
Questions tagged with AWS CloudTrail



Many AWS Step Functions events in CloudTrail are considered "Management Events", but should be "Data Events"

We use Step Functions pretty extensively in one of our applications. I noticed higher than expected costs in CloudTrail and GuardDuty, which caused me to investigate. It looks like every call to StartExecution, SendTaskHeartbeat, SendTaskSuccess, SendTaskFailure, etc. is considered a "Management Event" inside CloudTrail. Since all of these functions are normal usage of the Step Functions service, I think they should be considered "Data Events" in the same way that regular "usage" of S3, Dynamo, and Lambda API calls are handled. By being considered "management events", they are causing a large number of events (and cost) in CloudTrail, and similarly with GuardDuty.

Below is a typical event caused by an API call to SendTaskHeartbeat, where you can see `"managementEvent": true` and `"eventCategory": "Management"`. I believe this should be `"managementEvent": false` and `"eventCategory": "Data"`:

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxx-04fe38ef50d84dad1",
        "arn": "arn:aws:sts::722537357562:assumed-role/my-role-name/i-x0x4xfxex3x8xex",
        "accountId": "999999999999",
        "accessKeyId": "ASIAXXXXXXXXXXXPB",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROxxxxxxxxxxxxAGI",
                "arn": "arn:aws:iam::999999999999:role/my-role-name",
                "accountId": "999999999999",
                "userName": "my-role-name"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-05-03T19:21:10Z",
                "mfaAuthenticated": "false"
            },
            "ec2RoleDelivery": "2.0"
        }
    },
    "eventTime": "2022-05-03T20:56:18Z",
    "eventSource": "states.amazonaws.com",
    "eventName": "SendTaskHeartbeat",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "3.81.182.218",
    "userAgent": "aws-sdk-php/3.183.13 OS/Linux/5.4.0-1030-aws GuzzleHttp/6.5.5 curl/7.68.0 PHP/7.4.3",
    "requestParameters": {
        "taskToken": "AAAAKgAAAA......AqHoA+2qxXBI="
    },
    "responseElements": null,
    "requestID": "999999999-81de-40bf-8b77-7ccbf0db5fb4",
    "eventID": "999999999-2193-47dd-8e3d-10a5d9e6266d",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "999999999999",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "states.us-east-1.amazonaws.com"
    }
}
```
0 answers | 0 votes | 3 views | bchecketts | asked 13 days ago
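Before raising a case like the one above, it helps to measure which API calls actually drive the management-event volume in your trail. The script below is an added example (not code from the post or from AWS): it parses a CloudTrail delivery object in the `{"Records": [...]}` format, classifies each record with `eventCategory` (falling back to `managementEvent` for older event versions), and ranks the busiest management-event APIs per `eventSource`. The sample log is constructed inline and modelled on the SendTaskHeartbeat event quoted above.

```python
import json
from collections import Counter

# Constructed sample log in CloudTrail's delivery format; all values are made up.
# On disk these objects are gzipped: decompress (gzip.open(..., "rt")) before parsing.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "states.amazonaws.com", "eventName": "SendTaskHeartbeat",
     "managementEvent": True, "eventCategory": "Management", "readOnly": False},
    {"eventSource": "states.amazonaws.com", "eventName": "SendTaskHeartbeat",
     "managementEvent": True, "eventCategory": "Management", "readOnly": False},
    {"eventSource": "states.amazonaws.com", "eventName": "StartExecution",
     "managementEvent": True, "eventCategory": "Management", "readOnly": False},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "managementEvent": False, "eventCategory": "Data", "readOnly": True},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "managementEvent": True, "eventCategory": "Management", "readOnly": False},
]})


def load_records(raw: str) -> list:
    """Parse one CloudTrail delivery object and return its Records list."""
    return json.loads(raw)["Records"]


def event_category(rec: dict) -> str:
    """eventCategory exists on eventVersion 1.07+; older records only carry managementEvent."""
    return rec.get("eventCategory") or ("Management" if rec.get("managementEvent") else "Data")


def tally(records: list) -> dict:
    """Count management events per eventSource and per (eventSource, eventName)."""
    per_source = Counter()
    per_api = Counter()
    for rec in records:
        if event_category(rec) != "Management":
            continue  # data events are billed and filtered separately
        src = rec.get("eventSource", "unknown")
        per_source[src] += 1
        per_api[(src, rec.get("eventName", "unknown"))] += 1
    return {"per_source": per_source, "per_api": per_api}


def top_management_apis(records: list, n: int = 3) -> list:
    """The n busiest (eventSource, eventName) pairs among management events."""
    return tally(records)["per_api"].most_common(n)


if __name__ == "__main__":
    for (src, name), count in top_management_apis(load_records(SAMPLE_LOG)):
        print(f"{count:6d}  {src}  {name}")
```

Run it over a day's worth of delivery objects to see whether states.amazonaws.com dominates as the poster describes; note that a trail's ExcludeManagementEventSources setting only accepts kms.amazonaws.com and rdsdata.amazonaws.com, so Step Functions management events cannot be filtered out at the trail.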

IAM Profile can create VPC IPV6 Subnet in some regions, but fails in other regions

A minimal IAM profile has been prepared for a CloudFormation stack which creates a VPC with IPv6CidrBlock and IPv6Cidr subnet. The IAM profile is sufficient for creating the stack in the us-east-1 region. The profile has been tested attached directly to an IAM user, and also attached to an IAM role which another IAM user assumes. Upon further testing, the IPv6 subnet creation fails in many, though not all, regions. There is one additional IAM profile action, ec2:DescribeNetworkAcls, which is needed for these other regions. For example, us-east-1 and eu-west-2 do not require the action; eu-central-1 and several other regions do require that IAM profile action.

1. Is there any known reason for this different requirement among the regions? Is there any EC2 or VPC service setting which can be queried to see the difference?
2. Why does CloudTrail not log the failure message when the IAM profile is missing the "ec2:DescribeNetworkAcls" action?
3. For the previously failing regions, when the action is added to the IAM profile, upon retest, CloudTrail does not log the successful event named "DescribeNetworkAcls", though it does log all other related events.

The error shown in CloudFormation, though not CloudTrail:

```
"ResourceStatus": "CREATE_FAILED",
LogicalId: Subnet,
"ResourceStatusReason": "Unable to retrieve Ipv6CidrBlocks attribute for AWS::EC2::VPC, with error message You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: XXX, Extended Request ID: null)..."
```

When the error occurs, adding the following IAM Policy action resolves the issue, though this eventName is still never logged by CloudTrail:

```
"ec2:DescribeNetworkAcls"
```

CloudFormation template:

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Test stack'
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  VPCIPv6:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      AmazonProvidedIpv6CidrBlock: true
      VpcId: !Ref VPC
  Subnet:
    Type: AWS::EC2::Subnet
    DependsOn:
      - VPCIPv6
    Properties:
      CidrBlock: 172.16.254.0/23
      Ipv6CidrBlock: !Select [0, !Cidr [!Select [0, !GetAtt 'VPC.Ipv6CidrBlocks'], 1, 64]]
      MapPublicIpOnLaunch: false
      VpcId: !Ref VPC
```

IAM Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudFormationStackActions",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStackResources"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "TESTINGVPCIPv6Subnet",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:ModifyVpcAttribute",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets"
      ],
      "Resource": ["*"]
    }
  ]
}
```

To reproduce:

* Save the above CloudFormation template text to a file named "a-test-stack-template.yaml".
* Set the temporary bash variable named `aws_cred_profile` to the AWS credentials profile name to be used for the AWS CLI commands. The creds should be those of the IAM user with the above IAM profile attached. Use `default` if there is only one set of credentials:

```bash
aws_cred_profile=default
```

* AWS CLI commands to test the mockup:

```bash
aws_region=eu-central-1

# aws cli create-stack; extract the stack name from the returned StackId ARN
test_env=$(aws cloudformation create-stack --region $aws_region --no-cli-pager \
  --profile $aws_cred_profile --disable-rollback \
  --stack-name test-$(date +%Y%b%d-%H%M%S) \
  --template-body file://a-test-stack-template.yaml \
  | sed -r -e 's/.*:stack\/(.*)\/.*/\1/' | sed '1d' | sed '2d')
echo $test_env

# repeat calls to list-stack-resources until the stack creation is complete
aws cloudformation list-stack-resources --region $aws_region --no-cli-pager \
  --profile $aws_cred_profile \
  --stack-name=$test_env --max-items=3
```
0 answers | 1 vote | 14 views | wywave | asked 4 months ago

Create an Athena-queryable CloudTrail with CDK (or CloudFormation?)

I'm trying to create an app/stack/solution which, when deployed, sets up the necessary infrastructure to programmatically query CloudTrail logs: in particular, to find resource creation requests in some services by a given execution role. It seemed (e.g. from this [Querying CloudTrail Logs page](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html) in the Athena developer guide) like Athena would be a good solution here, but I'm struggling to get the setup automated properly.

Setting up the [Trail](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cloudtrail-readme.html#trail) is pretty straightforward. However, my current attempt at mapping the [Athena manual partitioning instructions](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#create-cloudtrail-table) to CDK generating a Glue table seems to come up with a table with 0 partitions... And I don't really understand how the [partition projection instructions](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#create-cloudtrail-table-partition-projection) could translate to CDK?

There are definitely CloudTrail events in the source bucket/prefix. Does anybody know how to make this work? I'm not that deep on either Glue or Athena yet.

Current draft CDK for the Glue table below:

```typescript
const cloudTrailTable = new glue.Table(this, "CloudTrailGlueTable", {
  columns: [
    { name: "eventversion", type: glue.Schema.STRING },
    {
      name: "useridentity",
      type: glue.Schema.struct([
        { name: "type", type: glue.Schema.STRING },
        { name: "principalid", type: glue.Schema.STRING },
        { name: "arn", type: glue.Schema.STRING },
        { name: "accountid", type: glue.Schema.STRING },
        { name: "invokedby", type: glue.Schema.STRING },
        { name: "accesskeyid", type: glue.Schema.STRING },
        { name: "userName", type: glue.Schema.STRING },
        {
          name: "sessioncontext",
          type: glue.Schema.struct([
            {
              name: "attributes",
              type: glue.Schema.struct([
                { name: "mfaauthenticated", type: glue.Schema.STRING },
                { name: "creationdate", type: glue.Schema.STRING },
              ]),
            },
            {
              name: "sessionissuer",
              type: glue.Schema.struct([
                { name: "type", type: glue.Schema.STRING },
                { name: "principalId", type: glue.Schema.STRING },
                { name: "arn", type: glue.Schema.STRING },
                { name: "accountId", type: glue.Schema.STRING },
                { name: "userName", type: glue.Schema.STRING },
              ]),
            },
          ]),
        },
      ]),
    },
    { name: "eventtime", type: glue.Schema.STRING },
    { name: "eventsource", type: glue.Schema.STRING },
    { name: "eventname", type: glue.Schema.STRING },
    { name: "awsregion", type: glue.Schema.STRING },
    { name: "sourceipaddress", type: glue.Schema.STRING },
    { name: "useragent", type: glue.Schema.STRING },
    { name: "errorcode", type: glue.Schema.STRING },
    { name: "errormessage", type: glue.Schema.STRING },
    { name: "requestparameters", type: glue.Schema.STRING },
    { name: "responseelements", type: glue.Schema.STRING },
    { name: "additionaleventdata", type: glue.Schema.STRING },
    { name: "requestid", type: glue.Schema.STRING },
    { name: "eventid", type: glue.Schema.STRING },
    {
      name: "resources",
      type: glue.Schema.array(
        glue.Schema.struct([
          { name: "ARN", type: glue.Schema.STRING },
          { name: "accountId", type: glue.Schema.STRING },
          { name: "type", type: glue.Schema.STRING },
        ])
      ),
    },
    { name: "eventtype", type: glue.Schema.STRING },
    { name: "apiversion", type: glue.Schema.STRING },
    { name: "readonly", type: glue.Schema.STRING },
    { name: "recipientaccountid", type: glue.Schema.STRING },
    { name: "serviceeventdetails", type: glue.Schema.STRING },
    { name: "sharedeventid", type: glue.Schema.STRING },
    { name: "vpcendpointid", type: glue.Schema.STRING },
  ],
  dataFormat: glue.DataFormat.CLOUDTRAIL_LOGS,
  database: myGlueDatabase,
  tableName: "cloudtrail_table",
  bucket: myCloudTrailBucket,
  description: "CloudTrail Glue table",
  s3Prefix: `AWSLogs/${cdk.Stack.of(this).account}/CloudTrail/`,
  partitionKeys: [
    { name: "region", type: glue.Schema.STRING },
    { name: "year", type: glue.Schema.STRING },
    { name: "month", type: glue.Schema.STRING },
    { name: "day", type: glue.Schema.STRING },
  ],
});
```
1 answer | 0 votes | 18 views | Alex_T (EXPERT) | asked 5 months ago