
I need to get all the resources referenced by the action per each AWS event record. I use Python and cloudaux/boto. The documentation states a "resources" field: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html (although it does say it's optional).

In some Cloudtrail events, like Attach Role Policy as in the picture below, I can see the "resources referenced" in the console, but they are missing from the event record and when I fetch it via the API.

Is there any way to get them programmatically? The alternative would be to compute them manually from the request parameters / response, but it's structured differently for each type of event.


Idan

1 Answer

The CloudTrail LookupEvents API has resources for each event (where it is available) in the response. You will need to set LookupAttributes in the request body if you want to filter for specific event(s) in the response.

API reference

Boto3 reference

Here is a sample request/response (this was generated using the CLI, but it should be similar with API/boto3):

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AttachRolePolicy

{
    "Events": [
        {
            "EventId": "aaaa-aaaa-aaa",
            "EventName": "AttachRolePolicy",
            "ReadOnly": "false",
            "AccessKeyId": "AAAAAAAAA",
            "EventTime": "2022-12-12T04:55:30+00:00",
            "EventSource": "iam.amazonaws.com",
            "Username": "aaaa",
            "Resources": [
                {
                    "ResourceType": "AWS::IAM::Policy",
                    "ResourceName": "arn:aws:iam::aws:policy/AutoScalingConsoleReadOnlyAccess"
                },
                {
                    "ResourceType": "AWS::IAM::Role",
                    "ResourceName": "SampleRole"
                }
            ],
            "CloudTrailEvent": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AAAAAAAAA\",\"arn\":\"arn:aws:iam::1234567890:user/AAAAAAAAA\",\"accountId\":\"1234567890\",\"accessKeyId\":\"AAAAAAAAA\",\"userName\":\"kaustubh\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2022-12-12T04:52:13Z\",\"mfaAuthenticated\":\"true\"}}},\"eventTime\":\"2022-12-12T04:55:30Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"AttachRolePolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"AWS Internal\",\"userAgent\":\"AWS Internal\",\"requestParameters\":{\"roleName\":\"SampleRole\",\"policyArn\":\"arn:aws:iam::aws:policy/AutoScalingConsoleReadOnlyAccess\"},\"responseElements\":null,\"requestID\":\"aaaa-aaaa-aaa\",\"eventID\":\"aaaa-aaaa-aaa\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"1234567890\",\"eventCategory\":\"Management\",\"sessionCredentialFromConsole\":\"true\"}"
        }
    ]
}
Kaustubh Khavnekar
  • That doesn't solve my question - as I mentioned I'm aware of this field but it is missing in certain events (like the AttachedRolePolicy in the picture), even though it still shows in the UI. – Idan Dec 12 '22 at 18:17
  • @Idan the above sample response is taken from the API response for an actual `AttachRolePolicy` CloudTrail event (after removing potentially sensitive data like account ID). The API response should have the Resources field. – Kaustubh Khavnekar Dec 12 '22 at 19:21
  • @Idan To further clarify, if the Resources are shown in the UI, they should show up in the API response for `LookupEvents` as well. Can you add a specific example to your question where this is not the case? – Kaustubh Khavnekar Dec 12 '22 at 19:26
  • I think the actual issue is in some events, the `resources` show up inside the `CloudTrailEvent.resources` response object in addition to the root `Resources` object, which is what I was looking at before. In others it's only in the `Resources`. – Idan Dec 12 '22 at 20:23
  • Further I just found something even more confusing. Some events like `GetBucketAcl` have the opposite scenario - `CloudTrailEvent.resources` filled but their `root.Resources` field is empty! And the structure of the two is different: the root `Resources` has the fields `ResourceType, ResourceName`, and `CloudTrailEvent.resources` has `accountId, type and ARN`. At least in the examples I saw, maybe it's even more variable than that. That's super confusing! – Idan Dec 12 '22 at 21:58
  • The two documentation pages for these are https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Resource.html and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html. One is said to be "resources referenced by an event" and the other "resources accessed in the event", though it's really unclear as to what the differences between the two are. – Idan Dec 12 '22 at 22:08
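The comment thread above ends with the practical finding that a LookupEvents record may carry resources in the top-level `Resources` list (`ResourceType`/`ResourceName`), inside the nested `CloudTrailEvent.resources` array (`accountId`/`type`/`ARN`), or both. The following is an added example, not code from the question or the answer, that merges the two locations into one normalised list; the `SAMPLE_EVENTS` data is constructed to mirror the AttachRolePolicy and GetBucketAcl shapes described in the comments, and the live path assumes boto3 with CloudTrail read permissions.

```python
import json

# Constructed sample shaped like a LookupEvents response (not real account data).
SAMPLE_EVENTS = [
    {   # Resources only at the top level, as in the answer's AttachRolePolicy sample
        "EventId": "aaaa-aaaa-aaa", "EventName": "AttachRolePolicy",
        "Resources": [
            {"ResourceType": "AWS::IAM::Policy",
             "ResourceName": "arn:aws:iam::aws:policy/AutoScalingConsoleReadOnlyAccess"},
            {"ResourceType": "AWS::IAM::Role", "ResourceName": "SampleRole"},
        ],
        "CloudTrailEvent": json.dumps({"eventName": "AttachRolePolicy",
                                       "requestParameters": {"roleName": "SampleRole"}}),
    },
    {   # Resources only inside the nested record, the GetBucketAcl case from the comments
        "EventId": "bbbb-bbbb-bbb", "EventName": "GetBucketAcl", "Resources": [],
        "CloudTrailEvent": json.dumps({"eventName": "GetBucketAcl", "resources": [
            {"accountId": "123456789012", "type": "AWS::S3::Bucket",
             "ARN": "arn:aws:s3:::example-bucket"}]}),
    },
]


def extract_resources(event):
    """Return ordered, de-duplicated (type, identifier) tuples for one LookupEvents event,
    merging the top-level Resources list with CloudTrailEvent.resources."""
    found = [(r.get("ResourceType"), r.get("ResourceName"))
             for r in event.get("Resources") or []]
    try:
        record = json.loads(event.get("CloudTrailEvent") or "{}")
    except json.JSONDecodeError:
        record = {}  # malformed nested record: fall back to top-level data only
    for r in record.get("resources") or []:
        found.append((r.get("type"), r.get("ARN") or r.get("arn")))
    seen, out = set(), []
    for item in found:
        if item[1] and item not in seen:  # drop entries with no identifier and exact repeats
            seen.add(item)
            out.append(item)
    return out


def resources_for_event_name(event_name, events=None, region_name=None):
    """Map EventId -> resources for every event with the given name. With events=None this
    calls the real API through the boto3 lookup_events paginator; pass a list to run offline."""
    if events is None:
        import boto3  # imported lazily so the offline path has no AWS dependency
        paginator = boto3.client("cloudtrail", region_name=region_name).get_paginator("lookup_events")
        pages = paginator.paginate(LookupAttributes=[
            {"AttributeKey": "EventName", "AttributeValue": event_name}])
        events = [e for page in pages for e in page["Events"]]
    return {e["EventId"]: extract_resources(e)
            for e in events if e.get("EventName") == event_name}
```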