I need to analyse all CloudTrail events within an account (actually multiple accounts, but restricting it to one for now) - however I don't have direct access to the S3 bucket where events are stored.
I need to find all events initiated by any role that fits a pattern. The reason for this is that I need to calculate the GuardDuty costs associated with the application that is making the API calls.
I have a script which works (it's just thrown together at the moment), however it's VERY slow as it's analysing millions of CloudTrail events.
Is there a better way to get the data I need?
```python
import boto3
from datetime import datetime
import json

session = boto3.Session(profile_name='<profile_name_here>')
client = session.client('cloudtrail')

total_events = 0
target_events = 0
start_time = datetime(2020, 1, 22)
# GuardDuty price per analysed CloudTrail management event (EUR)
guard_duty_cost = 0.0000044

# LookupEvents returns at most 50 events per call, so the page size is
# set through PaginationConfig; MaxResults above 50 is rejected by the API
paginator = client.get_paginator('lookup_events')
response_iterator = paginator.paginate(
    StartTime=start_time,
    PaginationConfig={'PageSize': 50},
)

for page_number, response in enumerate(response_iterator, start=1):
    events = response['Events']
    print('Processing response {}'.format(page_number))
    for event in events:
        total_events += 1
        # CloudTrailEvent is the full event record serialised as a JSON string
        cloudtrail_event_json = json.loads(event['CloudTrailEvent'])
        user_identity = cloudtrail_event_json.get('userIdentity', {})
        # sessionIssuer only exists for role sessions (AssumedRole); IAM user
        # sessions carry a sessionContext without it, so use .get() to avoid KeyError
        session_issuer = user_identity.get('sessionContext', {}).get('sessionIssuer', {})
        user_name = session_issuer.get('userName', '')
        if '<target_role_pattern>' in user_name:
            target_events += 1

total_cost = guard_duty_cost * total_events
target_cost = guard_duty_cost * target_events
print('Total number of events since {} is {} - cost EUR {}'.format(start_time, total_events, total_cost))
print('Number of target events since {} is {} - cost EUR {}'.format(start_time, target_events, target_cost))
```
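The following is an added example (not the poster's script) that separates the per-event filtering and cost tally from the LookupEvents call, so the classification logic can be exercised offline against constructed event records, including the identity shapes that would break a plain `['sessionContext']['sessionIssuer']['userName']` lookup (IAM user sessions, root). The role pattern is treated as a regular expression rather than a substring, the sample events are constructed here and are not real CloudTrail data, and `iter_lookup_events` is a hypothetical helper that only wraps the standard `lookup_events` paginator.

```python
import json
import re
from dataclasses import dataclass

# Price per analysed CloudTrail event, taken from the question's script (EUR)
GUARD_DUTY_COST_PER_EVENT = 0.0000044


@dataclass
class EventTally:
    total: int = 0
    target: int = 0

    def cost(self, price_per_event=GUARD_DUTY_COST_PER_EVENT):
        """Return (total_cost, target_cost) for the counted events."""
        return self.total * price_per_event, self.target * price_per_event


def issuing_role_name(record):
    """Return the name of the role that issued the session, or None.

    Only AssumedRole identities carry sessionContext.sessionIssuer of type
    Role; IAMUser, Root and service identities do not, so every level is
    read with .get() instead of indexing.
    """
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("type") != "Role":
        return None
    return issuer.get("userName")


def tally_events(events, role_pattern):
    """Count lookup_events records whose issuing role matches role_pattern (regex)."""
    matcher = re.compile(role_pattern)
    tally = EventTally()
    for event in events:
        tally.total += 1
        # CloudTrailEvent is the full record serialised as a JSON string
        record = json.loads(event["CloudTrailEvent"])
        name = issuing_role_name(record)
        if name is not None and matcher.search(name):
            tally.target += 1
    return tally


def iter_lookup_events(client, start_time, page_size=50):
    """Hypothetical helper: yield events from LookupEvents (50 per page is the API maximum)."""
    paginator = client.get_paginator("lookup_events")
    pages = paginator.paginate(StartTime=start_time, PaginationConfig={"PageSize": page_size})
    for page in pages:
        yield from page["Events"]


def _event(identity):
    """Wrap a constructed userIdentity in the shape lookup_events returns."""
    return {"CloudTrailEvent": json.dumps({"eventVersion": "1.08", "userIdentity": identity})}


# Constructed sample events (not real CloudTrail data): two application roles,
# one unrelated role, an MFA'd IAM user session and a root login
SAMPLE_EVENTS = [
    _event({"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "myapp-worker-role"}}}),
    _event({"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "myapp-api-role"}}}),
    _event({"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ops-admin-role"}}}),
    _event({"type": "IAMUser", "userName": "alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}),
    _event({"type": "Root"}),
]

if __name__ == "__main__":
    tally = tally_events(SAMPLE_EVENTS, r"^myapp-")
    total_cost, target_cost = tally.cost()
    print("total events: {} (EUR {:.7f})".format(tally.total, total_cost))
    print("target events: {} (EUR {:.7f})".format(tally.target, target_cost))
```

Against a live account, `tally_events(iter_lookup_events(client, start_time), r"^myapp-")` replaces the inline loop; the tally itself never touches the network, so the matching rule can be checked on a handful of constructed records before paying for a full pass over millions of events.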