Duplicate CloudTrail Management Events #449

Open
5 tasks done
rjbaker opened this issue May 10, 2024 · 0 comments
Labels
bug Something isn't working

rjbaker commented May 10, 2024

Describe the bug

When deploying LZA into a management account with the CloudTrail organization trail enabled, and both s3DataEvents & lambdaDataEvents enabled, we would expect a single management event selector to be created and two data event selectors.

Instead, three management event selectors are created; this produces multiple copies of CloudTrail management events, incurring additional and significant CloudTrail event data costs.

This appears to be caused by calls to organizationsTrail.addEventSelector (example) which do not pass the third options argument. As a result, the includeManagementEvents option defaults to true for each additional event selector.

Resulting configuration:

```diff
 aws cloudtrail get-event-selectors --trail-name AWSAccelerator-Organizations-CloudTrail
 {
     "TrailARN": "arn:aws:cloudtrail:eu-west-2:account-id:trail/AWSAccelerator-Organizations-CloudTrail",
     "EventSelectors": [
         {
             "ReadWriteType": "All",
+            "IncludeManagementEvents": true,
             "DataResources": [
                 {
                     "Type": "AWS::Lambda::Function",
                     "Values": [
                         "arn:aws:lambda"
                     ]
                 }
             ],
             "ExcludeManagementEventSources": []
         },
         {
             "ReadWriteType": "All",
+            "IncludeManagementEvents": true,
             "DataResources": [
                 {
                     "Type": "AWS::S3::Object",
                     "Values": [
                         "arn:aws:s3:::"
                     ]
                 }
             ],
             "ExcludeManagementEventSources": []
         },
         {
             "ReadWriteType": "All",
             "IncludeManagementEvents": true,
             "DataResources": [],
             "ExcludeManagementEventSources": []
         }
     ]
 }
```

To Reproduce

  • (Re)Deploy or upgrade LZA to latest version.
  • Use the following logging settings in global-config.yaml:

    ```yaml
    logging:
      account: LogArchive
      cloudtrail:
        enable: true
        organizationTrail: true
        organizationTrailSettings:
          multiRegionTrail: false
          globalServiceEvents: true
          managementEvents: true
          s3DataEvents: true
          lambdaDataEvents: true
          sendToCloudWatchLogs: true
          apiErrorRateInsight: false
          apiCallRateInsight: false
    ```

  • Sign into organisation management account console
  • Navigate to: CloudTrail -> Trails
  • Select: AWSAccelerator-Organizations-CloudTrail

Expected behavior

Within the AWSAccelerator-Organizations-CloudTrail trail we would expect a single management event selector to be created and two data event selectors. Management events should be recorded once within this trail.

Please complete the following information about the solution:

  • Version: 1.6.0
  • Region: eu-west-2
  • Was the solution modified from the version published on this repository? No
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? No

Screenshots
Screenshot 2024-05-10 at 13 40 24
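A quick way to check a deployed trail for the symptom described in this issue, as an added example that is neither part of the issue nor of the LZA code base: the script below parses the JSON shape returned by `aws cloudtrail get-event-selectors` (the sample embedded in it is constructed from the output quoted in the report, with the `+` highlight markers removed), counts how many selectors will record management events, and shows the corrected selector list in which only the selector without data resources keeps `IncludeManagementEvents` set to true. The function and file names are the example's own choices.

```python
import json
import sys

# Constructed sample: the `aws cloudtrail get-event-selectors` output quoted in the
# report above, with the author's "+" highlight markers removed so it parses as JSON.
SAMPLE_GET_EVENT_SELECTORS = json.loads("""
{
    "TrailARN": "arn:aws:cloudtrail:eu-west-2:account-id:trail/AWSAccelerator-Organizations-CloudTrail",
    "EventSelectors": [
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [{"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}],
            "ExcludeManagementEventSources": []
        },
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}],
            "ExcludeManagementEventSources": []
        },
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ExcludeManagementEventSources": []
        }
    ]
}
""")


def management_selector_indices(doc):
    """Indices of selectors that record management events.

    CloudTrail treats an omitted IncludeManagementEvents as true, which is the same
    default the report says addEventSelector falls into, so a missing key counts too.
    """
    return [
        i for i, sel in enumerate(doc.get("EventSelectors", []))
        if sel.get("IncludeManagementEvents", True)
    ]


def data_selector_indices(doc):
    """Indices of selectors that carry at least one data resource."""
    return [
        i for i, sel in enumerate(doc.get("EventSelectors", []))
        if sel.get("DataResources")
    ]


def audit_trail_selectors(doc):
    """Summarise how many times the trail will record each management event."""
    mgmt = management_selector_indices(doc)
    return {
        "management_selector_count": len(mgmt),
        "data_selector_count": len(data_selector_indices(doc)),
        "duplicate_management_events": len(mgmt) > 1,
        # Data selectors that also include management events are the ones to fix.
        "selectors_to_fix": [i for i in mgmt if doc["EventSelectors"][i].get("DataResources")],
    }


def corrected_selectors(doc):
    """Return the selectors in the expected shape: management events only on the
    selector(s) with no data resources, IncludeManagementEvents false on data selectors."""
    fixed = []
    for sel in doc.get("EventSelectors", []):
        sel = dict(sel)
        sel["IncludeManagementEvents"] = not sel.get("DataResources")
        fixed.append(sel)
    return fixed


if __name__ == "__main__":
    # Pipe real output in: aws cloudtrail get-event-selectors --trail-name <trail> | python audit.py
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GET_EVENT_SELECTORS
    report = audit_trail_selectors(doc)
    print(json.dumps(report, indent=2))
    if report["duplicate_management_events"]:
        print(f"management events recorded {report['management_selector_count']}x; "
              f"set IncludeManagementEvents=false on selectors {report['selectors_to_fix']}")
```

Run without input to see the report for the sample, or pipe the real `get-event-selectors` output through it to confirm whether a deployed trail is affected. The check only detects the symptom on a deployed trail; the root cause the report identifies is the omitted third options argument to `addEventSelector`, so a durable fix belongs in the code that creates the data event selectors rather than in a post-deployment correction.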
