KMS events are not being excluded from CloudTrail Management Events

0

Hi everyone!

I recently struggled with some CloudTrail costs in my account. To give some context, I enabled DynamoDB Global Tables for two regions, using encryption with a CMK in the primary region and creating a replica of this key in the second one.

The thing is, after setting up the global table, the CloudTrail costs started to increase significantly. I noticed that most of the events recorded were Decrypt events with the source IP address replication.dynamodb.amazonaws.com, and the event source was kms.amazonaws.com. As you might guess, the trail wasn't excluding AWS KMS events from management events. After changing the configuration I expected those costs to decrease again, but they stay the same, and the event history still shows management events from kms.amazonaws.com. Is there something I might be missing?

This is the Terraform configuration I'm using for setting up CloudTrail.

```hcl
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  insight_selector {
    insight_type = "ApiCallRateInsight"
  }

  event_selector {
    read_write_type                  = "All"
    include_management_events        = true
    exclude_management_event_sources = ["kms.amazonaws.com"]

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::DynamoDB::Table"
      values = ["arn:aws:dynamodb"]
    }
  }
}
```

  • When you look at the trail in CloudTrail in the AWS Console under the "Management Events" section do you see that KMS Events are being excluded?

  • Hi @MiguelUT! Thanks for answering! Yes, I see the option for excluding KMS events from management events as enabled (with the "Yes" option).

1 Answer
1
Accepted Answer

If you are using the "Event History" feature to view events in the CloudTrail console, you are not able to exclude KMS events from that dashboard. See the note in Logging management events for trails in the Management Events section. However, you should not see those events showing up in your S3 bucket where the trail events are stored.

AWS
answered a year ago
reviewed 6 days ago
  • You're right. Thanks to Athena I was able to see the real events that are causing the high costs, which are the GetRecords events by the agent replication.dynamodb.amazonaws.com from the main and the replica region. Is there a way to filter those events so they are not tracked by CloudTrail? I think one option could be reducing the tracking scope to the main DynamoDB table and saving just write operations.

  • The GetRecords event is a data event (as opposed to a management event). See Logging data events for trails for information on how to set up an advanced selector for your events.

  • Thanks! That solved the issue, I ended up using advanced selectors for excluding the needed events. Thanks, Miguel!
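As an added illustration (not the asker's final configuration or anything from the accepted answer), this is how the same aws_cloudtrail resource could be written with advanced event selectors so that KMS management events and the replication agent's DynamoDB GetRecords data events are both left out. It assumes the original event_selector block is removed, since the AWS provider does not allow event_selector and advanced_event_selector on the same trail; the original Lambda and S3 data_resource entries are not carried over and would each need their own advanced_event_selector block.

```hcl
# Added example: advanced event selectors replacing the event_selector block.
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  # Management events from every service except AWS KMS
  # (the Decrypt calls described in the question).
  advanced_event_selector {
    name = "Management events excluding KMS"
    field_selector {
      field  = "eventCategory"
      equals = ["Management"]
    }
    field_selector {
      field      = "eventSource"
      not_equals = ["kms.amazonaws.com"]
    }
  }

  # DynamoDB data events for all tables, minus GetRecords.
  # Caveat: this drops GetRecords from every caller, not only from
  # replication.dynamodb.amazonaws.com, so it is a coverage trade-off.
  advanced_event_selector {
    name = "DynamoDB data events without GetRecords"
    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::DynamoDB::Table"]
    }
    field_selector {
      field      = "eventName"
      not_equals = ["GetRecords"]
    }
  }
}
```

After applying, the trail's "Advanced event selectors" tab in the console should list both selectors, and an Athena query over the S3 prefix should show no further kms.amazonaws.com management events or DynamoDB GetRecords entries.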
