Sunday, July 18, 2021

Notes on customising AWS Input Transformer output for CloudTrail Event notifications



In the previous article I wrote about using AWS CloudWatch to send a notification through SNS whenever a new IAM user is created.


But when the notification arrives, the body of the mail looks like this:



{"version":"0","id":"baf019d3-e9ce-73cf-8248-342029a1c773","detail-type":"AWS API Call via CloudTrail","source":"aws.iam","account":"838212984580","time":"2021-06-30T07:45:33Z","region":"us-east-1","resources":[],"detail":{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"AIDAIRJWANII4AJY47KV4","arn":"arn:aws:iam::938212984580:user/sakana","accountId":"847212984580","accessKeyId":"ASIA4K7LPAMDNYEVZOBN","userName":"sakana","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"creationDate":"2021-06-30T04:10:47Z","mfaAuthenticated":"true"}}},"eventTime":"2021-06-30T07:45:33Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","awsRegion":"us-east-1","sourceIPAddress":"xxx.32.yy.195","userAgent":"console.amazonaws.com","requestParameters":{"userName":"demouser","tags":[]},"responseElements":{"user":{"path":"/","userName":"demouser","userId":"AEDA4K7LPAMCPHPLSOBYA","arn":"arn:aws:iam::843212934570:user/demouser","createDate":"Jun 30, 2021 7:45:33 AM"}},"requestID":"5b86b4d1-c23b-48b0-9de3-f33803aefe96","eventID":"322fea0c-93ac-43f3-9786-a596fe121a6a","readOnly":false,"eventType":"AwsApiCall","managementEvent":true,"recipientAccountId":"838212984581","eventCategory":"Management"}}


Receiving the mail does tell you that IAM has changed, but it is still hard to read. I want to be able to grasp the situation quickly when the mail arrives; the parts highlighted in colour above are the information I want to pull out.

I asked a Partner and got a solution, which I am noting down here.



First, go to Event history in AWS CloudTrail to look at the relevant information.

  • Match it against the notification you received, and decide what you want displayed afterwards:

    • under userIdentity:

      • accountId

      • userName

    • eventName

    • awsRegion

    • sourceIPAddress

    • userName under responseElements.user


{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "BIDAJ6LK4OH4WD54F3P5U",
        "arn": "arn:aws:iam::732126821902:user/sakana",
        "accountId": "783127531104",
        "accessKeyId": "ASBA2MGTTSNQFXSELCEQ",
        "userName": "sakana",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "true",
                "creationDate": "2021-07-14T14:17:37Z"
            }
        }
    },
    "eventTime": "2021-07-14T14:49:32Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "210.85.244.27",
    "userAgent": "console.amazonaws.com",
    "requestParameters": {
        "userName": "test2021071401",
        "tags": []
    },
    "responseElements": {
        "user": {
            "path": "/",
            "userName": "test2021071401",
            "userId": "AIDA3MGTTTNQMPPHXXTVQ",
            "arn": "arn:aws:iam::782127831904:user/test2021071401",
            "createDate": "Jul 14, 2021 2:49:32 PM"
        }
    },
    "requestID": "7ea3d0b0-4071-4faf-b8e5-afff56ff443d",
    "eventID": "849d37e2-1235-46bc-8398-2b3eda5c325c",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "683125831904"
}


The approach is to open AWS CloudWatch in Region: Virginia (the earlier Events Rule was set up there).

Edit the Rule created earlier (or set this up when creating a new Rule).

For Targets we previously used an SNS topic. In the Configure input section,

change the default Matched event to Input Transformer.



Input Transformer has 2 fields in total:

  • Input Path

    • defines the key-value variables to extract from the event

  • Input Template

    • the content to display, using those variables


In the Input Path, remember to prefix each path with $.detail.

Below is the Input Path used in this setup:


{
    "AccountID": "$.detail.userIdentity.accountId",
    "Staff-userName": "$.detail.userIdentity.userName",
    "sourceIPAddress": "$.detail.sourceIPAddress",
    "eventTime": "$.detail.eventTime",
    "Region": "$.detail.awsRegion",
    "eventName": "$.detail.eventName",
    "Target-userName": "$.detail.responseElements.user.userName"
}


  • extract userIdentity.accountId and name it AccountID

  • extract userIdentity.userName and name it Staff-userName

  • extract sourceIPAddress and name it sourceIPAddress

  • extract eventTime and name it eventTime

  • extract awsRegion and name it Region

  • extract eventName and name it eventName

  • extract responseElements.user.userName and name it Target-userName

  • before doing this, check the relevant fields in your CloudWatch Event history


Next is the Input Template, which is simpler: it is the body of the notification mail, with each &lt;Name&gt; replaced by the variable of that name from the Input Path.

Below is the template used in this setup:


"這是來自雲端課的通知,偵測到Assume Role行為"

"AccountID: <AccountID>"

"Region:<Region>"

"同仁帳號: <Staff-userName>"

"EventTime: <eventTime>"

"SourceIP: <sourceIPAddress>"

"EventName: <eventName>"

"目標帳號名稱: <Target-userName>"



And here is an example of the mail that arrives:


"這是來自雲端課的通知,偵測到Assume Role行為"

"AccountID: 762327821902"

"Region:us-east-1"

"建立者: sakana"

"EventTime: 2021-07-14T15:22:28Z"

"SourceIP: 210.59.244.94"

"EventName: CreateUser"

"目標帳號名稱: test2021071403"
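As an added example (not code from the original post), here is a small Python script that applies the Input Path map and Input Template above to a constructed CloudTrail CreateUser event, so the mail body can be checked offline before the rule target is changed. The dotted-path resolver and the empty-string fallback for unresolved paths are this script's own simplifications, not documented EventBridge behaviour.

```python
# Added example, not from the post: offline check of an EventBridge Input
# Transformer. Only dotted `$.a.b.c` paths are supported, and rendering an
# unresolved path as "" is this script's simplification (assumption), not
# documented EventBridge behaviour.
import re

INPUT_PATHS = {  # keys become the <Name> variables in the template
    "AccountID": "$.detail.userIdentity.accountId",
    "Staff-userName": "$.detail.userIdentity.userName",
    "sourceIPAddress": "$.detail.sourceIPAddress",
    "eventTime": "$.detail.eventTime",
    "Region": "$.detail.awsRegion",
    "eventName": "$.detail.eventName",
    "Target-userName": "$.detail.responseElements.user.userName",
}

INPUT_TEMPLATE = "\n".join([  # the post's template, strings kept verbatim
    '"這是來自雲端課的通知,偵測到Assume Role行為"',
    '"AccountID: <AccountID>"',
    '"Region:<Region>"',
    '"同仁帳號: <Staff-userName>"',
    '"EventTime: <eventTime>"',
    '"SourceIP: <sourceIPAddress>"',
    '"EventName: <eventName>"',
    '"目標帳號名稱: <Target-userName>"',
])

# Constructed sample: the EventBridge envelope around a CloudTrail record
# (account ID and source IP are placeholders, not real values).
SAMPLE_EVENT = {"version": "0", "source": "aws.iam", "region": "us-east-1",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"userIdentity": {"type": "IAMUser", "accountId": "111122223333",
        "userName": "sakana"}, "eventTime": "2021-07-14T15:22:28Z",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.10",
        "responseElements": {"user": {"userName": "test2021071403"}}}}

def resolve_path(event, path):  # walk `$.a.b.c`; None if a segment is missing
    if not path.startswith("$."):
        raise ValueError(f"Input Path must start with '$.': {path}")
    node = event
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def transform(event, paths=INPUT_PATHS, template=INPUT_TEMPLATE):
    # Each <Name> in the template becomes the resolved value of paths[Name].
    values = {n: resolve_path(event, p) for n, p in paths.items()}
    sub = lambda m: "" if values.get(m.group(1)) is None else str(values[m.group(1)])
    return re.sub(r"<([\w-]+)>", sub, template)
```

Running transform(SAMPLE_EVENT) prints the same eight lines as the mail above, so a changed template or path can be reviewed before it reaches the SNS topic.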


One more step forward.


~ enjoy it

