Hey all,
I'm trying to update my CloudTrail trail with a CloudWatch Log Group. I first create an IAM Role (that will be assumed by CloudTrail), then create the CloudWatch Group and run the update_trail Boto3 API call. The error I receive when trying to update is:
"errorCode": "InvalidCloudWatchLogsRoleArnException"
"errorMessage": "Access denied. Check the trust relationships for your role."
The API request extracted from CloudTrail itself looks like:
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "<principal_id>:auto-remediate-dev",
    "arn": "<sts_arn>",
    "accountId": "<acc_num>",
    "accessKeyId": "<access_key>",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "<principal_id>",
        "arn": "arn:aws:iam::<acc_num>:role/auto-remediate-dev-AutoRemediate-<region>-lambdaRole",
        "accountId": "<acc_num>",
        "userName": "auto-remediate-dev-AutoRemediate-<region>-lambdaRole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-05-15T09:13:30Z"
      }
    }
  },
  "eventTime": "2019-05-15T09:58:20Z",
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail",
  "awsRegion": "<region>",
  "sourceIPAddress": "13.238.217.58",
  "userAgent": "Boto3/1.9.42 Python/3.7.3 Linux/4.14.109-80.92.amzn1.x86_64 exec-env/AWS_Lambda_python3.7 Botocore/1.12.42",
  "errorCode": "InvalidCloudWatchLogsRoleArnException",
  "errorMessage": "Access denied. Check the trust relationships for your role.",
  "requestParameters": {
    "name": "MaratTest",
    "cloudWatchLogsLogGroupArn": "arn:aws:logs:<region>:<acc_num>:log-group:/aws/cloudtrail/MaratTest:*",
    "cloudWatchLogsRoleArn": "arn:aws:iam::<acc_num>:role/CloudTrail-CloudWatchLogs-MaratTest"
  },
  "responseElements": null,
  "requestID": "3244c931-3892-4fca-9664-df38cdb3be54",
  "eventID": "0d5a1e82-95be-46b5-a430-91a407bd7b13",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "recipientAccountId": "<acc_num>"
}
The strange thing about this is, when I use the exact same IAM Role and CloudWatch Log Group but initiate the CloudTrail update via the console, it all works perfectly, and the exact same API request is captured by CloudTrail but is successful this time.
I'm not sure what the error could be and nothing I've researched has helped me find the right solution. Any help would be greatly appreciated.
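The role-creation and update_trail sequence described in the question, as an added example that is not code from the original post: it builds a trust policy that lets only cloudtrail.amazonaws.com assume the delivery role, scopes the role's permissions to the one log group, and retries update_trail on InvalidCloudWatchLogsRoleArnException on the assumption that a role created moments earlier may not yet be visible to CloudTrail. The trail, role and log group names, the "cloudtrail-logs" policy name and simulated_update_trail are assumptions for illustration.

```python
# Added example (not the original poster's code); names below are assumed.
import json
import time

ROLE_NOT_READY = "InvalidCloudWatchLogsRoleArnException"

def cloudtrail_trust_policy() -> dict:
    # Only the CloudTrail service principal may assume the delivery role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "cloudtrail.amazonaws.com"}}]}

def logs_delivery_policy(log_group_arn: str) -> dict:
    # Least privilege: write streams and events only to this log group.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": log_group_arn,
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]}]}

def call_with_retry(fn, attempts=6, delay=5.0, sleep=time.sleep):
    # Retry only the role-not-ready error; any other error is a real failure.
    for i in range(attempts):
        try:
            return fn()
        except Exception as exc:  # botocore ClientError exposes .response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != ROLE_NOT_READY or i == attempts - 1:
                raise
            sleep(delay)

def simulated_update_trail(failures: int):
    # Offline stand-in for update_trail: fails `failures` times, then succeeds.
    calls = [0]
    def fn():
        calls[0] += 1
        if calls[0] <= failures:
            exc = Exception(ROLE_NOT_READY)
            exc.response = {"Error": {"Code": ROLE_NOT_READY}}
            raise exc
        return {"Name": "MaratTest", "calls": calls[0]}
    return fn

def attach_log_group(trail: str, role_name: str, log_group_arn: str) -> dict:
    import boto3  # imported here so the helpers above run without AWS access
    iam, ct = boto3.client("iam"), boto3.client("cloudtrail")
    role = iam.create_role(RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(cloudtrail_trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="cloudtrail-logs",
        PolicyDocument=json.dumps(logs_delivery_policy(log_group_arn)))
    return call_with_retry(lambda: ct.update_trail(Name=trail,
        CloudWatchLogsLogGroupArn=log_group_arn,
        CloudWatchLogsRoleArn=role["Role"]["Arn"]))
```

The log group ARN passed to attach_log_group should keep the trailing ":*" exactly as in the request above, and the same retry wrapper applies to create_trail when the role is created in the same run.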