TLS1.0/1.1 - how to find the requests

Afternoon all, I received an email saying I had connections with a few S3 buckets, so I know the 3; however, I can't understand how to get more data. The 3 buckets all have logging on, so I have an S3 bucket with the logs, but the 2 ways they say are:

  1. Log Insights. - For this it appears I need to have the actual logs go to CloudWatch Logs, as I don't see a way of selecting the S3 admin that has the logs.

  2. CloudTrail / Lake. This looks even easier; the doc here - https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/ - I thought was the answer, but I am stuck and it may be just the data store part. There is just that 1 line, create a data store, but I did create one; I believe the 'events' should be CloudTrail and not configuration items. Then for data events I have tried S3, S3 access points (as I am sure it's one of those), and when I copy the sample query for TLS calls I get an invalid query. I even tried other sample ones and all do the same thing, immediate red x.

The sample query is here:

SELECT eventSource, COUNT(*) AS numOutdatedTlsCalls FROM $EDS_ID WHERE tlsDetails.tlsVersion IN ('TLSv1', 'TLSv1.1') AND eventTime > '2023-01-17 00:00:00' GROUP BY eventSource ORDER BY numOutdatedTlsCalls DESC

So any help on the best way to get that info is appreciated.

asked a year ago · 447 views
1 Answer
Accepted Answer

Hey, lraymond@ can you confirm you're updating the $EDS_ID placeholder in your query with your event data store ID? i.e.

SELECT eventSource, COUNT(*) AS numOutdatedTlsCalls FROM '84d60cfd-1b4f-4e75-a235-example' WHERE tlsDetails.tlsVersion IN ('TLSv1', 'TLSv1.1') AND eventTime > '2023-01-17 00:00:00' GROUP BY eventSource ORDER BY numOutdatedTlsCalls DESC
AWS
Matt_H
answered a year ago
  • :facepalm: - I was clearly overlooking that one! I thought that was more an environment variable as the left side has the event data store drop down, but now realize what/why!

    I appreciate the read and such a quick reply, saved me a lot of time on this one!

  • You're welcome!
