
Below is the event I received in S3 logs generated by CloudTrail:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AID...HVRL",
        "arn": "arn:aws:iam::233333337:user/Administrator",
        "accountId": "233333337",
        "accessKeyId": "abcd",
        "userName": "Administrator"
    },
    "eventTime": "2019-06-26T21:49:54Z",
    "eventSource": "acm.amazonaws.com",
    "eventName": "GetCertificate",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "64.xx.xx.224",
    "userAgent": "aws-sdk-go/1.20.3 (go1.12.6; darwin; amd64)",
    "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-2:233333337:certificate/23fffff-1fff4-bfff-6fffff"
    },
    "responseElements": {
        "certificateChain": "-----BEGIN CERTIFICATE-----\nMIID2zCCA...ZYIQ\u003d\u003d\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDrzC......Nh7d1A6k8\u003d\n-----END CERTIFICATE-----\n",
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIDpTC......8ilqQHRR80CEg\u003d\u003d\n-----END CERTIFICATE-----\n"
    },
    "requestID": "55600533-985c-11e9-8a21-a3d9a1ca5215",
    "eventID": "a50a8e95-972a-44aa-9c74-ddf59b12ccc8",
    "eventType": "AwsApiCall",
    "recipientAccountId": "285774445527"
}

This was after submitting an AWS SDK request to AWS Cert manager from my Mac laptop, but ifconfig on my Mac laptop does not show 64.xx.xx.224, whereas the event log has "sourceIPAddress" as "64.xx.xx.224".


What does sourceIPAddress indicate in this event?

John Rotenstein
overexchange

1 Answer


The IP address is the one from which the request originated, as seen by AWS.

Computers on a network typically have a local IP address (192.x or 10.x). When requests exit to the Internet, they will "appear" to come from the IP address associated with the router gateway. So, all traffic within a company will typically appear to come from the same IP address. Even traffic on a home network will go out on one public IP address.

The UserAgent does indicate that you used the Go SDK on a Mac, so it probably is your request. Therefore, trust that your requests do "appear" to be coming from that IP address.

John Rotenstein
  • Is this a NAT setup? – overexchange Jun 28 '19 at 02:13
  • Yes. CloudTrail will capture the source IP as seen by Amazon servers in the public internet. NAT devices can translate your IP between private/public networks and therefore change the visible IP address. Another (completely different) way to verify this behavior is to store the requestID from your SDK call and then compare it with the CloudTrail event. They should match. – Gaston May 28 '20 at 01:28
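
Added example, not part of the original answer or comments: a Go check that ties a CloudTrail event back to a client call by requestID and then places sourceIPAddress relative to the host, covering both the NAT explanation in the answer and the requestID comparison suggested in the comment. The function name `Correlate`, the LAN address 192.168.1.23 and the public address 203.0.113.24 are constructed for illustration (the page redacts the real IP); the `aws-service` branch goes beyond the thread and covers events where CloudTrail records an AWS service DNS name instead of an IP.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// trailEvent holds only the CloudTrail fields this check reads.
type trailEvent struct {
	SourceIPAddress string `json:"sourceIPAddress"`
	RequestID       string `json:"requestID"`
}

// Constructed sample: requestID as in the event above, sourceIPAddress replaced
// by a documentation-range address because the page redacts the real one.
const sampleEvent = `{"sourceIPAddress":"203.0.113.24","requestID":"55600533-985c-11e9-8a21-a3d9a1ca5215"}`

// Correlate reports whether the event is the call we made (request IDs match)
// and where its source address sits relative to this host: "local-interface"
// (an address ifconfig shows), "nat-egress" (the network's public address),
// "aws-service" (a service DNS name instead of an IP) or "unknown".
func Correlate(raw []byte, sdkRequestID string, localIPs []string, egressIP string) (bool, string, error) {
	var ev trailEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, "", err
	}
	// An empty client-side ID must never count as a match.
	match := sdkRequestID != "" && ev.RequestID == sdkRequestID
	src := net.ParseIP(ev.SourceIPAddress)
	if src == nil && strings.HasSuffix(ev.SourceIPAddress, ".amazonaws.com") {
		return match, "aws-service", nil
	}
	for _, l := range localIPs {
		if src != nil && src.Equal(net.ParseIP(l)) {
			return match, "local-interface", nil
		}
	}
	if src != nil && src.Equal(net.ParseIP(egressIP)) {
		return match, "nat-egress", nil
	}
	return match, "unknown", nil
}

func main() {
	// Hypothetical client-side values: private LAN address, router's public address.
	fmt.Println(Correlate([]byte(sampleEvent), "55600533-985c-11e9-8a21-a3d9a1ca5215", []string{"192.168.1.23"}, "203.0.113.24"))
}
```

A matching requestID with an `unknown` origin means the call was yours but left through an address you have not accounted for, such as a VPN or proxy; a non-matching requestID under your access key is the case worth investigating.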