Open aidansteele opened 5 years ago
Seems there's some potentially interesting stuff available in the CloudTrail web console UI.
Here's a JSON dump of some stuff: https://gist.github.com/aidansteele/bc5138da10ce2d664c4b66a5aeaa3104
This was accessed from https://ap-southeast-2.console.aws.amazon.com/cloudtrail/home using this query: console.log(JSON.stringify($("#preload").data()))
isWarriorEagleAccessible
isS3StarAccessible
I have so many questions
This ticket is similar to https://github.com/willbengtson/trailblazer-aws
Oh nice, thanks for the pointer @0xdabbad00!
Do you happen to recall if there are APIs where only successful invocations are recorded? Or am I imagining that?
There are a lot of failure situations that don't make it to AWS, such as if you format the call incorrectly, botocore will detect the mistake before the request is sent, which means it won't be recorded (since no call arrived). I assume (but this could very likely be wrong) that any call that makes it to AWS and is normally recorded will be recorded.
Could use an IAM role with zero permissions, so no costs are incurred. Though I think some services might only record successful API calls. We should also compare results to any public docs from AWS.