Analyze AWS CloudTrail log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, such as the date and time of the action and the request parameters that were used. CloudTrail log files aren't an ordered stack trace of the public API calls, so the entries don't appear in any specific order.
The following example shows a CloudTrail log entry that demonstrates the CreateCluster action.
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AKIAIOSFODNN7EXAMPLE",
    "arn": "arn:aws:iam::111122223333:user/username",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "username"
  },
  "eventTime": "2018-05-28T19:16:43Z",
  "eventSource": "eks.amazonaws.com",
  "eventName": "CreateCluster",
  "awsRegion": "region-code",
  "sourceIPAddress": "205.251.233.178",
  "userAgent": "PostmanRuntime/6.4.0",
  "requestParameters": {
    "resourcesVpcConfig": {
      "subnetIds": [
        "subnet-a670c2df",
        "subnet-4f8c5004"
      ]
    },
    "roleArn": "arn:aws:iam::111122223333:role/AWSServiceRoleForAmazonEKS-CAC1G1VH3ZKZ",
    "clusterName": "test"
  },
  "responseElements": {
    "cluster": {
      "clusterName": "test",
      "status": "CREATING",
      "createdAt": 1527535003.208,
      "certificateAuthority": {},
      "arn": "arn:aws:eks:region-code:111122223333:cluster/test",
      "roleArn": "arn:aws:iam::111122223333:role/AWSServiceRoleForAmazonEKS-CAC1G1VH3ZKZ",
      "version": "1.10",
      "resourcesVpcConfig": {
        "securityGroupIds": [],
        "vpcId": "vpc-21277358",
        "subnetIds": [
          "subnet-a670c2df",
          "subnet-4f8c5004"
        ]
      }
    }
  },
  "requestID": "a7a0735d-62ab-11e8-9f79-81ce5b2b7d37",
  "eventID": "eab22523-174a-499c-9dd6-91e7be3ff8e3",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
Log Entries for Amazon EKS Service Linked Roles
The Amazon EKS service linked roles make API calls to AWS resources. CloudTrail log entries with username AWSServiceRoleForAmazonEKS and username AWSServiceRoleForAmazonEKSNodegroup appear for calls made by the Amazon EKS service linked roles. For more information about Amazon EKS and service linked roles, see Using service-linked roles for Amazon EKS.
The following example shows a CloudTrail log entry that demonstrates a DeleteInstanceProfile action that's made by the AWSServiceRoleForAmazonEKSNodegroup service linked role, noted in the sessionContext.
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA3WHGPEZ7SJ2CW55C5:EKS",
    "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAmazonEKSNodegroup/EKS",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROA3WHGPEZ7SJ2CW55C5",
        "arn": "arn:aws:iam::111122223333:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
        "accountId": "111122223333",
        "userName": "AWSServiceRoleForAmazonEKSNodegroup"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2020-02-26T00:56:33Z"
      }
    },
    "invokedBy": "eks-nodegroup.amazonaws.com"
  },
  "eventTime": "2020-02-26T00:56:34Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "DeleteInstanceProfile",
  "awsRegion": "region-code",
  "sourceIPAddress": "eks-nodegroup.amazonaws.com",
  "userAgent": "eks-nodegroup.amazonaws.com",
  "requestParameters": {
    "instanceProfileName": "eks-11111111-2222-3333-4444-abcdef123456"
  },
  "responseElements": null,
  "requestID": "11111111-2222-3333-4444-abcdef123456",
  "eventID": "11111111-2222-3333-4444-abcdef123456",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
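The two entries above differ in where the calling principal is recorded: the IAM user is named directly in userIdentity, while for the service linked role the issuing role is found under sessionContext.sessionIssuer together with invokedBy. The following added example (not part of the AWS documentation) parses a constructed, abbreviated log file built from those two entries and tags each event as EKS service-linked-role activity or as a call by some other principal; the helper names and the sample records are assumptions for illustration.

```python
import json

# EKS service-linked role names as named in the documentation above.
EKS_SERVICE_LINKED_ROLES = {"AWSServiceRoleForAmazonEKS", "AWSServiceRoleForAmazonEKSNodegroup"}

# Constructed sample log file, abbreviated from the two entries shown above.
SAMPLE_LOG = json.dumps({"Records": [
    {"userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/username", "userName": "username"},
     "eventTime": "2018-05-28T19:16:43Z", "eventSource": "eks.amazonaws.com",
     "eventName": "CreateCluster", "sourceIPAddress": "205.251.233.178",
     "requestParameters": {"clusterName": "test"}, "readOnly": False},
    {"userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAmazonEKSNodegroup/EKS",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "userName": "AWSServiceRoleForAmazonEKSNodegroup"}},
                      "invokedBy": "eks-nodegroup.amazonaws.com"},
     "eventTime": "2020-02-26T00:56:34Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteInstanceProfile", "sourceIPAddress": "eks-nodegroup.amazonaws.com",
     "requestParameters": {"instanceProfileName": "eks-11111111-2222-3333-4444-abcdef123456"}},
]})

def caller(record):
    """Name of the calling principal. For AssumedRole events the role that issued the
    session is in sessionContext.sessionIssuer, not in the top-level userIdentity.arn."""
    ident = record["userIdentity"]
    if ident["type"] == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "")
    return ident.get("userName", ident.get("arn", ""))

def is_eks_service_linked_call(record):
    """True only when the session issuer is an EKS service-linked role AND the call was
    invoked by an AWS service principal (invokedBy); a session that merely carries a
    look-alike role name without invokedBy is not treated as service activity."""
    invoked_by = record["userIdentity"].get("invokedBy", "")
    return caller(record) in EKS_SERVICE_LINKED_ROLES and invoked_by.endswith(".amazonaws.com")

def summarize(log_text):
    """Parse a CloudTrail log file (the {"Records": [...]} wrapper) into rows that
    separate expected service-linked-role activity from calls by other principals."""
    return [{
        "time": rec["eventTime"],
        "event": rec["eventSource"] + ":" + rec["eventName"],
        "caller": caller(rec),
        "service_linked": is_eks_service_linked_call(rec),
    } for rec in json.loads(log_text)["Records"]]
```

Run summarize(SAMPLE_LOG) to see the two rows; rows with service_linked set to False are the ones a reviewer of IAM changes in an EKS account would look at first.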