KMS events are not being excluded from CloudTrail Management Events


Hi everyone!

I recently struggled with some CloudTrail costs in my account. To give some context, I enabled DynamoDB Global Tables for two regions, using encryption with a CMK in the primary region and creating a replica of this key in the second one.

The thing is, after setting up the global table, the CloudTrail costs started increasing significantly. I noticed that most of the events recorded were Decrypt events with the source IP address replication.dynamodb.amazonaws.com and the event source kms.amazonaws.com. As you might guess, the trail wasn't excluding AWS KMS events from management events, and after changing the configuration I expected those costs to decrease again, but they stayed the same; also, the event history still shows management events from kms.amazonaws.com. Is there something I might be missing?

This is the Terraform configuration I'm using for setting up CloudTrail.

resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  insight_selector {
    insight_type = "ApiCallRateInsight"
  }

  event_selector {
    read_write_type                  = "All"
    include_management_events        = true
    exclude_management_event_sources = ["kms.amazonaws.com"]

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::DynamoDB::Table"
      values = ["arn:aws:dynamodb"]
    }
  }
}

  • When you look at the trail in CloudTrail in the AWS Console under the "Management Events" section, do you see that KMS events are being excluded?

  • Hi @MiguelUT! Thanks for answering! Yes, I see the option for excluding KMS events from management events as enabled (with the "Yes" option).

Osain
asked 2 years ago, 655 views
1 answer
Accepted answer

If you are using the "Event History" feature to view events in the CloudTrail console, you are not able to exclude KMS events from that dashboard. See the note in Logging management events for trails in the Management Events section. However, you should not see those events showing up in your S3 bucket where the trail events are stored.

AWS
answered 2 years ago
Expert
reviewed 1 month ago
  • You're right. Thanks to Athena I was able to see the real events that are causing the high costs, which are the GetRecords events by the agent replication.dynamodb.amazonaws.com from the main and the replica region. Is there a way to filter those events from being tracked by CloudTrail? I think an option could be reducing the tracking scope to the main DynamoDB table and selecting to save just write operations.

  • The GetRecords event is a data event (as opposed to a management event). See Logging data events for trails for information on how to set up an advanced selector for your events.

  • Thanks! That solved the issue, I ended up using advanced selectors for excluding the needed events. Thanks, Miguel!
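One way to express both fixes from this thread in the asker's Terraform, as an added example that is not code from the thread: advanced selectors replace the event_selector block entirely (the AWS provider does not accept both on one trail), keep management events while excluding kms.amazonaws.com, and log only DynamoDB write operations so the read-only GetRecords calls from the replication agent are not recorded. The variable names are the ones from the question; the insight_selector and the Lambda/S3 data selectors are left out for brevity.

```hcl
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  # Management events minus the KMS Decrypt calls. With advanced selectors
  # this takes the place of exclude_management_event_sources.
  advanced_event_selector {
    name = "Management events except KMS"
    field_selector {
      field  = "eventCategory"
      equals = ["Management"]
    }
    field_selector {
      field      = "eventSource"
      not_equals = ["kms.amazonaws.com"]
    }
  }

  # DynamoDB data events restricted to writes. GetRecords is read-only, so
  # the replication agent's polling no longer lands in the S3 bucket.
  # To drop only that call and keep other reads, use
  #   field = "eventName", not_equals = ["GetRecords"]
  # in place of the readOnly selector.
  advanced_event_selector {
    name = "DynamoDB write operations only"
    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::DynamoDB::Table"]
    }
    field_selector {
      field  = "readOnly"
      equals = ["false"]
    }
  }

  # Lambda and S3 data events each need one more selector shaped like the
  # one above, with resources.type set to AWS::Lambda::Function or
  # AWS::S3::Object respectively (omitted here).
}
```

Note that advanced selectors only log the resource types you list explicitly, so any data event type missing from the selectors is silently dropped rather than kept from the old basic configuration.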
