
Questions tagged with Amazon CloudTrail


Query JSON files from S3 with Athena

Hello, can someone please help? I set up a trail to audit all TLS calls in the account and saved all logs in S3. I tried to query the logs from S3 with Athena. This is the query I created:

```sql
CREATE EXTERNAL TABLE cloudtrail_logs_tls_calls (
  eventVersion STRING,
  userIdentity STRUCT<
    type: STRING,
    principalId: STRING,
    arn: STRING,
    accountId: STRING,
    accessKeyId: STRING,
    sessionContext: STRUCT<
      sessionIssuer: STRUCT<
        type: STRING,
        principalId: STRING,
        arn: STRING,
        accountId: STRING,
        userName: STRING>>>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  -- Note: the AWS documentation's CloudTrail table template declares
  -- requestParameters as STRING (the nested JSON is kept as text).
  requestParameters STRUCT< maxResults: STRING>,
  responseElements STRING,
  requestId STRING,
  eventId STRING,
  eventType STRING,
  managementEvent STRING,
  recipientAccountId STRING,
  eventCategory STRING,
  tlsDetails STRUCT<
    tlsVersion: STRING,
    cipherSuite: STRING,
    clientProvidedHostHeader: STRING>
)
COMMENT 'CloudTrail table for <bucket_name> bucket'
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://<bucket_name>/AWSLogs/<Account_Number>/CloudTrail/'
TBLPROPERTIES ('classification'='cloudtrail');
```

Then, when I preview the table, I get this error:

![Enter image description here](/media/postImages/original/IMqzXKwK03SCufTBjRPK_6-Q)

Thank you in advance for your help.
4 answers · 0 votes · 69 views · asked 11 days ago
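The TLS audit that the table above is meant to support, done offline in Python as an added example that is not part of the original question or its answers: it reads CloudTrail log files in the shape CloudTrail delivers them (a gzipped JSON document with a `Records` array), tallies `tlsDetails.tlsVersion` per event, flags calls negotiated below TLS 1.2, and counts separately the events that carry no `tlsDetails` at all, since not every event type reports it. The records, account IDs, ARNs and IP addresses are constructed for the example, and the `_rec` helper only exists to build them.

```python
import gzip
import io
import json
from collections import Counter

MIN_TLS = (1, 2)  # policy floor: anything older is flagged


def _rec(source, name, src_ip, arn, tls=None):
    """Build one constructed CloudTrail record; tls=(version, cipher) or None."""
    rec = {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
           "userIdentity": {"arn": arn}, "eventSource": source, "eventName": name,
           "awsRegion": "eu-west-2", "sourceIPAddress": src_ip}
    if tls:
        rec["tlsDetails"] = {"tlsVersion": tls[0], "cipherSuite": tls[1],
                             "clientProvidedHostHeader": source}
    return rec


# Constructed sample in the CloudTrail delivery shape: {"Records": [...]}.
SAMPLE_LOG = {"Records": [
    _rec("s3.amazonaws.com", "ListBuckets", "198.51.100.10",
         "arn:aws:iam::111111111111:user/alice", ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")),
    _rec("sts.amazonaws.com", "GetCallerIdentity", "203.0.113.7",  # legacy SDK on TLS 1.0
         "arn:aws:sts::111111111111:assumed-role/batch/job-7", ("TLSv1", "AES128-SHA")),
    _rec("signin.amazonaws.com", "ConsoleLogin", "198.51.100.20",  # sign-in: no tlsDetails
         "arn:aws:iam::111111111111:user/bob"),
    _rec("kms.amazonaws.com", "Decrypt", "198.51.100.10",
         "arn:aws:iam::111111111111:user/alice", ("TLSv1.3", "TLS_AES_128_GCM_SHA256")),
]}


def gzip_log(doc):
    """Serialise a log document the way CloudTrail delivers it: gzipped JSON."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(doc).encode("utf-8"))
    return buf.getvalue()


def load_records(gz_bytes):
    """One delivered .json.gz object -> list of record dicts."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes), mode="rb") as gz:
        return json.load(gz).get("Records", [])


def tls_tuple(version):
    """'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2); tuples compare in version order."""
    if not version.startswith("TLSv"):
        raise ValueError("unexpected tlsVersion: %r" % version)
    major, _, minor = version[4:].partition(".")
    return int(major), int(minor or 0)


def tls_summary(records):
    """Return (Counter of tlsVersion, list of flagged calls).

    Events without tlsDetails are counted under '(none)' but never flagged:
    they are event types that do not report TLS, not weak connections.
    """
    by_version = Counter()
    flagged = []
    for rec in records:
        details = rec.get("tlsDetails") or {}
        version = details.get("tlsVersion")
        if not version:
            by_version["(none)"] += 1
            continue
        by_version[version] += 1
        if tls_tuple(version) < MIN_TLS:
            flagged.append({
                "eventTime": rec.get("eventTime"),
                "eventSource": rec.get("eventSource"),
                "eventName": rec.get("eventName"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "userArn": rec.get("userIdentity", {}).get("arn"),
                "tlsVersion": version,
                "cipherSuite": details.get("cipherSuite"),
            })
    return by_version, flagged


if __name__ == "__main__":
    versions, weak = tls_summary(load_records(gzip_log(SAMPLE_LOG)))
    for v, n in sorted(versions.items()):
        print("%-8s %d" % (v, n))
    for call in weak:
        print("FLAG", call)
```

Against a real bucket the same `load_records` is applied to each object under `AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/`; the flagged list is what a `WHERE tlsDetails.tlsVersion IN ('TLSv1', 'TLSv1.1')` query on the Athena table would return once the table reads correctly.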

Allowing permission to Generate a policy based on CloudTrail events where the selected Trail logs events in an S3 bucket in another account

I have an AWS account (Account A) with CloudTrail enabled and logging management events to an S3 'logs' bucket in another, dedicated logs account (Account B, which I also own). The logging part works fine, but I'm now trying (and failing) to use the 'Generate policy based on CloudTrail events' tool in the IAM console (under the Users > Permissions tab) in Account A. This is supposed to read the CloudTrail logs for a given user/region/number of days, identify all of the actions the user performed, then generate a sample IAM security policy to allow only those actions, which is great for setting up least-privilege policies etc.

When I first ran the generator, it created a new service role to assume in the same account (Account A): AccessAnalyzerMonitorServiceRole_ABCDEFGHI

When I selected the CloudTrail trail to analyse, it (correctly) identified that the trail logs are stored in an S3 bucket in another account, and displayed this warning message:

> Important: Verify cross-account access is configured for the selected trail. The selected trail logs events in an S3 bucket in another account. The role you choose or create must have read access to the bucket in that account to generate a policy. Learn more.

Attempting to run the generator at this stage fails after a short amount of time, and if you hover over the 'Failed' status in the console you see the message:

> Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again.

Makes sense, but actually giving read access to the S3 bucket to the automatically generated AccessAnalyzerMonitorServiceRole_ABCDEFGHI is where I'm now stuck! I'm relatively new to AWS so I might have done something dumb or be missing something obvious, but I'm trying to give the automatically generated role in Account A permission to the S3 bucket by adding to the 'Bucket Policy' attached to the S3 logs bucket in our Account B.

I've added the below extract to the existing bucket policy (which is just the standard policy for a CloudTrail logs bucket, extended to allow CloudTrail in Account A to write logs to it as well), but my attempts to run the policy generator still fail with the same error message.

```json
{
  "Sid": "IAMPolicyGeneratorRead",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::1234567890:role/service-role/AccessAnalyzerMonitorServiceRole_ABCDEFGHI"
  },
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI",
    "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI/*"
  ]
}
```

Any suggestions how I can get this working?
1 answer · 0 votes · 48 views · asked a month ago

KMS policy for cross account cloudtrail

Hi, I have CloudTrail enabled for the organization in the root account, and an S3 bucket in a security account (with KMS enabled). All logs from all accounts are hitting the bucket! I now need to enable KMS for CloudTrail, and I'm trying to follow the below guide in Terraform: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

Using the below code:

```hcl
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true

  # The key policy has to be a complete policy document (Version + Statement);
  # the statement alone is not accepted.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "${aws_kms_key.cloudtrail.arn}", # THIS IS THE LINE THAT FAILS!
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": [
            "arn:aws:cloudtrail:*:xxx:trail/*",
            "arn:aws:cloudtrail:*:xx:trail/*"
          ]
        },
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"
        }
      }
    }
  ]
}
POLICY
}
```

But I'm getting this error:

```
Error: Self-referential block
│
│ on kms-cloudtrail.tf line 16, in resource "aws_kms_key" "cloudtrail":
│ 16: "Resource": "${aws_kms_key.cloudtrail.arn}",
│
│ Configuration for aws_kms_key.cloudtrail may not refer to itself.
```

I'm guessing I get the error because the KMS key doesn't exist yet, so it can't reference it? So is the document wrong? Or am I misunderstanding something regarding it? Any help would be great!
2 answers · 0 votes · 186 views · asked 4 months ago
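A simplified IAM policy evaluator, added here as an example and not part of either question or its answers, run over the two resource policies discussed in the last two questions: the bucket statement from the policy-generator question, and the CloudTrail key-policy statement from the Terraform question written with `"Resource": "*"` in place of the self-referencing key ARN. A KMS key policy only ever governs the key it is attached to, so `"*"` there names that key, which is why no reference to the key's own ARN is needed. The evaluator models Allow/Deny with `Principal`, `Action`, `Resource` and `StringEquals`/`StringLike` conditions only; `NotAction`/`NotResource`/`NotPrincipal`, policy variables and the merging of the caller's identity policy are left out, so an `Allow` here means only that this one document grants the request. The role and bucket ARNs are the placeholders from the posts; the `111111111111`, `222222222222` and `333333333333` account IDs and the key ID are constructed.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcards: '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, caller):
    """caller is {'AWS': <arn>} or {'Service': <service principal>}."""
    if principal == "*":
        return True
    for kind, ids in principal.items():
        if kind in caller and caller[kind] in _as_list(ids):
            return True
        if kind == "AWS" and "*" in _as_list(ids) and "AWS" in caller:
            return True
    return False


def _condition_matches(condition, context):
    """Every operator/key pair must hold; a missing context key fails the check."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = any(_glob(p, actual) for p in expected)
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True


def evaluate(policy, caller, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal", {}), caller):
            continue
        # action names are case-insensitive; resources and conditions are not
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


# Bucket policy statement from the policy-generator question (its placeholder IDs).
READER_ROLE = "arn:aws:iam::1234567890:role/service-role/AccessAnalyzerMonitorServiceRole_ABCDEFGHI"
LOG_BUCKET = "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IAMPolicyGeneratorRead", "Effect": "Allow",
    "Principal": {"AWS": READER_ROLE},
    "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
    "Resource": [LOG_BUCKET, LOG_BUCKET + "/*"]}]}

# Key policy statement from the Terraform question with "Resource": "*", which in a
# key policy means the key itself. Account IDs and key ID are constructed placeholders.
TRAIL_ARN = "arn:aws:cloudtrail:eu-west-2:111111111111:trail/organization_trail"
KEY_ARN = "arn:aws:kms:eu-west-2:222222222222:key/11111111-2222-3333-4444-555555555555"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable CloudTrail Encrypt Permissions", "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
        "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                       "arn:aws:cloudtrail:*:111111111111:trail/*"},
        "StringEquals": {"aws:SourceArn": TRAIL_ARN}}}]}
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
ORG_TRAIL_CTX = {"kms:EncryptionContext:aws:cloudtrail:arn": TRAIL_ARN,
                 "aws:SourceArn": TRAIL_ARN}

if __name__ == "__main__":
    print(evaluate(BUCKET_POLICY, {"AWS": READER_ROLE}, "s3:ListBucket", LOG_BUCKET))
    print(evaluate(KEY_POLICY, CLOUDTRAIL, "kms:GenerateDataKey", KEY_ARN, ORG_TRAIL_CTX))
```

Two caveats the evaluator makes visible. For the bucket question, the statement as posted does grant `s3:ListBucket` on the bucket and `s3:GetObject` on its objects to that role, but cross-account S3 access also needs the role's own identity policy in Account A to allow the same actions on the Account B bucket, and, if the bucket is encrypted with SSE-KMS, `kms:Decrypt` on that key as well; this document alone cannot show whether those are in place. For the key question, the `StringLike` and `StringEquals` conditions mean a `GenerateDataKey` call with no encryption context, or one from a trail in another account, is implicitly denied even though the principal and action match, so the condition values have to name the trail ARNs that will actually write to the bucket. In Terraform, besides `"Resource": "*"`, the policy can be kept out of `aws_kms_key` and attached with a separate `aws_kms_key_policy` resource, which may reference the key's ARN without a cycle.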