Questions tagged with AWS CloudTrail


Failure in CloudFormation template [CommandRunner] while running CLI command for CloudTrail

Hi Guys, I am trying to run a CLI command to update a CloudTrail, but the stack is failing. The requirement is to apply advanced data events to an existing CloudTrail. Please find the details of the CF template below:

1. CF template

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  UpdateTrail:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      Role: ec2-role-name
      SubnetId: subnet-XXXXXXXXX
      LogGroup: log-group-name
      Command: aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX \ --advanced-event-selectors....
```

2. Error

```
Resource handler returned message: "Either the command failed to execute, the value written to /command-output.txt was invalid or the Subnet specified did not have internet access. The value written to /command-output.txt must be a non-empty single word value without quotation marks. Check cloud-init.log in the LogGroup specified for more information."
```

3. CLI command

```
aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors '[
  {
    "Name": "S3EventSelector",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["PutObject", "DeleteObject"] },
      { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX", "arn:aws:s3:::XX"] }
    ]
  }
]'
```

Note: the command runs successfully in the CLI. The prerequisites for CommandRunner are installed. Also, the subnet specified does have internet access. I sense it might be an issue with the command format, or maybe something else. Any assistance would be appreciated. Thanks

1 answer, 0 votes, 45 views. Pradnya, asked 15 days ago

Policies applied on organization trail logs bucket created by AWS Tower

Hello, We just set up AWS Tower on our organization. Everything ran smoothly, but we detected a strange policy applied by AWS Tower on the bucket responsible for aggregating CloudTrail trails from all of our organization. This bucket is located in the Log Archive account of the Tower architecture. The policy is:

```
{
  "Sid": "AWSBucketDeliveryForOrganizationTrail",
  "Effect": "Allow",
  "Principal": { "Service": "cloudtrail.amazonaws.com" },
  "Action": "s3:PutObject",
  "Resource": [
    "arn:aws:s3:::CLOUDTRAIL_BUCKET/ORGANIZATION_ID/AWSLogs/ORGANIZATION_ID/*"
  ]
}
```

This policy allows the `cloudtrail` service to push objects to the provided path. Out of curiosity, we tried to configure a CloudTrail trail located in a non-related AWS account (by non-related I mean an AWS account that doesn't belong to the AWS organization) to push data to this S3 path. And it worked. Is there any reason why this policy doesn't have a `condition` field to restrict access to accounts that belong to the organization, like:

```
"Condition": {
  "StringEquals": { "aws:PrincipalOrgID": ["ORGANIZATION_ID"] }
}
```

Our Tower landing zone version is 3.0. This version enabled an organization-based trail instead of account-based trails, so I think this policy has existed since this version. I know there are some not easily guessable variables (like the Org ID and the bucket name) in the process, but as a compliance tool, AWS Tower should restrict access to the organization itself, as it's restricted to it by design. Thanks for your time

0 answers, 1 vote, 39 views. Asked 17 days ago

KMS events are not being excluded from CloudTrail Management Events

Hi everyone! I recently struggled with some CloudTrail costs in my account. To give some context, I enabled DynamoDB Global Tables for two regions, using encryption with a CMK in the primary region and creating a replica of this key in the second one. The thing is, after setting up the global table, the CloudTrail costs started increasing significantly. I noticed that most of the events recorded were `Decrypt` events with the source IP address `replication.dynamodb.amazonaws.com`, and the event source was `kms.amazonaws.com`. As you might guess, the trail wasn't excluding AWS KMS events from management events, and after changing the configuration I expected those costs to decrease again, but they stay the same; also, the event history still shows management events from `kms.amazonaws.com`. **Is there something I might be missing?** This is the Terraform configuration I'm using for setting up CloudTrail.

```
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  insight_selector {
    insight_type = "ApiCallRateInsight"
  }

  event_selector {
    read_write_type                  = "All"
    include_management_events        = true
    exclude_management_event_sources = ["kms.amazonaws.com"]

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::DynamoDB::Table"
      values = ["arn:aws:dynamodb"]
    }
  }
}
```

1 answer, 0 votes, 61 views. Osain, asked 2 months ago