Use sharedEventID #3

Open
0xdabbad00 opened this issue Feb 16, 2018 · 1 comment
Labels
enhancement New feature or request

Comments

@0xdabbad00
Collaborator

In tracking cross-account role assumptions, I should use sharedEventID as explained in https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/

This should be fixed at:

# TODO: I should also be using sharedEventID as explained in https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/

@0xdabbad00 0xdabbad00 added the enhancement New feature or request label Feb 16, 2018
@0xdabbad00
Collaborator Author

One minor gotcha is the sharedEventID wasn't introduced until CloudTrail eventVersion 1.03. I'm not sure when AWS started using that version of CloudTrail, but it's at least over a year old, so I think it's acceptable to make a requirement of CloudTracker be that logs to be reviewed must be at most a year old or newer.
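
Added example, not CloudTracker's code and not written by the issue author: pairing the two copies of a cross-account AssumeRole event by sharedEventID, and setting aside records older than eventVersion 1.03 or with only one side's log collected. The function names and sample records are constructed for illustration, and the account IDs are placeholders.

```python
from collections import defaultdict

MIN_VERSION = (1, 3)  # per this issue: sharedEventID first appears in eventVersion 1.03

def version_tuple(event):
    major, minor = event.get("eventVersion", "0.0").split(".")[:2]
    return int(major), int(minor)

def correlate_assume_roles(events):
    """Pair both copies of each cross-account AssumeRole; returns (links, unpaired_ids)."""
    copies_by_id = defaultdict(dict)
    unpaired = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        shared_id = ev.get("sharedEventID")
        if version_tuple(ev) < MIN_VERSION or not shared_id:
            unpaired.append(ev["eventID"])  # too old, or not shared with another account
            continue
        copies_by_id[shared_id][ev["recipientAccountId"]] = ev
    links = []
    for shared_id, copies in copies_by_id.items():
        role_arn = next(iter(copies.values()))["requestParameters"]["roleArn"]
        target = role_arn.split(":")[4]  # account ID field of the role ARN
        sources = [acct for acct in copies if acct != target]
        if target not in copies or not sources:
            unpaired.extend(ev["eventID"] for ev in copies.values())  # one side missing
            continue
        links.append({"sharedEventID": shared_id, "role_arn": role_arn,
                      "caller": copies[sources[0]]["userIdentity"].get("arn")})
    return links, unpaired

def _sample(event_id, version, recipient, identity, shared_id=None):
    # Constructed record, not a real log; account IDs and names are placeholders.
    ev = {"eventVersion": version, "eventName": "AssumeRole", "eventID": event_id,
          "recipientAccountId": recipient, "userIdentity": identity,
          "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/audit"}}
    if shared_id:
        ev["sharedEventID"] = shared_id
    return ev

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}
REMOTE = {"type": "AWSAccount", "accountId": "111111111111"}
SAMPLE_EVENTS = [
    _sample("a-1", "1.05", "111111111111", ALICE, "s-1"),   # caller's trail
    _sample("b-1", "1.05", "222222222222", REMOTE, "s-1"),  # role owner's trail
    _sample("c-1", "1.02", "111111111111", ALICE),          # predates sharedEventID
    _sample("d-1", "1.05", "222222222222", REMOTE, "s-2"),  # caller's copy not collected
]
```

Calling `correlate_assume_roles(SAMPLE_EVENTS)` links alice to the role through `s-1` and reports `c-1` and `d-1` as unpaired, which is where a fallback or a warning about log age would go.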
