Duplicate events in batches of 50 while fetching audit data through the CloudTrail LookupEvents API.

0
  • Found that the duplicate events occurred consecutively.
  • Parsed each batch of 50 audit events fetched from the CloudTrail LookupEvents API, checked for duplicates by eventID, and found that the duplicate events came from AWS itself.
  • Also collected the audit logs, stored them in a file, and found that the audit logs were duplicated only for us-east-1.
  • Created a script to find duplicates in the collected logs and got the same results.
  • The count of duplicate events differs every time. But whenever I tried to reproduce this bug, I found that the same fetched events were duplicated every time.
  • No pattern found for the duplicate events, except that the event IDs of the duplicate events are the same every time.
Asked 1 year ago, 433 views
1 answer
0

Hi there,

Do you have multiple CloudTrail Trails configured in different regions? If so, you could be seeing duplicates for global service events. Examples of global service events are AWS IAM, CloudFront, and AWS STS. If these are the types of duplicate events you are seeing, make sure you are not logging "Management Events" in multiple CloudTrails. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events for additional info.

AWS Expert
Matt-B
Answered 1 year ago
  • Thanks for this information. But I am fetching the audit logs that were generated before CloudTrail was created. For that purpose, I am using the LookupEvents API to fetch those logs. As far as I know, the creation of CloudTrail and the duplicate events are not related to each other.

  • Can you post an example of a duplicate event?

  • Sure.

    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "QWERTYUIOPASDFGHJKLZXCV:1cefa620-1234-1234-1234-24bddba12345",
        "arn": "arn:aws:sts::012345678912:assumed-role/test-role/1cefa620-1234-1234-1234-24bddba12345",
        "accountId": "012345678912",
        "accessKeyId": "QWERTYUIOPASDFGHJKLZXC",
        "sessionContext": {
          "sessionIssuer": {
            "type": "Role",
            "principalId": "QWERTYUIOPASDFGHJKLZXCV",
            "arn": "arn:aws:iam::012345678912:role/test-role",
            "accountId": "012345678912",
            "userName": "test-role"
          },
          "webIdFederationData": {},
          "attributes": {
            "creationDate": "2022-12-08T08:15:10Z",
            "mfaAuthenticated": "false"
          }
        }
      },
      "eventTime": "2022-12-08T08:54:43Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "LookupEvents",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "123.123.123.123",
      "userAgent": "aws-sdk-java/2.17.201 Linux/3.10.0-1160.80.1.el7.x86_64 OpenJDK_64-Bit_Server_VM/17.0.2+8-LTS Java/17.0.2 vendor/Red_Hat__Inc. io/sync http/Apache cfg/retry-mode/legacy",
      "requestParameters": {
        "startTime": "Sep 9, 2022, 12:00:00 AM",
        "endTime": "Dec 8, 2022, 7:25:01 AM",
        "nextToken": "sNhgqKEs0ota607r7N/9sIrV2UdnOUs/1WWv/FTK1q/Mp6pFL4nm9olMGfiJOfh5t+9x7bxx23uh29du3hd93=="
      },
      "responseElements": null,
      "requestID": "5da63bf5-1234-1234-1234-b6b2bf2e114c",
      "eventID": "f72a6cf5-1234-1234-1234-1f5e135d0e88",
      "readOnly": true,
      "eventType": "AwsApiCall",
      "managementEvent": true,
      "recipientAccountId": "012345678912",
      "eventCategory": "Management",
      "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
      }
    }
    
  • Hi there, any update from your side?
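Added example (not code from the question, the answer or AWS): the de-duplication check the asker describes, keyed on EventId while paging through LookupEvents, extended with the classification Matt-B's answer suggests, i.e. flagging whether a duplicated event belongs to a global service (IAM, STS, CloudFront). The pages and the FakeCloudTrail client are constructed here in the shape boto3's cloudtrail.lookup_events() returns so the script runs offline; event ids such as "e1" are placeholders. Against a real account you would pass a boto3 CloudTrail client instead, with StartTime/EndTime and MaxResults=50 (the API's page-size cap).

```python
"""Detect duplicates across paginated CloudTrail LookupEvents responses.
Added example, not from the original thread. Pages are constructed to match
boto3's cloudtrail.lookup_events() response shape; FakeCloudTrail is a stand-in."""
import json
from collections import Counter

# Global services whose events can be logged by trails in more than one region.
GLOBAL_SERVICE_SOURCES = {
    "iam.amazonaws.com",
    "sts.amazonaws.com",
    "cloudfront.amazonaws.com",
}

def iterate_events(client, **lookup_kwargs):
    """Follow NextToken until exhausted, yielding (page_index, event)."""
    token, page = None, 0
    while True:
        kwargs = dict(lookup_kwargs)
        if token:
            kwargs["NextToken"] = token
        resp = client.lookup_events(**kwargs)
        for ev in resp.get("Events", []):
            yield page, ev
        token = resp.get("NextToken")
        if not token:
            return
        page += 1

def find_duplicates(client, **lookup_kwargs):
    """Key on EventId (same value as eventID inside CloudTrailEvent) and report
    which duplicates are consecutive, cross a page boundary, or are global-service."""
    counts, first_page, sources = Counter(), {}, {}
    consecutive, cross_page, payload_mismatch = set(), set(), set()
    prev_id, total = None, 0
    for page, ev in iterate_events(client, **lookup_kwargs):
        total += 1
        eid = ev["EventId"]
        # Cross-check the wrapper's EventId against the eventID in the JSON payload.
        body = json.loads(ev.get("CloudTrailEvent", "{}"))
        if body.get("eventID") not in (None, eid):
            payload_mismatch.add(eid)
        counts[eid] += 1
        if eid in first_page:
            if prev_id == eid:
                consecutive.add(eid)
            if first_page[eid] != page:
                cross_page.add(eid)
        else:
            first_page[eid] = page
            sources[eid] = ev.get("EventSource", "")
        prev_id = eid
    dup_ids = sorted(e for e, n in counts.items() if n > 1)
    return {
        "total": total,
        "unique": len(counts),
        "duplicates": {e: counts[e] for e in dup_ids},
        "consecutive": sorted(consecutive),
        "cross_page": sorted(cross_page),
        "global_service": sorted(e for e in dup_ids if sources[e] in GLOBAL_SERVICE_SOURCES),
        "payload_mismatch": sorted(payload_mismatch),
    }

class FakeCloudTrail:
    """Minimal offline stand-in for boto3's CloudTrail client (constructed)."""
    def __init__(self, pages):
        self._pages = pages

    def lookup_events(self, **kwargs):
        idx = int(kwargs.get("NextToken", "0"))
        resp = {"Events": self._pages[idx]}
        if idx + 1 < len(self._pages):
            resp["NextToken"] = str(idx + 1)
        return resp

def _event(event_id, name, source, region="us-east-1"):
    """One constructed LookupEvents entry; ids like 'e1' are placeholders."""
    body = {"eventID": event_id, "eventName": name,
            "eventSource": source, "awsRegion": region}
    return {"EventId": event_id, "EventName": name,
            "EventSource": source, "CloudTrailEvent": json.dumps(body)}

# Two constructed pages: e1 is repeated back-to-back on one page (like the
# posted LookupEvents record); e2 is an STS event repeated on a later page.
SAMPLE_PAGES = [
    [_event("e1", "LookupEvents", "cloudtrail.amazonaws.com"),
     _event("e1", "LookupEvents", "cloudtrail.amazonaws.com"),
     _event("e2", "AssumeRole", "sts.amazonaws.com")],
    [_event("e3", "GetCallerIdentity", "sts.amazonaws.com"),
     _event("e2", "AssumeRole", "sts.amazonaws.com"),
     _event("e4", "DescribeInstances", "ec2.amazonaws.com", "eu-west-1")],
]

if __name__ == "__main__":
    # Real use: client = boto3.client("cloudtrail", region_name="us-east-1") and
    # find_duplicates(client, StartTime=..., EndTime=..., MaxResults=50).
    print(json.dumps(find_duplicates(FakeCloudTrail(SAMPLE_PAGES)), indent=2))
```

The split between "consecutive" and "cross_page" matters for diagnosis: a back-to-back repeat inside one page points at the service returning the same record twice, while a repeat that only shows up on a later page is what you would expect if the same event were reachable through two different paths (such as a global-service event recorded for more than one region), and "payload_mismatch" catches the case where the wrapper EventId and the eventID inside the record disagree.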
