KMS events are not being excluded from CloudTrail Management Events


Hi everyone!

I recently struggled with some CloudTrail costs in my account. To give some context, I enabled DynamoDB Global Tables for two regions, using encryption with a CMK in the primary region and creating a replica of this key in the second one.

The thing is, after setting up the global table, the CloudTrail costs started to increase significantly. I noticed that most of the events recorded were Decrypt events with the source IP address replication.dynamodb.amazonaws.com and the event source kms.amazonaws.com. As you might guess, the trail wasn't excluding AWS KMS events for management events, and after changing the configuration I expected those costs to decrease again, but they stayed the same; also, the event history still shows management events from kms.amazonaws.com. Is there something I might be missing?

This is the Terraform configuration I'm using for setting up CloudTrail.

# Organization-wide "security" trail: multi-region, with log file
# validation and server-side encryption of the delivered log files.
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  insight_selector {
    insight_type = "ApiCallRateInsight"
  }

  # Basic (classic) event selector. Note that exclude_management_event_sources
  # only filters what the trail delivers to S3; it does not filter the
  # console's Event History view.
  event_selector {
    read_write_type                  = "All"
    include_management_events        = true
    exclude_management_event_sources = ["kms.amazonaws.com"]

    # Data events for every Lambda function in the account
    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }

    # Data events for every S3 object in every bucket
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    # Data events for every DynamoDB table (this is where GetRecords from the
    # global-table replication agent is recorded)
    data_resource {
      type   = "AWS::DynamoDB::Table"
      values = ["arn:aws:dynamodb"]
    }
  }
}

  • When you look at the trail in CloudTrail in the AWS Console under the "Management Events" section do you see that KMS Events are being excluded?

  • Hi @MiguelUT! Thanks for answering! Yes, I see the option for excluding KMS events from management events as enabled (with the "Yes" option).

Osain
asked 2 years ago, 655 views
1 Answer
Accepted Answer

If you are using the "Event History" feature to view events in the CloudTrail console, you are not able to exclude KMS events from that dashboard. See the note in Logging management events for trails in the Management Events section. However, you should not see those events showing up in the S3 bucket where the trail events are stored.

AWS
answered 2 years ago
Expert
reviewed 1 month ago
  • You're right. Thanks to Athena I was able to see the real events that are causing the high costs, which are the GetRecords events by the agent replication.dynamodb.amazonaws.com from the main and the replica region. Is there a way to filter those events from being tracked by CloudTrail? I think one option could be reducing the tracking scope to the main DynamoDB table and selecting to save just write operations.

  • The GetRecords event is a data event (as opposed to a management event). See Logging data events for trails for information on how to set up an advanced selector for your events.

  • Thanks! That solved the issue, I ended up using advanced selectors for excluding the needed events. Thanks, Miguel!
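The resolution above (advanced event selectors that keep management events minus KMS, and DynamoDB data events minus the replication agent's GetRecords reads) in Terraform form, as an added example that is not the original poster's configuration. It reuses the `var.supervising_cloudtrail` variable from the question; the selector names and the choice to exclude `GetRecords` by `eventName` are assumptions drawn from the thread, not a documented AWS recommendation. `advanced_event_selector` and `event_selector` are mutually exclusive on `aws_cloudtrail`, so the classic `event_selector` block from the question has to be removed when switching.

```hcl
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  insight_selector {
    insight_type = "ApiCallRateInsight"
  }

  # Management events from every service except KMS. For management events,
  # eventSource only supports NotEquals against kms.amazonaws.com and
  # rdsdata.amazonaws.com; the KMS Decrypt calls made by the DynamoDB
  # replication agent fall under this exclusion.
  advanced_event_selector {
    name = "Management events without KMS"

    field_selector {
      field  = "eventCategory"
      equals = ["Management"]
    }

    field_selector {
      field      = "eventSource"
      not_equals = ["kms.amazonaws.com"]
    }
  }

  # DynamoDB data events for all tables, minus the GetRecords reads that the
  # global-table replication agent issues on both regions. Assumed filter
  # choice: drop by eventName. An alternative, matching the poster's
  # "write operations only" idea, would be a field_selector with
  # field = "readOnly" and equals = ["false"] instead of the eventName filter.
  advanced_event_selector {
    name = "DynamoDB data events without replication GetRecords"

    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }

    field_selector {
      field  = "resources.type"
      equals = ["AWS::DynamoDB::Table"]
    }

    field_selector {
      field      = "eventName"
      not_equals = ["GetRecords"]
    }
  }

  # Keep the S3 and Lambda data-event coverage the classic selector had.
  advanced_event_selector {
    name = "All S3 object data events"

    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }

    field_selector {
      field  = "resources.type"
      equals = ["AWS::S3::Object"]
    }
  }

  advanced_event_selector {
    name = "All Lambda function data events"

    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }

    field_selector {
      field  = "resources.type"
      equals = ["AWS::Lambda::Function"]
    }
  }
}
```

Two checks worth doing after `terraform apply`: first, `aws cloudtrail get-event-selectors --trail-name security` should now return `AdvancedEventSelectors` with the filters above and no classic `EventSelectors`; second, query the trail's S3 logs (Athena, as the poster did) rather than the console's Event History, because Event History shows only management events and never applies a trail's exclusions, so it will keep showing KMS Decrypt calls while the high-volume GetRecords data events never appear there at all.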
