
Many AWS Step Functions events in CloudTrail are considered "Management Events", but should be "Data Events"


We use Step Functions pretty extensively in one of our applications. I noticed higher than expected costs in CloudTrail and GuardDuty which caused me to investigate.

It looks like every call to StartExecution, SendTaskHeartbeat, SendTaskSuccess, SendTaskFailure, etc. is considered a "Management Event" inside CloudTrail. Since all of these functions are normal usage of the Step Functions service, I think they should be considered "Data Events", in the same way that regular "usage" of S3, Dynamo, and Lambda API calls is handled.

By being considered "management events", they are causing a large number of events (and cost) in CloudTrail, and similarly in GuardDuty.

Below is a typical event caused by an API call to SendTaskHeartbeat, where you can see "managementEvent": true and "eventCategory": "Management". I believe this should be "managementEvent": false and "eventCategory": "Data".

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxx-04fe38ef50d84dad1",
        "arn": "arn:aws:sts::722537357562:assumed-role/my-role-name/i-x0x4xfxex3x8xex",
        "accountId": "999999999999",
        "accessKeyId": "ASIAXXXXXXXXXXXPB",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROxxxxxxxxxxxxAGI",
                "arn": "arn:aws:iam::999999999999:role/my-role-name",
                "accountId": "999999999999",
                "userName": "my-role-name"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-05-03T19:21:10Z",
                "mfaAuthenticated": "false"
            },
            "ec2RoleDelivery": "2.0"
        }
    },
    "eventTime": "2022-05-03T20:56:18Z",
    "eventSource": "states.amazonaws.com",
    "eventName": "SendTaskHeartbeat",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "3.81.182.218",
    "userAgent": "aws-sdk-php/3.183.13 OS/Linux/5.4.0-1030-aws GuzzleHttp/6.5.5 curl/7.68.0 PHP/7.4.3",
    "requestParameters": {
        "taskToken": "AAAAKgAAAA......AqHoA+2qxXBI="
    },
    "responseElements": null,
    "requestID": "999999999-81de-40bf-8b77-7ccbf0db5fb4",
    "eventID": "999999999-2193-47dd-8e3d-10a5d9e6266d",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "999999999999",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "states.us-east-1.amazonaws.com"
    }
}
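To put a number on the volume the question describes, the script below tallies CloudTrail records per service, event category and event name, and reports what share of a trail's management events come from states.amazonaws.com. It is an added example, not part of the original post: the sample records are constructed (hypothetical account and request IDs) from the shape of the SendTaskHeartbeat event shown above, keeping only the fields the script reads, and load_records() is the hook for feeding it the real gzipped {"Records": [...]} files CloudTrail delivers to S3.

```python
"""Tally CloudTrail records by service and event category, to quantify how much
of a trail's management-event volume comes from AWS Step Functions API calls.

Added example for the question above; not part of the original post. The sample
records are constructed from the shape of the SendTaskHeartbeat event in the
question (hypothetical IDs), keeping only the fields this script reads.
"""
import gzip
import json
from collections import Counter
from typing import Iterable, Iterator, Tuple

STEP_FUNCTIONS = "states.amazonaws.com"


def _rec(source: str, name: str, management: bool, read_only: bool = False) -> dict:
    """Build a constructed record with the fields CloudTrail uses for categorisation."""
    return {
        "eventVersion": "1.08",
        "eventSource": source,
        "eventName": name,
        "readOnly": read_only,
        "eventType": "AwsApiCall",
        "managementEvent": management,
        "eventCategory": "Management" if management else "Data",
        "recipientAccountId": "999999999999",  # placeholder account, as in the question
    }


# Constructed sample: a busy Step Functions worker next to a little IAM and S3 traffic.
SAMPLE_RECORDS = (
    [_rec(STEP_FUNCTIONS, "SendTaskHeartbeat", True) for _ in range(3)]
    + [_rec(STEP_FUNCTIONS, "StartExecution", True),
       _rec(STEP_FUNCTIONS, "SendTaskSuccess", True),
       _rec("iam.amazonaws.com", "CreateRole", True)]
    + [_rec("s3.amazonaws.com", "PutObject", False) for _ in range(2)]
)


def load_records(path: str) -> Iterator[dict]:
    """Yield records from one gzipped CloudTrail log file as delivered to S3."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        yield from json.load(fh).get("Records", [])


def is_management(record: dict) -> bool:
    """Classify a record: prefer the explicit managementEvent flag and fall back
    to eventCategory for records that do not carry the flag."""
    if "managementEvent" in record:
        return bool(record["managementEvent"])
    return record.get("eventCategory", "Management") == "Management"


def tally(records: Iterable[dict]) -> Counter:
    """Count records per (eventSource, eventCategory, eventName)."""
    counts: Counter = Counter()
    for r in records:
        category = "Management" if is_management(r) else "Data"
        counts[(r.get("eventSource", "?"), category, r.get("eventName", "?"))] += 1
    return counts


def management_share(records: Iterable[dict], source: str = STEP_FUNCTIONS) -> Tuple[int, int, float]:
    """Return (management events from `source`, all management events, fraction).
    This is the volume that would leave the management-event stream (and the
    per-event billing that goes with it) if the service's calls were data events."""
    mgmt = [r for r in records if is_management(r)]
    from_source = sum(1 for r in mgmt if r.get("eventSource") == source)
    return from_source, len(mgmt), (from_source / len(mgmt) if mgmt else 0.0)


def report(records: Iterable[dict]) -> str:
    """Render the tally as text, busiest (source, category, name) first."""
    records = list(records)
    lines = [f"{src:28} {cat:10} {name:24} {n:6d}"
             for (src, cat, name), n in tally(records).most_common()]
    from_src, total, frac = management_share(records)
    lines.append(f"{STEP_FUNCTIONS}: {from_src}/{total} management events ({frac:.0%})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RECORDS))
```

Run it against real logs by chaining load_records() over the files for a day (for example with itertools.chain) and passing the result to report(); the fraction it prints for states.amazonaws.com is the share of management-event volume the question is asking AWS to move into the data-event category.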
1 Answer

It looks like the behavior is still the same. Another option would be great if we could exclude these events with something like:

aws cloudtrail put-event-selectors \
  --trail-name my-main-trail \
  --event-selectors '[{
    "ReadWriteType": "All",
    "IncludeManagementEvents": true,
    "DataResources": [],
    "ExcludeManagementEventSources": [
      "kms.amazonaws.com",
      "rdsdata.amazonaws.com",
      "states.amazonaws.com"
    ]
  }]'

answered a year ago
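A pre-flight check for an event-selector document before handing it to put-event-selectors, as an added example that is not part of the answer above. It encodes the constraint the answer runs into: the PutEventSelectors API reference lists only kms.amazonaws.com and rdsdata.amazonaws.com as accepted values for ExcludeManagementEventSources, so states.amazonaws.com is rejected. That allowed set, and the five-selectors-per-trail limit, are taken from the documentation as this example was written and are assumptions to re-check against the current reference.

```python
"""Pre-flight validation of a CloudTrail basic event-selector document.

Added example; not part of the answer above. SUPPORTED_EXCLUSIONS and the
selector-count limit come from the PutEventSelectors API reference at the time
of writing (assumption: verify against the current documentation).
"""
import json
from typing import List

# ExcludeManagementEventSources accepts only these two sources (assumption, see above).
SUPPORTED_EXCLUSIONS = {"kms.amazonaws.com", "rdsdata.amazonaws.com"}
READ_WRITE_TYPES = {"ReadOnly", "WriteOnly", "All"}
MAX_SELECTORS = 5  # basic event selectors per trail (assumption, see above)

# The selector proposed in the answer, reproduced as a constructed document.
PROPOSED_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [],
    "ExcludeManagementEventSources": [
        "kms.amazonaws.com", "rdsdata.amazonaws.com", "states.amazonaws.com"],
}]
PROPOSED = json.dumps(PROPOSED_SELECTORS)


def unsupported_exclusions(selectors: List[dict]) -> List[str]:
    """Sources under ExcludeManagementEventSources that the API does not accept."""
    bad: List[str] = []
    for sel in selectors:
        for src in sel.get("ExcludeManagementEventSources", []):
            if src not in SUPPORTED_EXCLUSIONS and src not in bad:
                bad.append(src)
    return bad


def validate(selector_json: str) -> List[str]:
    """Return a list of problems; an empty list means the document is worth submitting."""
    problems: List[str] = []
    try:
        selectors = json.loads(selector_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(selectors, list) or not selectors:
        return ["--event-selectors must be a non-empty JSON array"]
    if len(selectors) > MAX_SELECTORS:
        problems.append(f"at most {MAX_SELECTORS} event selectors per trail")
    for i, sel in enumerate(selectors):
        rw = sel.get("ReadWriteType", "All")  # API default is All
        if rw not in READ_WRITE_TYPES:
            problems.append(f"selector {i}: ReadWriteType {rw!r} not in {sorted(READ_WRITE_TYPES)}")
        include = sel.get("IncludeManagementEvents", True)  # API default is true
        if not isinstance(include, bool):
            problems.append(f"selector {i}: IncludeManagementEvents must be true or false")
        elif not include and sel.get("ExcludeManagementEventSources"):
            problems.append(f"selector {i}: exclusions have no effect when management events are not logged")
    for src in unsupported_exclusions(selectors):
        problems.append(
            f"{src} cannot be excluded: ExcludeManagementEventSources accepts only "
            + ", ".join(sorted(SUPPORTED_EXCLUSIONS)))
    return problems


if __name__ == "__main__":
    for line in validate(PROPOSED) or ["no problems found"]:
        print(line)
```

Running it on the answer's selector reports the states.amazonaws.com entry as the one line the API will refuse; drop it and the document passes, which is exactly why the answer frames the exclusion as a wish rather than a workaround.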
