api-refactor: l0 admin logs are not capturing some events
Context
l0 admin logs were originally designed with the idea that CloudTrail events (generated from the l0 api to AWS) should be captured. Currently, we use a specific filter pattern when searching the CloudWatch log streams that come from CloudTrail: filterPattern := fmt.Sprintf("{ $.userIdentity.sessionContext.sessionIssuer.userName = \"l0-%s-ecs-role\" }", a.Config.Instance()).
The problem
The current issue is that this filter pattern actually leaves out certain types of events that don't follow the pattern. Take for instance a DeleteCluster event. The CloudTrail log for an event like this looks like this:
{
  "eventVersion": "1.04",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJ7IKV375HBALS2GEK",
    "arn": "arn:aws:iam::856306994068:user/l0/l0-jlpalbtest/l0-jlpalbtest-user",
    "accountId": "856306994068",
    "accessKeyId": "AKIAJ64AZLBBCZKVQTWQ",
    "userName": "l0-jlpalbtest-user"
  },
  "eventTime": "2018-04-05T22:01:44Z",
  "eventSource": "ecs.amazonaws.com",
  "eventName": "DeleteCluster",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "52.207.146.46",
  "userAgent": "aws-sdk-go/1.12.67 (go1.9.1; linux; amd64)",
  "requestParameters": {
    "cluster": "l0-jlpalbtest-demo4967d6bb"
  },
  "responseElements": {
    "cluster": {
      "clusterArn": "arn:aws:ecs:us-east-1:856306994068:cluster/l0-jlpalbtest-demo4967d6bb",
      "pendingTasksCount": 0,
      "registeredContainerInstancesCount": 0,
      "status": "INACTIVE",
      "runningTasksCount": 0,
      "statistics": [],
      "clusterName": "l0-jlpalbtest-demo4967d6bb",
      "activeServicesCount": 0
    }
  },
  "requestID": "edca5d9f-391c-11e8-9dba-d566a7a43b2d",
  "eventID": "220364cc-fdb3-4437-bae7-b8d223b6da9f",
  "eventType": "AwsApiCall",
  "recipientAccountId": "856306994068"
}
$.userIdentity.sessionContext.sessionIssuer.userName = \"l0-jlpalbtest-ecs-role\" does not capture this event in this context, but it should capture it. It really should filter instead on $.userIdentity.userName = \"l0-jlpalbtest-user\".
Solution
The filter pattern should be modified to look for events matching either pattern: filterPattern := fmt.Sprintf("{ $.userIdentity.sessionContext.sessionIssuer.userName = \"l0-%s-ecs-role\" || $.userIdentity.userName = \"l0-%s-user\" }", a.Config.Instance(), a.Config.Instance())
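The gap and the proposed fix can be checked offline with the sketch below, which is an added example and not code from the l0 repository. The `event` struct, `matches` helper and both sample events are constructed for illustration, and `matches` only emulates locally the field comparisons the two patterns express; it does not call CloudWatch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// event holds only the two CloudTrail fields the filter patterns test (hypothetical type).
type event struct {
	UserIdentity struct {
		UserName       string `json:"userName"`
		SessionContext struct {
			SessionIssuer struct {
				UserName string `json:"userName"`
			} `json:"sessionIssuer"`
		} `json:"sessionContext"`
	} `json:"userIdentity"`
}

// oldPattern is the filter quoted under Context; newPattern is the one proposed under Solution.
func oldPattern(instance string) string {
	return fmt.Sprintf("{ $.userIdentity.sessionContext.sessionIssuer.userName = \"l0-%s-ecs-role\" }", instance)
}

func newPattern(instance string) string {
	return fmt.Sprintf("{ $.userIdentity.sessionContext.sessionIssuer.userName = \"l0-%s-ecs-role\" || $.userIdentity.userName = \"l0-%s-user\" }", instance, instance)
}

// matches reports whether an event would be selected by the old and by the new pattern.
func matches(raw, instance string) (oldHit, newHit bool, err error) {
	var e event
	if err = json.Unmarshal([]byte(raw), &e); err != nil {
		return false, false, err
	}
	oldHit = e.UserIdentity.SessionContext.SessionIssuer.UserName == "l0-"+instance+"-ecs-role"
	newHit = oldHit || e.UserIdentity.UserName == "l0-"+instance+"-user"
	return oldHit, newHit, nil
}

// Constructed samples: an IAM-user call shaped like the DeleteCluster event above, and a role-session call.
const iamUserEvent = `{"eventName":"DeleteCluster","userIdentity":{"type":"IAMUser","userName":"l0-jlpalbtest-user"}}`
const roleEvent = `{"eventName":"RunTask","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"type":"Role","userName":"l0-jlpalbtest-ecs-role"}}}}`

func main() {
	fmt.Println("old:", oldPattern("jlpalbtest"))
	fmt.Println("new:", newPattern("jlpalbtest"))
	for _, raw := range []string{iamUserEvent, roleEvent} {
		o, n, err := matches(raw, "jlpalbtest")
		fmt.Printf("old=%v new=%v err=%v\n", o, n, err)
	}
}
```
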