For organization trails Cloudtrail uses a S3 path as follows:
bucket_name/prefix_name/AWSLogs/O-ID/Account ID/CloudTrail/Region/YYYY/MM/DD/file_name.json.gz. 2
Sometimes it is necessary to search for events in several accounts at the same time.
Feature
Introduce support for accounts with an additional parameter S3AccountList. This parameter is a comma separated list of account IDs.
Application logic should be:
Open path is s3://bucket_name/prefix_name/AWSLog/O-ID/Account ID/ => same as before
Open path is s3://bucket_name/prefix_name/AWSLogs/O-ID/
If S3AccountList is set => iterate over all accounts in this list, iterate over all regions and open according to S3Interval parameter
If S3AccountList is not set => get all account ID's in the bucket (ListObjects(Paginator) call with delimiter "/"), iterate over this list, iterate over all regions and open files according to S3Interval
Known limitation:
When S3AccountList and S3Interval are not set, getting all events over all accounts, regions and the entire period could take quite some time or even run into time outs (depending on the size of the organization).
Alternatives
Getting events per account manually and merge same later with mergecap.
Additional context
If there are no objections to this request, I will prepare a commit for it.
Motivation
For organization trails Cloudtrail uses a S3 path as follows:
bucket_name/prefix_name/AWSLogs/O-ID/Account ID/CloudTrail/Region/YYYY/MM/DD/file_name.json.gz. 2Sometimes it is necessary to search for events in several accounts at the same time.
Feature
Introduce support for accounts with an additional parameter
S3AccountList. This parameter is a comma separated list of account IDs.Application logic should be:
s3://bucket_name/prefix_name/AWSLog/O-ID/Account ID/=> same as befores3://bucket_name/prefix_name/AWSLogs/O-ID/S3AccountListis set => iterate over all accounts in this list, iterate over all regions and open according toS3IntervalparameterS3AccountListis not set => get all account ID's in the bucket (ListObjects(Paginator) call with delimiter "/"), iterate over this list, iterate over all regions and open files according toS3IntervalKnown limitation:
When
S3AccountListandS3Intervalare not set, getting all events over all accounts, regions and the entire period could take quite some time or even run into time outs (depending on the size of the organization).Alternatives
Getting events per account manually and merge same later with
mergecap.Additional context
If there are no objections to this request, I will prepare a commit for it.
Related PR #422