I'm working on analyzing CloudTrail events as they come in and when I was setting up a filter ( ignore events that are readOnly ) I was surpised to see the above events coming through. The event DescribePackage from the source codeartifact.amazonaws.com is not marked as a readOnly event. Does anyone know of a reason why this would be or is this an oversight on AWS's part? ( I removed some parts of the event below )
{
"eventVersion" : "1.08",
"userIdentity" : { },
"eventSource" : "codeartifact.amazonaws.com",
"eventName" : "DescribePackage",
"awsRegion" : "us-east-1",
"readOnly" : false,
"eventType" : "AwsApiCall",
"managementEvent" : true,
}
Great, thanks. While you are in there : ) This one seems like it could be readOnly as well, unless there's something it's doing that I'm missing ( I can open a new question if that's easier, let me know )
guardduty.amazonaws.com : GetRemainingFreeTrialDays
{ "eventVersion" : "1.08", "eventTime" : "2023-04-21T14:33:23Z", "eventSource" : "guardduty.amazonaws.com", "eventName" : "GetRemainingFreeTrialDays", "requestParameters" : { "detectorId" : "", "accountIds" : [ "", "****" ] }, "readOnly" : false, "eventType" : "AwsApiCall", "managementEvent" : true, "eventCategory" : "Management" }
Yes I would suggest opening a new question for GetRemainingFreeTrialDays and tag it with GuardDuty.