Check for snapshot taken using programmatic access


Check for snapshot taken using programmatic access

L0 Member

I need to write a query to check for events of a snapshot taken using programmatic access:

event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.userIdentity.type = "Consolepassword"

Till now I have tried to do this, and I am pretty sure json.rule = $.userIdentity.type = "Consolepassword" is 100% incorrect.

I need help on the second part to check if the user is using programmatic access or console access to take a snapshot.

Accepted Solutions

L2 Linker

Hi @APaul 

Looking into CloudTrail's options for the type field, I don't see an option for "Consolepassword":

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity....

All types, though, do not differentiate console vs. API operation, just where it came from, i.e. another account, AD, IAM, assumed role, etc.

I think using a JSON rule for eventType might be more beneficial. More info is on the AWS page; look for eventType:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-content...

AwsApiCall – An API was called.

AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own.

AwsConsoleSignin – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.

So consider doing:

event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.eventType = "AwsApiCall"

In addition, you can add a filter to include specific email addresses with MATCHES, or to exclude specific known users from the output.

Did that help?

3 REPLIES

Hi @SRohatyn ,

Thanks a lot for your valuable inputs and related reference links. I am able to get the result with a little modification.

event where cloud.type = 'aws' AND operation = 'CreateSnapshot' AND json.rule != (( $.userAgent = 'signin.amazonaws.com' ) OR ($.userAgent = 'console.amazonaws.com' ))

This is giving me the desired results. A big thanks for your help.

You're very welcome. Thanks for the update with what works for you.
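The thread ends up separating console from programmatic access by userAgent rather than by eventType. The following is an added example in Python, not code from this forum or from Prisma Cloud, that applies the same rule to raw CloudTrail records so the logic can be checked outside of RQL. All records are constructed for the example. The two console userAgent values are the ones from the working query above; the CreateSnapshots operation and any further entries you might add to CONSOLE_USER_AGENTS are assumptions. The sample also shows why the eventType suggestion alone was not enough: console-initiated actions are recorded with eventType AwsApiCall as well, so only userAgent tells the two apart. A record with no userAgent is reported as unknown instead of being dropped.

```python
"""Separate console-initiated from programmatic snapshot creation in CloudTrail.

Added example (not the forum's or Prisma Cloud's code). A request is treated as
console access when its userAgent is one of the console agents from the working
query; everything else is programmatic. All sample records are constructed.
"""
import json

# userAgent values that mark a request as coming from the AWS Management Console.
# These are the two values from the working query. Assumption: extend the set if
# your own trails show other console-originated agents.
CONSOLE_USER_AGENTS = {"signin.amazonaws.com", "console.amazonaws.com"}

# EC2 API calls that create EBS snapshots. CreateSnapshot is the call from the
# final query; CreateSnapshots (multi-volume) is included as an assumption.
SNAPSHOT_OPERATIONS = {"CreateSnapshot", "CreateSnapshots"}

# Constructed sample records. Every one has eventType "AwsApiCall", including the
# console-initiated ones, so eventType alone cannot separate the two cases.
SAMPLE_RECORDS = [
    {"eventID": "evt-001", "eventName": "CreateSnapshot", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "evt-002", "eventName": "CreateSnapshot", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com",
     "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1 exe/x86_64 command/ec2.create-snapshot",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"}},
    {"eventID": "evt-003", "eventName": "CreateSnapshots", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com",
     "userAgent": "Boto3/1.28.0 md/Botocore#1.31.0 ua/2.0 os/linux python/3.11.4",
     "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AutomationRole/session"}},
    {"eventID": "evt-004", "eventName": "DescribeSnapshots", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "userAgent": "aws-cli/2.13.0 Python/3.11.4",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"}},
    {"eventID": "evt-005", "eventName": "CreateSnapshot", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com",  # userAgent deliberately absent
     "sourceIPAddress": "198.51.100.99",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "evt-006", "eventName": "CreateSnapshot", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "userAgent": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

# A CloudTrail log file wraps its records in {"Records": [...]}; constructed here.
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_RECORDS})


def load_records(log_text):
    """Parse the JSON body of a CloudTrail log file and return its record list."""
    return json.loads(log_text).get("Records", [])


def access_type(record):
    """Classify one record as 'console', 'programmatic' or 'unknown'."""
    agent = record.get("userAgent")
    if not agent:
        # A missing userAgent must not be mistaken for console access; surface it.
        return "unknown"
    return "console" if agent in CONSOLE_USER_AGENTS else "programmatic"


def actor(record):
    """Human-readable principal: userName for IAM users, the ARN otherwise."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "?")


def programmatic_snapshots(records):
    """Return snapshot-creating records that did not come from the console.

    Records with an unknown access type are kept on purpose: an equality test on
    userAgent says nothing about records that lack the field, and a detection
    should surface those rather than lose them.
    """
    return [r for r in records
            if r.get("eventName") in SNAPSHOT_OPERATIONS and access_type(r) != "console"]


def event_types(records):
    """The set of eventType values seen; here it is AwsApiCall across the board."""
    return {r.get("eventType") for r in records}


if __name__ == "__main__":
    for r in programmatic_snapshots(load_records(SAMPLE_LOG_TEXT)):
        print(f'{r["eventID"]} {r["eventName"]:16} {access_type(r):12} '
              f'{actor(r)} via {r.get("userAgent", "<no userAgent>")}')
```

Run as a script it lists evt-002, evt-003 and evt-005: the CLI call, the SDK call from an assumed role, and the record with no userAgent, while the two console-initiated snapshots and the DescribeSnapshots read are left out. The same record list can be fed from a real log file by replacing SAMPLE_LOG_TEXT with the file contents.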
