falcosecurity / plugins

Falco plugins registry
Apache License 2.0

Falco cloudtrail can't parse SQS messages from s3 notifications #381

Closed taxidis closed 9 months ago

taxidis commented 9 months ago

Describe the bug

I have a bucket that receives all CloudTrail events from multiple accounts. I have set up notifications from the bucket to SNS on ObjectCreate:* and added a subscription from SNS to an SQS queue.

I used "useS3SNS": true in the init config, but I get the following error:

Fri Dec  8 16:03:12 2023: Opening event source 'aws_cloudtrail'
Fri Dec  8 16:03:12 2023: Opening 'aws_cloudtrail' source with plugin 'cloudtrail'
Fri Dec  8 16:03:12 2023: An error occurred in an event source, forcing termination...
Fri Dec  8 16:03:12 2023: Closing event source 'aws_cloudtrail'
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: received SQS message that did not have a Type property

The related Helm values:

  plugins:
    - name: cloudtrail
      library_path: libcloudtrail.so
      init_config: '{"sqsDelete": true, "s3DownloadConcurrency": 16, "useS3SNS": true}'
      open_params: "sqs://cloudtrail-bucket-new-file"

The SQS messages are like this:

{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "eu-west-1",
      "eventTime": "2023-12-08T15:59:15.977Z",
      "eventName": "ObjectCreated:Put",
      "userIdentity": {
        "principalId": "AWS:{redacted}:regionalDeliverySession"
      },
      "requestParameters": {
        "sourceIPAddress": "x.x.x.x"
      },
      "responseElements": {
        "x-amz-request-id": "{redacted}",
        "x-amz-id-2": "{redacted}"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "new_log_file",
        "bucket": {
          "name": "my-cloudtrail-logs",
          "ownerIdentity": {
            "principalId": "{redacted}"
          },
          "arn": "arn:aws:s3:::my-cloudtrail-logs"
        },
        "object": {
          "key": "AWSLogs/{object_path}",
          "size": 846,
          "eTag": "{redacted}",
          "versionId": "{redacted}",
          "sequencer": "{redacted}"
        }
      }
    }
  ]
}

Expected behaviour

Parse SQS messages and log files.

Environment

taxidis commented 9 months ago

The issue was in the SNS settings. I needed to set "Raw message delivery" to Disabled.
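The error and the fix above come down to message shape. With "Raw message delivery" enabled, SNS forwards the S3 notification body to SQS unchanged, so the queue holds exactly the JSON shown in the report. With it disabled, SNS wraps that body in its own JSON envelope, where "Type" is "Notification" and the S3 notification is carried as a string in "Message". A consumer configured for the SNS path looks for that envelope first, so a raw body is rejected with "did not have a Type property". The following Go program is an added example written for this page; it is not the cloudtrail plugin's code, and the plugin's real parsing logic is not shown in the thread. The sample S3 notification and the object key in it are constructed, and the envelope is modelled with only the two SNS fields that matter here. It shows a strict parser that reproduces the failure on a raw body, a lenient one that sniffs for the envelope and accepts both delivery modes, and handling of the "s3:TestEvent" probe that S3 publishes when a bucket notification is configured.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrNoType mirrors the error text from the issue: the consumer expected an
// SNS envelope but the SQS body had no Type property (raw delivery enabled).
var ErrNoType = errors.New("received SQS message that did not have a Type property")

// snsEnvelope is what SNS delivers to SQS when raw message delivery is
// disabled. Real envelopes also carry MessageId, TopicArn, Timestamp and
// signature fields; only the two needed here are modelled (assumption).
type snsEnvelope struct {
	Type    string `json:"Type"`
	Message string `json:"Message"` // the S3 notification, as a JSON string
}

// s3Notification is the subset of an S3 event notification needed to find the
// new object. Event holds "s3:TestEvent" for the probe S3 sends on setup.
type s3Notification struct {
	Event   string `json:"Event"`
	Records []struct {
		EventName string `json:"eventName"`
		S3        struct {
			Bucket struct{ Name string `json:"name"` } `json:"bucket"`
			Object struct{ Key string `json:"key"` }   `json:"object"`
		} `json:"s3"`
	} `json:"Records"`
}

// ObjectRef identifies one newly written object to download.
type ObjectRef struct{ Bucket, Key string }

// parseS3 extracts ObjectCreated:* records from a bare S3 notification.
func parseS3(body []byte) ([]ObjectRef, error) {
	var n s3Notification
	if err := json.Unmarshal(body, &n); err != nil {
		return nil, err
	}
	if n.Event == "s3:TestEvent" {
		return nil, nil // harmless configuration probe, nothing to fetch
	}
	if n.Records == nil {
		return nil, errors.New("message is not an S3 event notification")
	}
	var refs []ObjectRef
	for _, r := range n.Records {
		if !strings.HasPrefix(r.EventName, "ObjectCreated:") {
			continue // deletions and other events carry no new log file
		}
		refs = append(refs, ObjectRef{Bucket: r.S3.Bucket.Name, Key: r.S3.Object.Key})
	}
	return refs, nil
}

// parseSNSWrapped is the strict path: it insists on the SNS envelope, so a
// raw S3 notification fails with ErrNoType, as in the issue.
func parseSNSWrapped(body []byte) ([]ObjectRef, error) {
	var env snsEnvelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, err
	}
	if env.Type == "" {
		return nil, ErrNoType
	}
	if env.Type != "Notification" {
		return nil, fmt.Errorf("unexpected SNS message type %q", env.Type)
	}
	return parseS3([]byte(env.Message))
}

// parseAny sniffs for the envelope instead of assuming it, so both delivery
// modes work. Bodies that are neither form are still rejected, not dropped.
func parseAny(body []byte) ([]ObjectRef, error) {
	var probe struct {
		Type *string `json:"Type"`
	}
	if err := json.Unmarshal(body, &probe); err != nil {
		return nil, err
	}
	if probe.Type != nil {
		return parseSNSWrapped(body)
	}
	return parseS3(body)
}

// wrapInSNS builds the envelope SNS produces with raw delivery disabled.
func wrapInSNS(rawS3 string) []byte {
	b, _ := json.Marshal(snsEnvelope{Type: "Notification", Message: rawS3})
	return b
}

// rawS3Notification is a constructed sample shaped like the message in the
// issue; the account segment and object key are made up.
const rawS3Notification = `{"Records":[{"eventVersion":"2.1","eventSource":"aws:s3",
 "eventName":"ObjectCreated:Put",
 "s3":{"bucket":{"name":"my-cloudtrail-logs"},
       "object":{"key":"AWSLogs/example-account/CloudTrail/eu-west-1/trail.json.gz"}}}]}`

func main() {
	for name, body := range map[string][]byte{
		"raw delivery enabled":  []byte(rawS3Notification),
		"raw delivery disabled": wrapInSNS(rawS3Notification),
	} {
		refs, err := parseSNSWrapped(body)
		fmt.Printf("%-22s strict:  refs=%v err=%v\n", name, refs, err)
		refs, err = parseAny(body)
		fmt.Printf("%-22s lenient: refs=%v err=%v\n", name, refs, err)
	}
}
```

Running it prints the strict parser failing on the raw body and succeeding on the wrapped one, while the lenient parser returns the same bucket and key for both. Sniffing the envelope is a reasonable hardening for a consumer, but it does not replace a tight SQS queue policy: only the SNS topic (and, for the raw case, the bucket) should be allowed to send to the queue, and the envelope's signature fields, which this example ignores, are what would let a consumer verify the message origin beyond that policy.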