duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Check `cloudtrail:GetEventSelectors` #231

Open 0xdabbad00 opened 5 years ago

0xdabbad00 commented 5 years ago

SecurityAudit allows this call. Can see if lambda and s3 object access is recorded.

0xdabbad00 commented 5 years ago

See https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventSelectors.html. Somewhat related to #237 in that each is about CloudTrail.

0xdabbad00 commented 5 years ago

This data looks like:

{
    "EventSelectors": [
        {
            "DataResources": [
                {
                    "Type": "AWS::S3::Object",
                    "Values": [
                        "arn:aws:s3:::mybucket/"
                    ]
                }
            ],
            "IncludeManagementEvents": true,
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cloudtrail"
}

The question for this is how much of the object events should be recorded? Is it actually important whether S3 object logging or lambda invokes are logged? Should I ensure s3 object logging is happening for all buckets?
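One way to turn the questions above into a check, as an added example that is not cloudmapper's own code: it reads a GetEventSelectors response of the shape shown (the sample below is constructed to match it) and reports buckets with no object-level logging and trails that log no Lambda invokes. The "all buckets" and "all functions" selector values follow the DataResource API reference; the `bucket_names` argument is assumed to come from a separate `s3:ListBuckets` call.

```python
# Added example, not cloudmapper's own code: interpret a CloudTrail
# GetEventSelectors response and report which data events a trail records.

# Per the DataResource API reference, "arn:aws:s3" means every bucket and
# "arn:aws:lambda" means every function; "arn:aws:s3:::" is the same
# all-buckets selector as the console and CLI sometimes emit it.
S3_ALL = ("arn:aws:s3", "arn:aws:s3:::")
LAMBDA_ALL = ("arn:aws:lambda",)


def data_event_coverage(response):
    """Summarise S3 object and Lambda invoke logging from a GetEventSelectors response."""
    cov = {"management_events": False, "read_write_types": set(),
           "s3_all_buckets": False, "s3_buckets": set(),
           "lambda_all_functions": False, "lambda_functions": set()}
    for selector in response.get("EventSelectors", []):
        cov["management_events"] |= bool(selector.get("IncludeManagementEvents"))
        cov["read_write_types"].add(selector.get("ReadWriteType", "All"))
        for resource in selector.get("DataResources", []):
            rtype = resource.get("Type")
            for value in resource.get("Values", []):
                if rtype == "AWS::S3::Object":
                    if value in S3_ALL:
                        cov["s3_all_buckets"] = True
                    else:  # "arn:aws:s3:::mybucket/prefix/" -> "mybucket"
                        cov["s3_buckets"].add(value.split(":::", 1)[1].split("/")[0])
                elif rtype == "AWS::Lambda::Function":
                    if value in LAMBDA_ALL:
                        cov["lambda_all_functions"] = True
                    else:
                        cov["lambda_functions"].add(value)
    return cov


def findings(cov, bucket_names):
    """Audit findings: buckets with no object-level logging, trails that skip Lambda."""
    issues = []
    if not cov["s3_all_buckets"]:
        for bucket in sorted(set(bucket_names) - cov["s3_buckets"]):
            issues.append(f"S3 object events not logged for bucket {bucket}")
    if not (cov["lambda_all_functions"] or cov["lambda_functions"]):
        issues.append("Lambda invoke events not logged by this trail")
    return issues


# Constructed sample response, matching the selector shape quoted in the issue.
SAMPLE_RESPONSE = {
    "EventSelectors": [{
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::mybucket/"]}],
        "IncludeManagementEvents": True,
        "ReadWriteType": "All",
    }],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cloudtrail",
}
```

Running `findings(data_event_coverage(SAMPLE_RESPONSE), ["mybucket", "otherbucket"])` flags `otherbucket` and the missing Lambda logging; a trail whose selectors use the all-buckets and all-functions values yields no findings.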

0xdabbad00 commented 5 years ago

Data collected in #260