08-01-2019 12:19 AM - last edited on 09-02-2020 10:17 AM by kwadsack
I need to write a query to check for events of a snapshot taken using programmatic access:
event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.userIdentity.type = "Consolepassword"
Till now I have tried to do this, and I am pretty sure 'json.rule = $.userIdentity.type = "Consolepassword"' is 100% incorrect.
I need help on the second part to check if the user is using programmatic access or console access to take a snapshot.
08-01-2019 01:47 AM
Hi @APaul
Looking into CloudTrail's options for the type field, I don't see an option for "Consolepassword":
All types though do not differentiate console vs. API operation, just where it came from, i.e. other account, AD, IAM, assumed role etc.
I think using JSON rule for eventtype might be more beneficial. More info on AWS page, look for eventType:
AwsApiCall – An API was called.
AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own.
AwsConsoleSignin – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.
So consider doing:
event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.eventType = "AwsApiCall"
In addition, you can add a filter to include specific email addresses with MATCHES or excluding specific known users from the output.
Did that help?
08-05-2019 12:34 AM
Hi @SRohatyn,
Thanks a lot for your valuable inputs and related reference links. I am able to get the result with a little modification.
event where cloud.type = 'aws' AND operation = 'CreateSnapshot' AND json.rule != (( $.userAgent = 'signin.amazonaws.com' ) OR ($.userAgent = 'console.amazonaws.com' ))
This is giving me the desired results. A big thanks for your help.
08-05-2019 12:37 AM
You're very welcome. Thanks for the update with what works for you.
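The distinction the thread settles on, as an added example that is not part of any poster's reply: a Python filter over constructed CloudTrail records that keeps CreateSnapshot events whose userAgent is not one of the two console values from the working query, next to the eventType filter for comparison. The sample records and function names are made up for illustration, and the records assume that console-driven calls are also logged with eventType AwsApiCall.

```python
import json

# Console user agents taken from the working query in the thread.
CONSOLE_USER_AGENTS = {"signin.amazonaws.com", "console.amazonaws.com"}

# Constructed CloudTrail records (not real log data), trimmed to the fields used.
# Assumption: console-driven calls are logged with eventType "AwsApiCall" too.
SAMPLE_EVENTS = json.loads("""[
  {"eventName": "CreateSnapshot", "eventType": "AwsApiCall",
   "userAgent": "console.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
  {"eventName": "CreateSnapshot", "eventType": "AwsApiCall",
   "userAgent": "aws-cli/1.16.200 Python/3.7.3 botocore/1.12.190",
   "userIdentity": {"type": "IAMUser", "userName": "backup-svc"}},
  {"eventName": "CreateSnapshot", "eventType": "AwsApiCall",
   "userAgent": "signin.amazonaws.com",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"}},
  {"eventName": "DescribeSnapshots", "eventType": "AwsApiCall",
   "userAgent": "Boto3/1.9.190 Python/3.7.3",
   "userIdentity": {"type": "IAMUser", "userName": "backup-svc"}}
]""")

def is_console(event):
    """True when userAgent is a console value. The field is set by the
    calling client, so this is a heuristic rather than proof of origin."""
    return event.get("userAgent", "") in CONSOLE_USER_AGENTS

def principal(event):
    """Best available caller name: IAM user name, else ARN, else identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def programmatic_snapshots(events, operation="CreateSnapshot"):
    """(caller, userAgent) for each `operation` event not made via the console."""
    return [(principal(e), e.get("userAgent", "")) for e in events
            if e.get("eventName") == operation and not is_console(e)]

def matched_by_event_type(events, operation="CreateSnapshot", event_type="AwsApiCall"):
    """Callers selected when filtering on eventType instead of userAgent."""
    return [principal(e) for e in events
            if e.get("eventName") == operation and e.get("eventType") == event_type]

if __name__ == "__main__":
    for who, agent in programmatic_snapshots(SAMPLE_EVENTS):
        print(f"programmatic CreateSnapshot by {who} via {agent}")
    print("eventType filter selects:", matched_by_event_type(SAMPLE_EVENTS))
```

On these records the userAgent filter isolates the single CLI call, while the eventType filter selects all three CreateSnapshot callers, console sessions included.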