
Questions tagged with AWS CloudTrail


Query JSON files from S3 with Athena

Hello, can someone please help? I set up a trail to audit all TLS calls in the account and saved all logs in S3. I tried to query the logs from S3 with Athena. This is the query I created:

```sql
-- Athena table over CloudTrail log files; struct fields are read as
-- tlsDetails.tlsVersion, userIdentity.sessionContext.sessionIssuer.arn, etc.
CREATE EXTERNAL TABLE cloudtrail_logs_tls_calls (
    eventVersion STRING,
    userIdentity STRUCT<
        type: STRING,
        principalId: STRING,
        arn: STRING,
        accountId: STRING,
        accessKeyId: STRING,
        sessionContext: STRUCT<
            sessionIssuer: STRUCT<
                type: STRING,
                principalId: STRING,
                arn: STRING,
                accountId: STRING,
                userName: STRING>>>,
    eventTime STRING,
    eventSource STRING,
    eventName STRING,
    awsRegion STRING,
    sourceIpAddress STRING,
    userAgent STRING,
    requestParameters STRUCT<
        maxResults: STRING>,
    responseElements STRING,
    requestId STRING,
    eventId STRING,
    eventType STRING,
    managementEvent STRING,
    recipientAccountId STRING,
    eventCategory STRING,
    tlsDetails STRUCT<
        tlsVersion: STRING,
        cipherSuite: STRING,
        clientProvidedHostHeader: STRING>
)
COMMENT 'CloudTrail table for <bucket_name> bucket'
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
-- the trail's delivery prefix: the account-ID and region folders sit under it
LOCATION 's3://<bucket_name>/AWSLogs/<Account_Number>/CloudTrail/'
TBLPROPERTIES ('classification'='cloudtrail');
```

Then, when I preview the table, I get this error:

[image: error screenshot from the original post]

Thank you in advance for your help.
4 answers · 0 votes · 76 views · asked 21 days ago
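The audit the table above is meant to support, written out as an added example (this is not code from the question or from AWS). It reads CloudTrail log files the way they sit in S3, gzip-compressed JSON with a top-level `Records` array, pulls `tlsDetails` out of each record and reports which principals are still calling which services over TLS versions older than 1.2. The log records are constructed samples; the account IDs, ARNs and IP addresses in them are placeholders.

```python
# Added example (not code from the question): offline TLS audit over
# CloudTrail log files. The records below are constructed samples.
import gzip
import io
import json
from collections import Counter

SAMPLE_LOG_FILE = {  # constructed; shaped like a file CloudTrail delivers to S3
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
            "eventTime": "2022-09-01T10:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "tlsDetails": {"tlsVersion": "TLSv1.2",
                           "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                           "clientProvidedHostHeader": "s3.amazonaws.com"},
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/legacy-app/i-0abc"},
            "eventTime": "2022-09-01T10:05:00Z",
            "eventSource": "sts.amazonaws.com",
            "eventName": "GetCallerIdentity",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "10.0.0.5",
            "tlsDetails": {"tlsVersion": "TLSv1",
                           "cipherSuite": "ECDHE-RSA-AES256-SHA",
                           "clientProvidedHostHeader": "sts.amazonaws.com"},
        },
        {   # service-originated call: carries no tlsDetails at all
            "eventVersion": "1.08",
            "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
            "eventTime": "2022-09-01T10:06:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "cloudformation.amazonaws.com",
        },
    ]
}

MIN_OK_TLS = "TLSv1.2"


def tls_tuple(version):
    """'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2): lets versions compare numerically."""
    v = version[4:] if version.startswith("TLSv") else version
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (2 - len(parts)))


def gzip_bytes(doc):
    """Serialize a log document the way it sits in S3 (gzipped JSON)."""
    return gzip.compress(json.dumps(doc).encode())


def iter_records(blob):
    """Yield the records of one gzipped CloudTrail log file."""
    with gzip.open(io.BytesIO(blob), "rt") as fh:
        yield from json.load(fh).get("Records", [])


def audit_tls(blobs, min_ok=MIN_OK_TLS):
    """Count calls below min_ok by (principal ARN, eventSource, tlsVersion).

    Returns (legacy_counter, missing). 'missing' counts records without
    tlsDetails; that is normal for service-to-service calls, so it is
    reported separately instead of being treated as a finding."""
    legacy = Counter()
    missing = 0
    for blob in blobs:
        for rec in iter_records(blob):
            ver = (rec.get("tlsDetails") or {}).get("tlsVersion")
            if not ver:
                missing += 1
                continue
            if tls_tuple(ver) < tls_tuple(min_ok):
                principal = rec.get("userIdentity", {}).get("arn", "<no arn>")
                legacy[(principal, rec["eventSource"], ver)] += 1
    return legacy, missing


if __name__ == "__main__":
    legacy, missing = audit_tls([gzip_bytes(SAMPLE_LOG_FILE)])
    for (arn, source, ver), n in sorted(legacy.items()):
        print(f"{n:4d}  {ver:8s}  {source:24s}  {arn}")
    print(f"{missing} record(s) carried no tlsDetails")
```

Over the Athena table in the question the same report is a `SELECT` grouped on `useridentity.arn`, `eventsource` and `tlsdetails.tlsversion` with `WHERE tlsdetails.tlsversion IN ('TLSv1', 'TLSv1.1')`. One check worth making against the DDL itself: AWS's documented CloudTrail table declares `requestParameters` and `responseElements` as `STRING`, because their shape differs per API call, rather than as a fixed `STRUCT`.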

How to get resource referenced from the CloudTrail log

In many of the CloudTrail events, we are not getting the 'Resources' field, which indicates which resources are being accessed in this particular event. However, if I look at that event in the CloudTrail event history dashboard, I find the table below (attached image), which gives the resource referenced details even though there is no resource field present in the raw log. So, my question is: how can I get this information from the log? In some way AWS is able to populate this table, but that information is not directly available in the raw log.

[image: "Resources referenced" table from the CloudTrail console, attached to the original post]

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "[myPrincipalId]:ElasticLoadBalancing",
    "arn": "arn:aws:sts::[myAccountId]:assumed-role/AWSServiceRoleForElasticLoadBalancing/ElasticLoadBalancing",
    "accountId": "[myAccountId]",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "[myPrincipalId]",
        "arn": "arn:aws:iam::[myAccountId]:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
        "accountId": "[myAccountId]",
        "userName": "AWSServiceRoleForElasticLoadBalancing"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-08-20T07:27:43Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "elasticloadbalancing.amazonaws.com"
  },
  "eventTime": "2022-08-20T07:27:43Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateNetworkInterface",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "elasticloadbalancing.amazonaws.com",
  "userAgent": "elasticloadbalancing.amazonaws.com",
  "requestParameters": {
    "subnetId": "subnet-0a428ff2dcf4e896b",
    "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
    "groupSet": {
      "items": [
        {
          "groupId": "sg-07408d67d3878fd4e"
        }
      ]
    },
    "privateIpAddressesSet": {},
    "ipv6AddressCount": 0,
    "clientToken": "4f7000ef-6927-4cb1-88ad-37609dd52a37"
  },
  "responseElements": {
    "requestId": "46159ac0-6a14-458f-bbf1-60a319754d71",
    "networkInterface": {
      "networkInterfaceId": "eni-009389dca7751c4f9",
      "subnetId": "subnet-0a428ff2dcf4e896b",
      "vpcId": "vpc-069ad83a3f41954ba",
      "availabilityZone": "us-east-1b",
      "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
      "ownerId": "[myAccountId]",
      "requesterId": "amazon-elb",
      "requesterManaged": true,
      "status": "pending",
      "macAddress": "[myMacAddress]",
      "privateIpAddress": "[myPrivateIp]",
      "privateDnsName": "ip-[hereIP].ec2.internal",
      "sourceDestCheck": true,
      "interfaceType": "interface",
      "groupSet": {
        "items": [
          {
            "groupId": "sg-07408d67d3878fd4e",
            "groupName": "load-test-neptune-db"
          }
        ]
      },
      "privateIpAddressesSet": {
        "item": [
          {
            "privateIpAddress": "[myPrivateIp]",
            "privateDnsName": "ip-[hereIP].ec2.internal",
            "primary": true
          }
        ]
      },
      "ipv6AddressesSet": {},
      "tagSet": {}
    }
  },
  "requestID": "46159ac0-6a14-458f-bbf1-60a319754d71",
  "eventID": "d83cfd17-864a-478b-80f8-2f95c28eaef8",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "[myAccountId]",
  "eventCategory": "Management"
}
```
1 answer · 0 votes · 34 views · asked a month ago
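One way to recover the referenced resources from the raw event when it has no top-level `resources` field, as an added example that is not part of the question and is not the method the CloudTrail console uses (the question notes that method is not visible in the log): walk `requestParameters` and `responseElements` and pick out every value shaped like an EC2 resource ID, recording whether it was an input to the call, an output, or both. The prefix-to-type table is an assumption to extend for the services you audit. The event is a constructed, trimmed copy of the `CreateNetworkInterface` event posted above; the IDs in it are placeholders.

```python
# Added example (not code from the question, and not the console's method):
# derive referenced resources from an event with no "resources" field.
import re

ID_PREFIXES = {  # assumed mapping of EC2 ID prefix -> resource type
    "eni": "AWS::EC2::NetworkInterface",
    "subnet": "AWS::EC2::Subnet",
    "vpc": "AWS::EC2::VPC",
    "sg": "AWS::EC2::SecurityGroup",
    "i": "AWS::EC2::Instance",
    "vol": "AWS::EC2::Volume",
    "ami": "AWS::EC2::Image",
}
# EC2 IDs are a short lowercase prefix, a dash, and 8 or 17 hex digits.
ID_RE = re.compile(r"^(?P<prefix>[a-z]+)-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

SAMPLE_EVENT = {  # constructed, trimmed from the event in the question
    "eventVersion": "1.08",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateNetworkInterface",
    "requestParameters": {
        "subnetId": "subnet-0a428ff2dcf4e896b",
        "description": "ELB app/load-test-neptune-db/c458eb27864e9e76",
        "groupSet": {"items": [{"groupId": "sg-07408d67d3878fd4e"}]},
        "clientToken": "4f7000ef-6927-4cb1-88ad-37609dd52a37",
    },
    "responseElements": {
        "requestId": "46159ac0-6a14-458f-bbf1-60a319754d71",
        "networkInterface": {
            "networkInterfaceId": "eni-009389dca7751c4f9",
            "subnetId": "subnet-0a428ff2dcf4e896b",
            "vpcId": "vpc-069ad83a3f41954ba",
            "groupSet": {"items": [{"groupId": "sg-07408d67d3878fd4e",
                                    "groupName": "load-test-neptune-db"}]},
        },
    },
}


def walk(value, path=()):
    """Yield (path, leaf) for every scalar in a nested JSON value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, path + (k,))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, path + (str(i),))
    else:
        yield path, value


def referenced_resources(event):
    """Return [{'id', 'type', 'role'}] for each distinct resource ID found.

    role is 'input' (seen in requestParameters), 'output' (seen in
    responseElements) or 'input,output'. An event that already carries a
    'resources' field is returned as-is with role 'declared'."""
    if event.get("resources"):
        return [{"id": r.get("ARN") or r.get("resourceName"),
                 "type": r.get("type"), "role": "declared"}
                for r in event["resources"]]
    found = {}  # dict order = order of first sighting
    for section, role in (("requestParameters", "input"),
                          ("responseElements", "output")):
        for _path, leaf in walk(event.get(section) or {}):
            m = ID_RE.match(leaf) if isinstance(leaf, str) else None
            if not m or m.group("prefix") not in ID_PREFIXES:
                continue
            entry = found.setdefault(leaf, {"type": ID_PREFIXES[m.group("prefix")],
                                            "roles": set()})
            entry["roles"].add(role)
    return [{"id": rid, "type": e["type"], "role": ",".join(sorted(e["roles"]))}
            for rid, e in found.items()]


if __name__ == "__main__":
    for r in referenced_resources(SAMPLE_EVENT):
        print(f"{r['type']:32s} {r['id']:24s} {r['role']}")
```

Run on the sample it lists the subnet and security group (input and output), the new ENI and its VPC (output only); the request ID, client token and description are skipped because they do not match the ID shape. ARNs for other services need their own patterns, and anything derived this way is a best-effort reconstruction, not a field CloudTrail attests to.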

Allowing permission to Generate a policy based on CloudTrail events where the selected Trail logs events in an S3 bucket in another account

I have an AWS account (Account A) with CloudTrail enabled and logging management events to an S3 'logs' bucket in another, dedicated logs account (Account B, which I also own). The logging part works fine, but I'm now trying (and failing) to use the 'Generate policy based on CloudTrail events' tool in the IAM console (under the Users > Permissions tab) in Account A. This is supposed to read the CloudTrail logs for a given user/region/no. of days, identify all of the actions the user performed, then generate a sample IAM security policy to allow only those actions, which is great for setting up least privilege policies etc.

When I first ran the generator, it created a new service role to assume in the same account (Account A): `AccessAnalyzerMonitorServiceRole_ABCDEFGHI`

When I selected the CloudTrail trail to analyse, it (correctly) identified that the trail logs are stored in an S3 bucket in another account, and displayed this warning message:

> Important: Verify cross-account access is configured for the selected trail. The selected trail logs events in an S3 bucket in another account. The role you choose or create must have read access to the bucket in that account to generate a policy. Learn more.

Attempting to run the generator at this stage fails after a short amount of time, and if you hover over the 'Failed' status in the console you see the message:

> Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again.

Makes sense, but actually giving read access to the S3 bucket to the automatically generated AccessAnalyzerMonitorServiceRole_ABCDEFGHI is where I'm now stuck! I'm relatively new to AWS so I might have done something dumb or be missing something obvious, but I'm trying to give the automatically generated role in Account A permission to the S3 bucket by adding to the 'Bucket Policy' attached to the S3 logs bucket in our Account B.

I've added the below extract to the existing bucket policy (which is just the standard policy for a CloudTrail logs bucket, extended to allow CloudTrail in Account A to write logs to it as well), but my attempts to run the policy generator still fail with the same error message.

```json
{
  "Sid": "IAMPolicyGeneratorRead",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::1234567890:role/service-role/AccessAnalyzerMonitorServiceRole_ABCDEFGHI"
  },
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI",
    "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI/*"
  ]
}
```

Any suggestions how I can get this working?
1 answer · 0 votes · 55 views · asked 2 months ago
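The check a practitioner would run before re-trying the generator, as an added example that is not part of the question or of any answer: cross-account access to S3 is only granted when both sides agree, so the role's own identity-based policy in Account A must allow `s3:ListBucket` and `s3:GetObject` on the bucket in Account B in addition to the bucket policy in B naming the role. The simplified evaluator below applies that rule to a bucket policy shaped like the one posted and to two constructed role policies, one that only names a bucket in Account A and one that also names the logs bucket in B. It models Allow/Deny with explicit deny winning, `*` wildcards in `Action` and `Resource`, and role-ARN, account-ID or account-root principals; it does not model `Condition`, `NotAction`/`NotResource`, SCPs, permission boundaries or KMS key policies (if the log objects are SSE-KMS encrypted the role additionally needs `kms:Decrypt` on that key, which this does not check). The account IDs, bucket name and role name are placeholders.

```python
# Added example (not code from the question): check both halves of a
# cross-account S3 grant, identity policy in A and bucket policy in B.
import fnmatch

ROLE_ARN = ("arn:aws:iam::111111111111:role/service-role/"
            "AccessAnalyzerMonitorServiceRole_ABCDEFGHI")  # placeholder
BUCKET = "aws-cloudtrail-logs-ABCDEFGHI"                   # placeholder
NEEDED = [  # (action, resource) pairs the generator must be able to perform
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/AWSLogs/111111111111/CloudTrail/"
                     "us-east-1/2022/09/01/111111111111_CloudTrail_us-east-1_x.json.gz"),
]

# Bucket policy in the logs account (B), shaped like the one in the question.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IAMPolicyGeneratorRead", "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}]}

# Constructed identity policies on the role in account A. The first only
# names a bucket in A, so the cross-account bucket is uncovered on this side.
ROLE_POLICY_WRONG = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::cloudtrail-bucket-in-account-a",
                 "arn:aws:s3:::cloudtrail-bucket-in-account-a/*"],
}]}
ROLE_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match_any(patterns, value, fold=False):
    """IAM-style '*' matching; action names are case-insensitive, ARNs are not."""
    if fold:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold else p)
               for p in _as_list(patterns))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    account = arn.split(":")[4]
    return any(p in ("*", arn, account, f"arn:aws:iam::{account}:root") for p in aws)


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or None (no statement applies).
    principal_arn is only consulted for resource-based policies."""
    outcome = None
    for st in policy["Statement"]:
        if principal_arn is not None and "Principal" in st \
                and not _principal_matches(st["Principal"], principal_arn):
            continue
        if not _match_any(st.get("Action", []), action, fold=True):
            continue
        if not _match_any(st.get("Resource", []), resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit deny wins over any allow
        outcome = "Allow"
    return outcome


def cross_account_allowed(role_policy, bucket_policy, role_arn, action, resource):
    """(allowed, reason): both policies must allow; any Deny blocks."""
    identity = evaluate(role_policy, action, resource)
    bucket = evaluate(bucket_policy, action, resource, principal_arn=role_arn)
    if "Deny" in (identity, bucket):
        return False, f"explicit deny (identity={identity}, bucket={bucket})"
    if identity != "Allow":
        return False, "identity policy on the role does not allow this"
    if bucket != "Allow":
        return False, "bucket policy does not allow this principal"
    return True, "allowed by both policies"


def check_all(role_policy, bucket_policy=BUCKET_POLICY, role_arn=ROLE_ARN, needed=NEEDED):
    return {action: cross_account_allowed(role_policy, bucket_policy, role_arn, action, res)
            for action, res in needed}


if __name__ == "__main__":
    for name, pol in (("wrong", ROLE_POLICY_WRONG), ("fixed", ROLE_POLICY_FIXED)):
        for action, (ok, why) in check_all(pol).items():
            print(f"{name:5s} {action:14s} {'OK' if ok else 'NO'}  {why}")
```

The posted bucket policy passes on its own; with the first role policy every call fails on the identity side, and adding the Account B bucket to the role's policy makes both calls pass. The same two-sided test, done for real, is to assume the role and run an `s3:ListBucket` and an `s3:GetObject` against the logs bucket with the CLI, which reports which side rejected the request.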

How do we look up more verbose information by RequestIDs thrown in AWS CloudFormation events whose status reports CREATE_FAILED?

Without setting up a CloudTrail and executing a CFN template which rolls back, I have started looking at debugging options. I found [this](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-api-logging-cloudtrail.html) which says we can see the most recent without a created trail. I tried to find RequestId documentation from [here](https://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=resourceid&this_doc_product=AWS+CloudFormation&facet_doc_product=AWS+CloudFormation) entering 'requested' in the search bar, which returned many items unrelated to my specific case (thanks for the attempt, Kendra :). I also have looked at the CLI docs [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-listing-event-history.html).

I guess I first need to know what a RequestID is capable of helping me trace, as I am doing a simple debug of an instance I already know has the wrong AMI ID for that region, but am trying to re-familiarize myself with fixing CFN templates after being out of the loop for a few years. I'd like to know how someone else handles a CREATE_FAILED and ways to use the status reason in a verbose way. Each reason appears to be ';' separated, so even just a point in that direction might help weed through the mountain of information here. Thanks ahead of time - Rudy
0 answers · 0 votes · 27 views · asked 2 months ago
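The ';'-separated tail the question mentions, taken apart and put to use, as an added example that is not part of the question (there is no answer on the page). CloudFormation copies the failing service's error into the stack event's `ResourceStatusReason`; the SDK-style tail in parentheses is a list of `Key: value` pairs (`Service`, `Status Code`, `Error Code`, `Request ID`, `Proxy`), and the `Request ID` is the value the called service records in the CloudTrail event's `requestID` field. The code parses that tail and joins it to the matching CloudTrail record to recover who made the call and with what parameters. Event History lookups can filter on attributes such as event name or event source but not on request ID, so the request-ID match is done client-side here. The status reason and the CloudTrail records are constructed samples; the AMI, account, event and request IDs are placeholders.

```python
# Added example (not code from the question): parse a CREATE_FAILED status
# reason and find the failing API call in CloudTrail by its Request ID.
import re

SAMPLE_STATUS_REASON = (  # constructed, in the shape CloudFormation reports
    "The image id '[ami-0123456789abcdef0]' does not exist "
    "(Service: AmazonEC2; Status Code: 400; Error Code: InvalidAMIID.NotFound; "
    "Request ID: 1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d; Proxy: null)"
)

SAMPLE_TRAIL_RECORDS = [  # constructed CloudTrail records; IDs are placeholders
    {
        "eventTime": "2022-09-01T10:00:01Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/cfn-deploy/AWSCloudFormation",
                         "invokedBy": "cloudformation.amazonaws.com"},
        "requestParameters": {"instancesSet": {"items": [
            {"imageId": "ami-0123456789abcdef0", "minCount": 1, "maxCount": 1}]}},
        "errorCode": "Client.InvalidAMIID.NotFound",
        "errorMessage": "The image id '[ami-0123456789abcdef0]' does not exist",
        "requestID": "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
        "eventID": "9f8e7d6c-5b4a-4c3d-8e2f-1a0b9c8d7e6f",
    },
    {   # an unrelated successful call with a different request ID
        "eventTime": "2022-09-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeImages",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/cfn-deploy/AWSCloudFormation",
                         "invokedBy": "cloudformation.amazonaws.com"},
        "requestID": "0f1e2d3c-4b5a-4978-8675-4433221100ff",
        "eventID": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    },
]

# The trailing "(Key: value; Key: value; ...)" group at the end of the reason.
TAIL_RE = re.compile(r"\(([^()]*)\)\s*$")


def parse_status_reason(reason):
    """Split a status reason into the message and a dict of its ';'-separated
    'Key: value' fields. A reason with no such tail yields empty fields."""
    m = TAIL_RE.search(reason)
    if not m:
        return {"message": reason.strip(), "fields": {}}
    fields = {}
    for pair in m.group(1).split(";"):
        key, sep, value = pair.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {"message": reason[: m.start()].strip(), "fields": fields}


def find_api_call(records, request_id):
    """Return the CloudTrail record whose requestID matches, else None."""
    return next((r for r in records if r.get("requestID") == request_id), None)


def explain_failure(reason, records):
    """Join the parsed status reason with the matching CloudTrail record."""
    parsed = parse_status_reason(reason)
    rid = parsed["fields"].get("Request ID")
    rec = find_api_call(records, rid) if rid else None
    return {
        "message": parsed["message"],
        "service": parsed["fields"].get("Service"),
        "error_code": parsed["fields"].get("Error Code"),
        "request_id": rid,
        "api_call": (rec["eventSource"], rec["eventName"]) if rec else None,
        "caller": rec["userIdentity"].get("arn") if rec else None,
        "request_parameters": rec.get("requestParameters") if rec else None,
    }


if __name__ == "__main__":
    for k, v in explain_failure(SAMPLE_STATUS_REASON, SAMPLE_TRAIL_RECORDS).items():
        print(f"{k:20s} {v}")
```

With a trail in place the `records` argument is whatever you pull for the failure window (the gzipped log files from S3, or the output of `aws cloudtrail lookup-events` filtered on the event source), and the `Request ID` from the status reason picks out the one failed call among them, including its `requestParameters`, which is usually enough to see the wrong AMI ID or region without guessing.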