
Questions tagged with Amazon CloudTrail


powershell cloudtrail trying to get instance id from requestparameters

I am trying to pull instance Id and other parameters from cloudtrail using ps like so

    $results = Find-CTEvent -StartTime (Get-Date).AddMinutes(-30) | ? {$_.EventName -eq "TerminateInstances"}

The CloudTrailEvent payload of the result looks like this:

    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "xx",
        "arn": "arn:aws:iam::462518063128:user/awslab1",
        "accountId": "xxx",
        "accessKeyId": "xx",
        "userName": "awslab1",
        "sessionContext": {
          "sessionIssuer": {},
          "webIdFederationData": {},
          "attributes": {"creationDate": "2022-05-27T14:28:44Z", "mfaAuthenticated": "false"}
        }
      },
      "eventTime": "2022-05-27T17:04:12Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "TerminateInstances",
      "awsRegion": "us-west-1",
      "sourceIPAddress": "AWS Internal",
      "userAgent": "AWS Internal",
      "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-07efe3d31ef2cef02"}]}},
      "responseElements": {
        "requestId": "dde64a51-2fd6-40ef-b9d6-06fde8a2abd9",
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-07efe3d31ef2cef02",
              "currentState": {"code": 32, "name": "shutting-down"},
              "previousState": {"code": 16, "name": "running"}
            }
          ]
        }
      },
      "requestID": "dde64a51-2fd6-40ef-b9d6-06fde8a2abd9",
      "eventID": "dfc1fa38-c5db-401d-9ac9-11cd5ab41dd8",
      "readOnly": false,
      "eventType": "AwsApiCall",
      "managementEvent": true,
      "recipientAccountId": "462518063038",
      "eventCategory": "Management",
      "sessionCredentialFromConsole": "true"
    }

then convertfrom json

    $results.CloudTrailEvent | ConvertFrom-Json

    eventVersion                 : 1.08
    userIdentity                 : @{type=IAMUser; principalId=xxxx; arn=arn:aws:iam::462518063128:user/awslab1; accountId=xx; accessKeyId=xxxx; userName=awslab1; sessionContext=}
    eventTime                    : 5/27/2022 5:04:12 PM
    eventSource                  : ec2.amazonaws.com
    eventName                    : TerminateInstances
    awsRegion                    : us-west-1
    sourceIPAddress              : AWS Internal
    userAgent                    : AWS Internal
    requestParameters            : @{instancesSet=}
    responseElements             : @{requestId=dde64a51-2fd6-40ef-b9d6-06fde8a2abd9; instancesSet=}
    requestID                    : dde64a51-2fd6-40ef-b9d6-06fde8a2abd9
    eventID                      : dfc1fa38-c5db-401d-9ac9-11cd5ab41dd8
    readOnly                     : False
    eventType                    : AwsApiCall
    managementEvent              : True
    recipientAccountId           : 462518061234
    eventCategory                : Management
    sessionCredentialFromConsole : true

But the requestParameters : @{instancesSet=} is missing instance id and other values, any idea?
0 answers · 0 votes · 4 views · asked a day ago

What is the suggested method to track user's actions after assuming a cross-account role

I need to be able to guarantee that a user's actions can always be traced back to their account regardless of which role they have assumed in another account. What methods are required to guarantee this for:

  * Assuming a cross-account role in the console
  * Assuming a cross-account role via the cli

I have run tests and can see that when a user assumes a role in the CLI, temporary credentials are generated. These credentials are seen in CloudTrail logs under responseElements.credentials for the assumeRole event. All future events generated by actions taken in the session include the accessKeyId and I can therefore track all of the actions in this case.

Using the web console, the same assumeRole event is generated, also including an accessKeyId. Unfortunately, future actions taken by the user don't include the same accessKeyId. At some point a different access key is generated and the session makes use of this new key. I can't find any way to link the two and therefore am not sure of how to attribute actions taken by the role to the user that assumed the role.

I can see that when assuming a role in the console, the user can't change the sts:sessionName and this is always set to their username. Is this the suggested method for tracking actions? Whilst this seems appropriate for roles within the same account, as usernames are not globally unique I am concerned about using this for cross account attribution. It seems placing restrictions on the value of sts:sourceIdentity is not supported when assuming roles in the web console.
1 answers · 2 votes · 62 views · asked 13 days ago
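The two questions above both come down to reading fields out of a CloudTrail record: the nested requestParameters that ConvertFrom-Json only displays as @{instancesSet=} (the values are parsed, the default table view just does not expand nested objects), and the userIdentity block that says who acted. The following Python is an added example, not code from either post: it parses constructed records shaped like the TerminateInstances event quoted in the first question (account ids, key ids, instance ids and the session name "alice" are placeholders), extracts the instance ids, and for an AssumedRole identity pulls the role session name and sourceIdentity out of the ARN and sessionContext, which is the attribution handle the second question asks about.

```python
"""Parse a CloudTrail record: nested request parameters plus caller attribution.

Added example, not code from the re:Post questions. Records below are constructed
samples; account ids, key ids, instance ids and session names are placeholders.
"""
import json

# Constructed: an IAM user terminating an instance (shape of the first question's event).
IAM_USER_EVENT = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/awslab1",
        "accountId": "111111111111",
        "accessKeyId": "AKIAEXAMPLE",
        "userName": "awslab1",
    },
    "eventTime": "2022-05-27T17:04:12Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0123456789abcdef0", "currentState": {"code": 32, "name": "shutting-down"}}]}},
})

# Constructed: the same call made through an assumed cross-account role (second question).
ASSUMED_ROLE_EVENT = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE:alice",
        "arn": "arn:aws:sts::222222222222:assumed-role/AdminRole/alice",
        "accountId": "222222222222",
        "accessKeyId": "ASIAEXAMPLE",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::222222222222:role/AdminRole",
                              "userName": "AdminRole"},
            "attributes": {"creationDate": "2022-05-27T14:28:44Z", "mfaAuthenticated": "true"},
        },
    },
    "eventTime": "2022-05-27T17:10:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaaaaaaaaaaaaaa1"},
                                                     {"instanceId": "i-0bbbbbbbbbbbbbbb2"}]}},
})


def instance_ids(record: dict) -> list:
    """Instance ids named in requestParameters.instancesSet.items (EC2 *Instances calls)."""
    items = record.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items if "instanceId" in item]


def actor(record: dict) -> dict:
    """Who made the call, taken from userIdentity.

    For AssumedRole the ARN has the form arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION;
    the session name (and sessionContext.sourceIdentity, when the role was assumed with
    one) is what links the session's later events back to the caller.
    """
    ident = record["userIdentity"]
    kind = ident.get("type")
    out = {"type": kind, "accountId": ident.get("accountId"), "accessKeyId": ident.get("accessKeyId")}
    if kind == "IAMUser":
        out["principal"] = ident.get("userName")
    elif kind == "AssumedRole":
        _, role, session = ident["arn"].rsplit("/", 2)
        out["role"] = role
        out["sessionName"] = session
        ctx = ident.get("sessionContext", {})
        out["roleArn"] = ctx.get("sessionIssuer", {}).get("arn")
        out["sourceIdentity"] = ctx.get("sourceIdentity")  # None unless set at AssumeRole time
    return out


def summarise(raw_json: str) -> dict:
    """One triage line per record: what was called, by whom, on which instances."""
    record = json.loads(raw_json)
    return {"eventName": record["eventName"], "actor": actor(record), "instances": instance_ids(record)}


if __name__ == "__main__":
    for raw in (IAM_USER_EVENT, ASSUMED_ROLE_EVENT):
        print(json.dumps(summarise(raw), indent=2))
```

In PowerShell the equivalent of instance_ids is simply $evt.requestParameters.instancesSet.items.instanceId on the object ConvertFrom-Json returns; the nested values are there even though the summary view prints @{instancesSet=}.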

Manual remediation config works, automatic remediation config fails

SOLVED! There was a syntax problem in the runbook, that is not detected when manually remediating. In the content of the remediation doc (that was created using Cloudformation), I used a parameter declaration:

    parameters:
      InstanceID:
        type: 'AWS::EC2::Instance::Id'

It should be:

    parameters:
      InstanceID:
        type: String

=====================================================================================

I have a remediation runbook that creates Cloudwatch alarms for the metric 'CPUUtilization' for any EC2 instances that have none defined. The runbook is configured as a remediation document for a config rule that checks for the absence of such alarms. When I configure the remediation on the rule as manual, all goes well. When I configure the remediation with the exact same runbook as automatic, the remediation fails with this error (snippet):

    "StepDetails": [
        {
            "Name": "Initialization",
            "State": "FAILED",
            "ErrorMessage": "Invalid Automation document content for Create-CloudWatch-Alarm-EC2-CPUUtilization",
            "StartTime": "2022-05-09T17:30:02.361000+02:00",
            "StopTime": "2022-05-09T17:30:02.361000+02:00"
        }
    ],

This is the remediation configuration for the automatic remediation. The only difference with the manual remediation configuration is obviously the value for key "Automatic" being "false":

    {
        "RemediationConfigurations": [
            {
                "ConfigRuleName": "rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists",
                "TargetType": "SSM_DOCUMENT",
                "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
                "TargetVersion": "$DEFAULT",
                "Parameters": {
                    "AutomationAssumeRole": { "StaticValue": { "Values": [ "arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch" ] } },
                    "ComparisonOperator": { "StaticValue": { "Values": [ "GreaterThanThreshold" ] } },
                    "InstanceID": { "ResourceValue": { "Value": "RESOURCE_ID" } },
                    "Period": { "StaticValue": { "Values": [ "300" ] } },
                    "Statistic": { "StaticValue": { "Values": [ "Average" ] } },
                    "Threshold": { "StaticValue": { "Values": [ "10" ] } }
                },
                "Automatic": true,
                "MaximumAutomaticAttempts": 5,
                "RetryAttemptSeconds": 60,
                "Arn": "arn:aws:config:eu-west-2:123456789012:remediation-configuration/rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists/5e3a81a7-fc55-4cbe-ad75-6b27be8da79a"
            }
        ]
    }

The error message is rather cryptic, I can't find documentation on possible root causes. Any suggestions would be very welcome! Thanks!
1 answers · 0 votes · 10 views · asked 20 days ago

Cloudtrail event notifications

Hello, we have configured a Control Tower landing zone and enrolled tens of accounts in our organization. We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in the organization and be notified when the action occurs via Slack or Pagerduty. Is there any out of box solution or recommended approach? I am considering two approaches:

1. Listen to the Cloudtrail S3 logs bucket. Create an account which will have read only access to the cloudtrail logs S3 bucket in the Log Archive account. A Lambda function will be triggered on new records in the bucket. It will download the files from S3 and parse the events. The huge disadvantage is that it'll have to parse all cloudtrail entries, which could be expensive and inefficient.

2. Aggregate events using EventBridge buses. Create a dedicated account "Audit Notifications" where there will be an EventBridge event bus aggregating matched events from all other accounts. In the "Audit Notifications" account there will be an event rule with a Lambda target forwarding matched events from all accounts to Slack/Pagerduty/... An event rule forwarding matched events to the Event Bus target in "Audit Notifications" will be deployed into each governed region in each member account. Similar to what is described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/

I favor the second approach, but maybe there are some other options. thanks
1 answers · 0 votes · 30 views · asked 4 months ago