Key fields
CloudTrail events share a common log schema, which notably includes the following fields of interest:

| Field name | Description |
|---|---|
| `eventTime` | Event timestamp in UTC. |
| `awsRegion` | The AWS region the request was made to, such as `us-east-1`. |
| `eventSource` | The service the request was made to, such as `s3.amazonaws.com` for S3 buckets or `sts.amazonaws.com` for the Security Token Service (STS) used to request temporary credentials. |
| `eventName` | The requested action, matching one of the AWS API operations of that service. For example `AssumeRole`, `ListBuckets`, `SendCommand`, etc. |
| `errorCode` | The error code associated with the event (the human-readable message is in `errorMessage`), present if (and only if) the operation failed. |
| `readOnly` | Whether the operation induced a change or is read-only (`true` or `false`). |
| `userIdentity` | Information about the principal that made the request (sub-fields detailed below the table). |
| `sourceIPAddress` | The IP address the request was made from. For requests from services within AWS, only the DNS name of the service (for example `ec2.amazonaws.com`) is displayed. |
| `userAgent` | The User-Agent of the client that made the request. |
| `sessionCredentialFromConsole` | Whether the operation was conducted through the web console (`true` or `false`). |
| `resources` | A list of resource(s) accessed / impacted by the operation. For each resource, the following fields may be available: `type` (resource type identifier, in the format `AWS::<AWS_SERVICE_NAME>::<AWS_DATA_TYPE_NAME>`), `ARN` (ARN of the resource), `accountId` (account that owns the resource). |
| `requestParameters` | The parameters, if any, sent with the request. For example `requestParameters.bucketName`, `requestParameters.userName`, etc. |
| `responseElements` | The response element(s) for actions that make changes (create, update, or delete actions). For example `responseElements.user.createDate`, `responseElements.accessKey.accessKeyId`, etc. |

`userIdentity` sub-fields:

* `userIdentity.type`: the type of the identity. Possible types:
  - `Root`: account root user.
  - `IAMUser`: IAM user.
  - `AssumedRole`: temporary security credentials obtained with a role by calling the AWS STS `AssumeRole` API.
  - `Role`: IAM role.
  - `FederatedUser`: temporary security credentials for a federated user (Active Directory, AWS Directory Service, etc.), obtained via a call to the AWS STS `GetFederationToken` API.
  - `AWSAccount`: an account from another tenant / AWS account.
  - `AWSService`: an AWS account that belongs to an AWS service.
* [Optional] `userIdentity.userName`: human-readable name of the identity that made the call. Generally only available for `IAMUser` or `Root` identities.
* [Optional] `userIdentity.arn`: ARN of the entity (user or role) that made the call.
* [Optional] `userIdentity.principalId`: unique identifier of the entity that made the call. For temporary security credentials, this value includes the session name. For instance, for `AssumedRole` events, the `principalId` is the unique identifier containing the role ID and the role session name returned in the `AssumeRole` event's `responseElements.assumedRoleUser.assumedRoleId`.
* [Optional] `userIdentity.accountId`: the account that owns the entity that granted permissions for the request.
* [Optional] `userIdentity.accessKeyId`: the access key ID, if any, used to make the request. Access key IDs beginning with `AKIA` are long-term credentials (of an IAM user or the AWS account root user), while access key IDs beginning with `ASIA` are temporary credentials (created using AWS STS operations).
* [Optional] `userIdentity.sessionContext`: populated for requests made with temporary security credentials, with information about the session that was created:
  - `userIdentity.sessionContext.creationDate`: when the session was created.
  - `userIdentity.sessionContext.mfaAuthenticated`: whether the initial credentials were authenticated with MFA.
  - `userIdentity.sessionContext.sourceIdentity`: the original identity (user or role) making the request (with `type`, `arn` and `userName` sub-fields).
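As an added example (not from the original page), a small Python triage helper that flattens the key fields above from a constructed CloudTrail log file. The account ID, access key IDs and IP address are made up, and the `sessionContext` details are read from the `attributes` object they sit under in the delivered JSON.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample CloudTrail log file (the "Records" envelope CloudTrail
# delivers to S3); account ID, key IDs and addresses are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:00Z", "awsRegion": "us-east-1",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accountId": "111122223333", "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "alice-session"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000002"}}},
    {"eventTime": "2024-03-01T10:16:00Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice-session",
                      "accountId": "111122223333", "accessKeyId": "ASIAEXAMPLE000000002",
                      # in the delivered JSON, session details sit under "attributes"
                      "sessionContext": {"attributes": {"creationDate": "2024-03-01T10:15:00Z",
                                                        "mfaAuthenticated": "false"}}},
     "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied"},
]})


def credential_kind(access_key_id: Optional[str]) -> str:
    """Classify an access key ID by prefix: AKIA = long-term, ASIA = temporary (STS)."""
    prefixes = {"AKIA": "long-term", "ASIA": "temporary"}
    return prefixes.get((access_key_id or "")[:4], "none" if not access_key_id else "unknown")


def summarize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the key fields of one CloudTrail record for triage."""
    ident = record.get("userIdentity", {})
    session = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "time": record["eventTime"],
        "region": record["awsRegion"],
        "api": f'{record["eventSource"]}:{record["eventName"]}',
        # errorCode is present if and only if the call failed
        "failed": "errorCode" in record,
        "error": record.get("errorCode"),
        "read_only": record.get("readOnly"),
        "principal_type": ident.get("type"),
        "principal": ident.get("arn") or ident.get("userName"),
        "credential": credential_kind(ident.get("accessKeyId")),
        "mfa": session.get("mfaAuthenticated") == "true",
        "source_ip": record.get("sourceIPAddress"),
    }


def summarize_log(raw: str) -> List[Dict[str, Any]]:
    """Parse a CloudTrail log file and summarize every record in it."""
    return [summarize(r) for r in json.loads(raw)["Records"]]
```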
Notable API / events
| eventSource | eventName | Type | Description |
|---|---|---|---|
| sts.amazonaws.com | GetCallerIdentity | Reconnaissance | Return details about the IAM user or role whose credentials are used to call the operation. |
| iam.amazonaws.com | ListUsers | Reconnaissance | Enumerate the IAM users in the AWS account matching the optional path prefix `requestParameters.pathPrefix`. |
| iam.amazonaws.com | ListRoles | Reconnaissance | Enumerate the IAM roles in the AWS account matching the optional path prefix `requestParameters.pathPrefix`. |
| iam.amazonaws.com | ListGroups | Reconnaissance | Enumerate the IAM groups in the AWS account matching the optional path prefix `requestParameters.pathPrefix`. |
| iam.amazonaws.com | ListGroupsForUser | Reconnaissance | List the IAM groups the IAM user specified by `requestParameters.userName` belongs to. |
| iam.amazonaws.com | ListPolicies | Reconnaissance | Enumerate the IAM policies in the AWS account matching the optional path prefix `requestParameters.pathPrefix`. |
| iam.amazonaws.com | ListAttachedUserPolicies, ListAttachedGroupPolicies, ListAttachedRolePolicies | Reconnaissance | List the managed policies attached to the specified IAM user / group / role. Notable fields: `requestParameters.userName` (ListAttachedUserPolicies), `requestParameters.groupName` (ListAttachedGroupPolicies), `requestParameters.roleName` (ListAttachedRolePolicies). |
| iam.amazonaws.com | ListUserPolicies, ListGroupPolicies, ListRolePolicies | Reconnaissance | List the names of the inline policies embedded in the specified IAM user / group / role. Notable fields: `requestParameters.userName` (ListUserPolicies), `requestParameters.groupName` (ListGroupPolicies), `requestParameters.roleName` (ListRolePolicies). |
| iam.amazonaws.com | GetPolicy | Reconnaissance | Get information about the managed policy specified by `requestParameters.policyArn`, including the policy's default version and the total number of IAM users, groups, and roles the policy is attached to. |
| iam.amazonaws.com | GetPolicyVersion | Reconnaissance | Get information about the specified version of the specified managed policy, including the policy document. Notable fields: `requestParameters.policyArn`, `requestParameters.versionId`. |
| s3.amazonaws.com | ListBuckets | Reconnaissance | List the buckets owned by the authenticated sender of the request. |
| ec2.amazonaws.com | GetConsoleScreenshot | Reconnaissance | Take a screenshot of a running instance. Notable fields: `requestParameters.instanceId`; `requestParameters.wakeUp`: whether a keystroke should be simulated to wake up an instance in standby. |
| ec2.amazonaws.com | DescribeInstances | Reconnaissance | Enumerate and retrieve information on all or the specified instances. Notable fields: `requestParameters.instanceId`: optional list of instance ID(s) to enumerate; `requestParameters.filter`: optional filter(s). |
| sts.amazonaws.com | AssumeRole | Privilege escalation | Return a set of temporary security credentials that can be used to access AWS resources under the privileges granted by the role (a role is a set of policies). Can be called by an IAM principal (user or role). Notable fields: `requestParameters.roleArn`: the ARN of the role to assume; `requestParameters.roleSessionName`: an identifier for the session, chosen by the caller (sessions opened by an EC2 instance role use the instance ID, e.g. `i-089eb6ce74072ae1f`); `requestParameters.durationSeconds`: the validity period of the temporary credentials, from a minimum of 900 seconds up to the maximum session duration set for the role (at most 43200 seconds); `responseElements.assumedRoleUser.arn`: the ARN of the temporary security credentials, logged under `userIdentity.arn` for API calls made during the session; `responseElements.assumedRoleUser.assumedRoleId`: a unique identifier containing the role ID and the role session name, logged under `userIdentity.principalId` for API calls made during the session; `responseElements.credentials.accessKeyId`: the access key ID that identifies the temporary security credentials, logged under `userIdentity.accessKeyId` for API calls made during the session; `responseElements.credentials.expiration`: the date on which the credentials expire. |
| sso.amazonaws.com | GetRoleCredentials | Privilege escalation | Return a set of temporary security credentials. Similar to `AssumeRole`, but can (and must) be called by AWS SSO users, which are not directly IAM principals: AWS SSO users can be permitted to assume IAM roles and must do so through `GetRoleCredentials`. Notable fields: `requestParameters.roleName`, `responseElements.credentials.roleCredentials.accessKeyId`, `responseElements.credentials.roleCredentials.expiration`. |
| iam.amazonaws.com | AttachUserPolicy, AttachGroupPolicy, AttachRolePolicy | Privilege escalation | Attach the specified managed policy to the specified IAM user / group / role. A policy is the most atomic level of privileges that can be granted. As a privilege escalation path, the compromised user may be a member of the impacted group or may be able to assume the impacted role. Notable fields: `requestParameters.policyArn`; `requestParameters.userName` (AttachUserPolicy), `requestParameters.groupName` (AttachGroupPolicy), `requestParameters.roleName` (AttachRolePolicy). |
| iam.amazonaws.com | PutUserPolicy, PutGroupPolicy, PutRolePolicy | Privilege escalation | Add (or update) an inline policy embedded in the specified IAM user / group / role. A policy is the most atomic level of privileges that can be granted. Notable fields: `requestParameters.policyName`; `requestParameters.policyDocument`: policy in JSON format; `requestParameters.userName` (PutUserPolicy), `requestParameters.groupName` (PutGroupPolicy), `requestParameters.roleName` (PutRolePolicy). |
| iam.amazonaws.com | CreatePolicyVersion | Privilege escalation | Create a new version of the specified managed IAM policy, allowing the definition of new permissions (ultimately granted to the IAM users, groups, or roles the policy is attached to). Notable fields: `requestParameters.policyArn`; `requestParameters.policyDocument`: policy in JSON format; `requestParameters.setAsDefault`: whether the new policy version should be set as default, i.e. become the operative version (`true` or `false`). |
| iam.amazonaws.com | SetDefaultPolicyVersion | Privilege escalation | Set the specified preexisting version of the specified policy as the policy's default (operative) version. The version set will impact the IAM users, groups, or roles the policy is attached to, potentially opening privilege escalation vectors. Notable fields: `requestParameters.policyArn`, `requestParameters.versionId`. |
| iam.amazonaws.com | AddUserToGroup | Privilege escalation, Persistence | Add the specified user to the specified group. Notable fields: `requestParameters.userName`, `requestParameters.groupName`. |
| iam.amazonaws.com | CreateAccessKey | Privilege escalation, Persistence | Create a new AWS secret access key for the user specified by `requestParameters.userName`. Notable fields: `responseElements.accessKey.accessKeyId`, `responseElements.accessKey.createDate`, `responseElements.accessKey.status`, `responseElements.accessKey.userName`. |
| iam.amazonaws.com | CreateLoginProfile | Privilege escalation, Persistence | Create a password for the user specified by `requestParameters.userName` (to allow the user to access the AWS Management Console). As a privilege escalation vector, a user (`userIdentity.userName`) can create a password for a (more privileged) user (`requestParameters.userName`) to connect as that user through the management console and elevate privileges. |
| iam.amazonaws.com | UpdateLoginProfile | Privilege escalation, Persistence | Update (reset) the password of the user specified by `requestParameters.userName` (used to access the AWS Management Console). As a privilege escalation vector, a user (`userIdentity.userName`) can reset the password of a (more privileged) user (`requestParameters.userName`) to compromise that user and elevate privileges. |
| ec2.amazonaws.com | RunInstances | Execution, Persistence | Create and run new EC2 instance(s). Notable fields: `requestParameters.instanceType`; the `requestParameters.instancesSet.items{}` list contains, for each requested instance, `imageId`, a `tags{}` list (with an entry `Key=Name` / `Value=<INSTANCE_NAME>`) and `keyName` (the key pair associated with the instance); the `responseElements.instancesSet.items{}` list contains, for each created instance, `instanceId`, `keyName`, `subnetId` and `privateIpAddress`. |
| ssm.amazonaws.com | SendCommand | Execution | Run command(s) on one or more instances. Notable fields: `requestParameters.instanceIds` / `responseElements.command.instanceIds`: list of instance IDs for the command execution; `requestParameters.documentName` / `responseElements.documentName`: name of the SSM document to run (such as `AWS-RunShellScript` or `AWS-RunPowerShellScript`); `requestParameters.parameters`: required and optional parameters of the document being run (may be `HIDDEN_DUE_TO_SECURITY_REASONS` for shell / PowerShell execution). |
| ssm.amazonaws.com | StartSession | Execution | Initiate a connection to the target instance. Notable fields: `requestParameters.target`: target instance ID; `responseElements.sessionId`: identifier of the session; `responseElements.streamUrl`: a URL on the target instance's SSM Agent used by the Session Manager client to send commands and receive output; `responseElements.tokenValue`: a token used to authenticate the connection (hidden in CloudTrail). |
| ssm.amazonaws.com | ResumeSession | Execution | Reconnect a session after it has been disconnected (but not terminated). Notable fields: `requestParameters.sessionId`: identifier of the disconnected session; `responseElements.sessionId`: identifier of the session; `responseElements.streamUrl`: a URL on the target instance's SSM Agent used by the Session Manager client to send commands and receive output; `responseElements.tokenValue`: a token used to authenticate the connection (hidden in CloudTrail). |
| ec2.amazonaws.com | GetPasswordData | Execution, Persistence | Retrieve the encrypted administrator password of a running Windows instance. The password is encrypted with the key pair specified when the instance was launched. Notable fields: `requestParameters.instanceId`. |
| ec2.amazonaws.com | ModifyInstanceAttribute | Execution, Persistence | Modify the specified attribute of the specified instance. A modification of the `userData` attribute can be used to execute code at boot time, which requires a restart of a running instance (`StopInstances` then `StartInstances`). Does not allow the modification of the long-term key pair(s) associated with an instance; there is no AWS API to conduct such an operation. Notable fields: `requestParameters.instanceId`; `requestParameters.attribute` (`userData` for the user data); `requestParameters.userData` (the specified user data). |
| ec2.amazonaws.com | SendSSHPublicKey | Execution | Push a temporary SSH public key to the specified EC2 instance for use by the specified user. The key remains for 60 seconds. Used by the EC2 Instance Connect service for SSH access (directly or through the service's web-based interface). Notable fields: `requestParameters.instanceId`. |
| lambda.amazonaws.com | CreateFunction | Execution, Persistence | Create a new Lambda function. Notable fields: `requestParameters.functionName`; `requestParameters.code` (which does not include the `ZipFile` parameter containing the base64-encoded contents of the deployment package). |
| lambda.amazonaws.com | UpdateFunctionCode | Execution, Persistence | Update an existing Lambda function's code. Notable fields: `requestParameters.functionName`; `requestParameters.code` (which does not include the `ZipFile` parameter containing the base64-encoded contents of the deployment package). |
| s3.amazonaws.com | PutBucketAcl | Exfiltration | Set the ACL of the specified bucket. Note that the use of ACLs for S3 is generally deprecated (in favor of bucket policies). Notable fields: `requestParameters.bucket`; `requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array: URIs of the grantee groups being granted permissions. If the array contains `http://acs.amazonaws.com/groups/global/AuthenticatedUsers` or `http://acs.amazonaws.com/groups/global/AllUsers`, the specified bucket is made public. |
| s3.amazonaws.com | GetObject | Data access | Retrieve objects from Amazon S3 via the API. AWS CloudTrail supports Amazon S3 data events, but they are not enabled by default. Access through the web interface (or a static website served from an S3 bucket) is not logged in CloudTrail (but can be logged in S3 server access logs). |
| ses.amazonaws.com | GetAccount, ListIdentities, VerifyEmailIdentity, UpdateAccountSendingEnabled | Impact (phishing) | Obtain information about the email-sending status and capabilities of the Amazon SES account (in the current region). Return a list of all the identities (email addresses and domains) of the Amazon SES account (in the current region). Add an email address to the list of identities of the Amazon SES account (in the current region) and attempt to verify it. Enable (or disable) email sending across the entire Amazon SES account in the current AWS region. Usage of these APIs by threat actors has been identified in the wild to conduct phishing campaigns following an identity compromise. |
| iam.amazonaws.com | CreateUser | Persistence | Create a new IAM user in the account. Notable fields: `responseElements.user.arn`, `responseElements.user.createDate`, `responseElements.user.userId`, `responseElements.user.userName`. |
| ec2.amazonaws.com | CreateKeyPair | Persistence | Create a key pair with the specified name in the AWS region. Notable fields: `requestParameters.keyName` / `responseElements.keyName`, `responseElements.keyFingerprint`, `responseElements.keyPairId`. |
| ec2.amazonaws.com | ImportKeyPair | Persistence | Import the public key of a previously created key pair, only providing the public key to AWS. Notable fields: `requestParameters.keyName` / `responseElements.keyName`, `responseElements.keyFingerprint`, `responseElements.keyPairId`. |
| sts.amazonaws.com | GetSessionToken | Credentials access, Persistence | Return a set of temporary credentials for an AWS account or IAM user. The temporary security credentials created by `GetSessionToken` can be used to make API calls to any AWS service with the following exceptions: calls to IAM API operations are prohibited unless MFA authentication information is included in the request; calls to the STS API are prohibited (except `AssumeRole` and `GetCallerIdentity`). Notable fields: `responseElements.accessKeyId`, `responseElements.expiration`. |
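Added example (not from the original page): detection logic over constructed events for three rows of the table above, the public-grant check on `PutBucketAcl`, the other-user check on `CreateLoginProfile` / `UpdateLoginProfile`, and attribution of a session's events back to the `AssumeRole` caller through `responseElements.credentials.accessKeyId`. The account ID, user names, bucket name and access key IDs are made up.

```python
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed CloudTrail events trimmed to the fields the rules need; the
# account ID, names and access key IDs are made up.
EVENTS: List[Event] = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin", "roleSessionName": "s1"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/s1"},
                          "credentials": {"accessKeyId": "ASIAEXAMPLE000000002"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/s1",
                      "accessKeyId": "ASIAEXAMPLE000000002"},
     "requestParameters": {"userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "corp-data", "AccessControlPolicy": {"AccessControlList": {"Grant": [
         {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "carol", "accessKeyId": "AKIAEXAMPLE000000003"},
     "requestParameters": {"userName": "carol"}},
]

PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grant(event: Event) -> bool:
    """PutBucketAcl granting to the AllUsers / AuthenticatedUsers groups makes the bucket public."""
    if event.get("eventName") != "PutBucketAcl":
        return False
    grants = (event.get("requestParameters", {}).get("AccessControlPolicy", {})
              .get("AccessControlList", {}).get("Grant", []))
    grants = grants if isinstance(grants, list) else [grants]  # a single grant may not be wrapped in a list
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)

def login_profile_for_other_user(event: Event) -> bool:
    """Create/UpdateLoginProfile where the caller sets a console password for a different IAM user."""
    if event.get("eventName") not in ("CreateLoginProfile", "UpdateLoginProfile"):
        return False
    target = event.get("requestParameters", {}).get("userName")
    return bool(target) and target != event.get("userIdentity", {}).get("userName")

def attribute_sessions(events: List[Event]) -> List[Tuple[str, str]]:
    """Tie events made with STS temporary keys back to the principal that called AssumeRole:
    responseElements.credentials.accessKeyId reappears as userIdentity.accessKeyId in the session."""
    issued = {e["responseElements"]["credentials"]["accessKeyId"]: e["userIdentity"]["arn"]
              for e in events if e.get("eventName") == "AssumeRole" and "responseElements" in e}
    return [(e["eventName"], issued[e["userIdentity"]["accessKeyId"]])
            for e in events if e.get("userIdentity", {}).get("accessKeyId") in issued]

def run_detections(events: List[Event]) -> List[Tuple[str, str]]:
    """Apply all rules and return (rule, subject) findings."""
    findings = [("public_bucket_acl", e["requestParameters"]["bucketName"]) for e in events if public_acl_grant(e)]
    findings += [("login_profile_other_user", e["requestParameters"]["userName"])
                 for e in events if login_profile_for_other_user(e)]
    findings += [("assumed_role_session", f"{name} by {origin}") for name, origin in attribute_sessions(events)]
    return findings
```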