 2 years ago
  • Thanks! But if we download this, then even if we check the logs, we will not have this additional data of resources referenced, because resources referenced is a kind of derived data (they call the event lookup API with a particular eventId). So the question is, how are they able to do this when we don't have anything in the raw log by which we can derive this data? If I want to do the same, then one way can be by writing a custom parser/aggregator, which is not feasible at all for each event.

  • Is there any approach to getting resources? Or should a parser be written for 12K events?
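The comment above suggests that the only way to reproduce the console's "resources referenced" table from raw logs is a custom parser. The following is an added example of what such a parser looks like; it is not code from the question, the answer, or AWS. It walks the requestParameters and responseElements sections of an event (the only places in the raw record where referenced resources appear), picks out values that look like EC2 resource IDs or ARNs, and returns a table of (type, id, JSON path). The prefix-to-type mapping and the ID regexes are assumptions about AWS identifier formats chosen for this illustration, and the sample event is a trimmed, constructed copy of the CreateNetworkInterface record in the question. How the console itself derives its table is not documented, so treat the output as a best-effort reconstruction, not the authoritative list.

```python
import json
import re

# Constructed sample: a trimmed copy of the CreateNetworkInterface event in the question.
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateNetworkInterface",
    "requestParameters": {
        "subnetId": "subnet-0a428ff2dcf4e896b",
        "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
        "groupSet": {"items": [{"groupId": "sg-07408d67d3878fd4e"}]},
    },
    "responseElements": {
        "requestId": "46159ac0-6a14-458f-bbf1-60a319754d71",
        "networkInterface": {
            "networkInterfaceId": "eni-009389dca7751c4f9",
            "subnetId": "subnet-0a428ff2dcf4e896b",
            "vpcId": "vpc-069ad83a3f41954ba",
            "groupSet": {"items": [{"groupId": "sg-07408d67d3878fd4e",
                                    "groupName": "load-test-neptune-db"}]},
        },
    },
}

# Assumed mapping from EC2 resource-ID prefixes to resource type names.
# Type labels follow the AWS::Service::Type convention but are chosen here for
# readability; extend the table for the services your trail actually logs.
ID_PATTERNS = {
    re.compile(r"^subnet-[0-9a-f]{8,17}$"): "AWS::EC2::Subnet",
    re.compile(r"^sg-[0-9a-f]{8,17}$"): "AWS::EC2::SecurityGroup",
    re.compile(r"^eni-[0-9a-f]{8,17}$"): "AWS::EC2::NetworkInterface",
    re.compile(r"^vpc-[0-9a-f]{8,17}$"): "AWS::EC2::VPC",
}
# Loose ARN shape: arn:partition:service:region:account:resource
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$")


def _walk(node, path=()):
    """Yield (path, value) for every scalar in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, node


def classify(value):
    """Return the resource type for a string that looks like an ID or ARN, else None."""
    if not isinstance(value, str):
        return None
    if ARN_RE.match(value):
        return "ARN"
    for pattern, rtype in ID_PATTERNS.items():
        if pattern.match(value):
            return rtype
    return None


def extract_resources(event):
    """Return sorted (type, id, first_path) rows for one CloudTrail event.

    Only requestParameters and responseElements are scanned; userIdentity holds
    the caller, not the resources the call touched. Duplicates (the same ID in
    both request and response) collapse to the path where it was first seen.
    """
    found = {}
    for section in ("requestParameters", "responseElements"):
        for path, value in _walk(event.get(section) or {}, (section,)):
            rtype = classify(value)
            if rtype and (rtype, value) not in found:
                found[(rtype, value)] = "/".join(path)
    return sorted((t, v, p) for (t, v), p in found.items())


def extract_from_log_file(text):
    """Handle a trail file delivered to S3, which wraps events in {"Records": [...]}."""
    doc = json.loads(text)
    records = doc["Records"] if isinstance(doc, dict) and "Records" in doc else [doc]
    return {rec.get("eventID", str(i)): extract_resources(rec)
            for i, rec in enumerate(records)}


if __name__ == "__main__":
    for rtype, rid, path in extract_resources(SAMPLE_EVENT):
        print(f"{rtype:32} {rid:24} {path}")
```

For 12K events this runs in seconds over the gzipped files a trail delivers to S3, and, unlike the console's event history, it is not limited to the last 90 days. The trade-off is coverage: an ID format the table does not know about (an RDS instance name, an S3 bucket name passed as a bare string) is silently skipped, so review the output for the event names you care about before relying on it in a detection pipeline.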
