Check for snapshot taken using programmatic access

Reply
L0 Member

Check for snapshot taken using programmatic access

I need to write a query to check for events of a snapshot taken using programmatic access :

 

event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.userIdentity.type = "Consolepassword"

Till now I have tried to do this, and I am pretty sure "json.rule = $.userIdentity.type = "Consolepassword" is 100% incorrect.

 

I need help on the second part to check if the user is using programmatic access or console access to take a snapshot.

Highlighted
L2 Linker

Re: Check for snapshot taken using programmatic access

Hi @APaul 

 

Looking into CloudTrail's options for the type field, I don't see an option for "Consolepassword" :

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity....

 

All types though do not differentiate consoel vs. API operation, just where did it come from, i.e. other account, AD, IAM, assumed role etc.

 

I think using JSON rule for eventtype might be more beneficial. More info on AWS page, look for eventType:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-content...

AwsApiCall – An API was called.

AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own.

AwsConsoleSignin – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.

 

So consider doing:

event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.eventType = "AwsApiCall"

In addition, you can add a filter to include specific email addresses with MATCHES or excluding specific known users from the output.

 

Did that help?

 

L0 Member

Re: Check for snapshot taken using programmatic access

Hi @SRohatyn ,

 

Thanks a lot for your valuable inputs and related reference links. I am able to get the result with little modification.

event where cloud.type = 'aws' AND operation = 'CreateSnapshot' AND json.rule != (( $.userAgent = 'signin.amazonaws.com' ) OR ($.userAgent = 'console.amazonaws.com' ))

This is giving me the desired results. A big thanks for your help.

L2 Linker

Re: Check for snapshot taken using programmatic access

You're very welcome. Thanks for the update with what works for you.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!