aws-cloudtrail-processing-library's Introduction

AWS CloudTrail Processing Library

The AWS CloudTrail Processing Library is a Java client library that makes it easy to build an application that reads and processes CloudTrail log files in a fault tolerant and highly scalable manner.

Features

  • Provides functionality to continuously download CloudTrail log files in a fault tolerant and scalable manner.
  • Serializes the events in JSON format to Plain Old Java Objects (POJO).
  • Provides interfaces to implement your own business logic for selecting which events to process, processing events, handling errors, and handling log processing status updates.
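An added example (not the project's own code) of wiring those interfaces together: an EventFilter that keeps only API calls that failed authorization, an EventsProcessor that reports them, and an ExceptionHandler for library-side errors. It assumes the library's 1.x API and a properties file named awscloudtrailprocessinglibrary.properties that holds the SQS queue URL, region and credential settings.

```java
import java.util.List;
import com.amazonaws.services.cloudtrail.processinglibrary.AWSCloudTrailProcessingExecutor;
import com.amazonaws.services.cloudtrail.processinglibrary.exceptions.CallbackException;
import com.amazonaws.services.cloudtrail.processinglibrary.exceptions.ProcessingLibraryException;
import com.amazonaws.services.cloudtrail.processinglibrary.interfaces.EventFilter;
import com.amazonaws.services.cloudtrail.processinglibrary.interfaces.EventsProcessor;
import com.amazonaws.services.cloudtrail.processinglibrary.interfaces.ExceptionHandler;
import com.amazonaws.services.cloudtrail.processinglibrary.model.CloudTrailEvent;
import com.amazonaws.services.cloudtrail.processinglibrary.model.CloudTrailEventData;
import com.amazonaws.services.cloudtrail.processinglibrary.model.UserIdentity;

// Added example, not part of the library: report API calls that failed authorization.
public class AccessDeniedMonitor {
    // EventFilter decides which events reach the processor; keep only denied calls.
    static class AccessDeniedFilter implements EventFilter {
        @Override
        public boolean filterEvent(CloudTrailEvent event) throws CallbackException {
            String errorCode = event.getEventData().getErrorCode();
            return "AccessDenied".equals(errorCode)
                || "Client.UnauthorizedOperation".equals(errorCode);
        }
    }
    // EventsProcessor receives each batch of events that passed the filter.
    static class AccessDeniedProcessor implements EventsProcessor {
        @Override
        public void process(List<CloudTrailEvent> events) throws CallbackException {
            for (CloudTrailEvent event : events) {
                CloudTrailEventData data = event.getEventData();
                UserIdentity who = data.getUserIdentity();   // may be absent on some events
                // Hand off to your alerting pipeline; stdout is used here for brevity.
                System.out.printf("%s %s:%s by %s from %s (%s)%n",
                    data.getEventTime(), data.getEventSource(), data.getEventName(),
                    who == null ? "unknown" : who.getArn(),
                    data.getSourceIPAddress(), data.getErrorCode());
            }
        }
    }
    // ExceptionHandler sees library-side failures (download, parse); never drop them silently.
    static class LoggingExceptionHandler implements ExceptionHandler {
        @Override
        public void handleException(ProcessingLibraryException exception) {
            System.err.println("processing failure: " + exception.getMessage());
        }
    }
    public static void main(String[] args) {
        // Assumed path; the properties file carries sqsUrl, sqsRegion and credential settings.
        AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
                new AccessDeniedProcessor(), "awscloudtrailprocessinglibrary.properties")
            .withEventFilter(new AccessDeniedFilter())
            .withExceptionHandler(new LoggingExceptionHandler())
            .build();
        executor.start();   // polls SQS until stop() is called
    }
}
```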

Getting Started

Minimum Requirements

  • AWS Java SDK 1.12.261: To use the AWS CloudTrail Processing Library, you'll need the AWS Java SDK.
  • Java 1.8: The AWS CloudTrail Processing Library requires Java 1.8 (Java SE 8) or later.

Documentation

To learn how to use the AWS CloudTrail Processing Library to build a CloudTrail log processor in Java, read the documentation:

Building From Source

After you've downloaded the code from GitHub, you can build it using Apache Maven. To disable GPG signing in the build, use this command:

mvn clean install -Dgpg.skip=true

Release Notes

Release 1.6.2 (Nov 30, 2023)

  • Added support for modeling EdgeDeviceDetails

Release 1.6.1 (May 19, 2023)

  • Added support for test scenario for UserType IdentityCenterUser

Release 1.6.0 (May 8, 2023)

  • Updated CloudTrailEvent version to 1.12
  • Added support for UserIdentity

Release 1.5.2 (Sep 6, 2022)

  • Update AWS Java SDK (S3/SQS) version to 1.12.261.

Release 1.5.1 (July 26, 2022)

  • Update AWS Java SDK (S3/SQS) version to 1.12.x

Release 1.5.0 (Jan 26, 2022)

  • Added support for implementing custom S3 manager.
  • Added event logging to log file parsing-related exceptions.
  • Added support for parsing optional errorCode field in insightDetails.
  • Updated account ID parsing regex to accept non-numerical values.

Release 1.4.0 (Jan 11, 2021)

  • Added support for parsing the following new top-level optional fields:
    • addendum
    • edgeDeviceDetails
    • tlsDetails
    • sessionCredentialFromConsole
  • Updated the CloudTrail event version to 1.08.

Release 1.3.0 (Jul 30, 2020)

  • Added support for parsing new section, attributions, in insightContext.
  • Added support for parsing new fields, baselineDuration, in statistics section in insightContext.
  • Added thread configuration for s3 client, sqs client, and sqs reader to enable performance tuning.
  • Updated minimum required Java SE version to 1.8.

Release 1.2.0 (Nov 20, 2019)

  • Added support for a new eventCategory attribute to indicate whether an event is a management, data, or Insights event.
  • Added support for Insights events, including new attributes like insightDetails or insightContext.
  • Updated the CloudTrail event version to 1.07.

Release 1.1.3 (Oct 18, 2018)

  • Added support for automatically deleting the initial SNS validation message sent whenever an SNS topic for a trail is configured or updated. In previous releases, these messages had to be manually deleted.

Release 1.1.2 (May 16, 2018)

  • Patch Release 1.1.1

Release 1.1.1 (Nov 30, 2017)

  • Added support for Boolean identification of management events.
  • Updated the CloudTrail event version to 1.06.

Release 1.1.0 (Jun 1, 2017)

  • Add support for different formats for SQS messages from the same SQS queue to identify CloudTrail log files. This includes the following:
    • Notifications that CloudTrail sends to an SNS topic.
    • Notifications that Amazon S3 sends to an SNS topic.
    • Notifications that Amazon S3 sends directly to the SQS queue.
  • Add support for the new deleteMessageUponFailure property. Use this property to delete messages that the CloudTrail Processing Library can't process, such as the following:
    • Parsing message failure:
      • File is not JSON.
      • Notification is not an s3:ObjectCreated:Put event.
      • CloudTrail digest files and other unsupported formats, such as .jpeg or .txt.
    • Consuming log failure, such as processing events in a log file.

Note: If deleteMessageUponFailure is true, the CloudTrail Processing Library may delete messages that it can't process. The default value is false.

Release 1.0.4 (Jan 17, 2017)

  • Add support for ARN prefix to identify the ARNPrefix associated with the resource. Resource must have either ARN or ARNPrefix, but not both.
  • Add support for shared event ID to identify CloudTrail events from the same AWS action that is sent to different AWS accounts.
  • Add support for VPC endpoint ID to identify the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.
  • Add support for annotation to identify user provided annotation tagging delivered by CloudTrail.
  • Add support for identity provider to identify the principal name of the external identity provider.

Release 1.0.3 (Oct 5, 2016)

  • Add support for service events; additional information is provided in the serviceEventDetails field.
  • Add support for Resource type to identify the resource's type in a given CloudTrail event.
  • Update AWS Java SDK to version 1.11.
  • Update the latest supported CloudTrail event version to 1.05.
  • Lowered the "event version is not supported by CloudTrail" warning log message to debug level.

Release 1.0.1 (Oct 28, 2015)

  • Update AWS Java SDK to version 1.10.

Release 1.0.0 (Nov 3, 2014)

  • Initial release.

aws-cloudtrail-processing-library's Issues

Message truncated in cloudtrail

Good afternoon, the message in CloudTrail appears incomplete, does anyone know how to retrieve the complete encoded message?

eg.:
"errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: yy00r41dxhsGHv2wBQ6iAaslG-_TOIqTkRzNZxyp9HZH9guY5aCjlsPBxxM8myj_Y2pLcK0jhv7-dysstqTNhwrY1EZjM1y3biI8lVziop7LkyGx6WTkA8Zcae-f5s3grzQCKwzTsANzE5v4UeuikcACczPrAxXRRloVxVvJokwXwHytymJ3UNOA_FG_1XfYvUtv9kgqE6-Yx6mrx7N5EeT0nX_e1iiNnSdSKNA9VmHITSwNaHdkAtoR_etVANZOO4wD78j5_PddNQemoiG0H9q4053r1xbHITwH-uV2HVOqzeSz-sv9Fk3GoRzQJ-w149RgOxRN3t4HX3jcOUMRfP6vOYmFaIo3llx_UZGtRpl_AtV6HvLm17kxNiK-Kg1ER8wZGVU2xRFAZhWgHstBz1ia0ZigEE9PKXZbn0RUBXM_dQkJsHgL3BhZCs27EtxWSMNkxPcOPy8_5Go2NYJ_pYOFUI9pnIZCUEz1pYRsW7ylK9QTxuG5iJpbjFGjX_SBnNA9u_hheKi8SmQ3lO6izedi_Tl5zJRTKp9B7FXrMXfbWYPupMylzVP9pSCih_fs2ZHWNPpa70U4g8IecipPm-UtYdM8svUmX0uDy-zAVgeAjFIWp52JWMfgWLvqUtGfFcz54xokwwezzDjikmVM75-GqSF4fLovXqQFC82k3wMqpblHvFFXSgXIas5pItLOK-k67b-NAQDA0BQMirjaWOzy271k7TlWp2twfMrOITcXCjYbMa35eCvSIry_bR-dYi6qSDyskAOi053KARVw1o0kZrSU8om7qG1Ppt_8rbjyn_op5lDZ6XzD63LHSgNv18rMlOMLt00rMSa4Bjt0du39rVcEv6uYl4Q4O0nmdQDk1fgLiC6IqOa1GPPvHRNHlTqeRvu-Z85JrbREHJN-ZhV8irX9qrGrnBMd...",

The artifacts deployed to Maven are fat JARs (50MB+)

The artifacts deployed to the Maven repository are fat JARs, 50MB+, instead of ~90kb.

This is not only a size issue, but inside the JARs are complete versions of all the dependencies in the tree, such as Jackson (old one), a version that conflicts with my project's version (newer).
These bundled dependencies cannot be excluded by a pom's exclusion, as they are not a dependency once they are baked into the JAR.

At this point the only workaround for me is to compile on my own and deploy to a private maven repo.

How to get the "resource name" while using the Cloudtrail processing library

In the screenshot of event history (taken from the CloudTrail web console), the name of the bucket affected by a change is reflected under the column "Resource name". How can I retrieve this same value using the aws-cloudtrail-processing-library? The library returns the name of the bucket where CloudTrail saves the log files and not the affected bucket. Also, even after downloading the logs from the bucket, I do not see this information.

Do I need to use the LookupAttribute as stated in the documentation for the CloudTrail API?

Library can't process cloudtrail SNS validation messages

When a cloudtrail is set up, it not only sends notification messages to the SQS queue but also validation messages like this one.

{
"Type" : "Notification",
"MessageId" : "e8ec0cb4-e3cc-5533-8e72-5f0cb6428101",
"TopicArn" : "arn:aws:sns:us-east-2:69443:ionAudit",
"Message" : "CloudTrail validation message.",
"Timestamp" : "2018-07-05T17:20:14.111Z",
"SignatureVersion" : "1",
"Signature" : "63Bsy+S5euNtWQx3eebA9wFZN+mLJbw8cD3ArhI+d8GzVJ2DDtqklDR5ktKpqrxtcyl3fU6QxGuy7BlVYCO0HHn3oASMAtYDc5UxQa0YMYomhE2vMsAyG11fksqJ/Pgr0jd/DpBT01Ue8cvW15/JuKzXj50pZLWP1oKcJ4S2qpn02tFwNMr6CwqP0/DVZs5Td/xT6n9LMm4+IoPGT2L1rIwCKOe/C2l3MKGkPUPgNnT+dADN9jxOevsaPc9aXJueZQLGkJOtlNJKvnYYLcQB+p4A==",
"SigningCertURL" : "https://sns.us-east-2.amazonaws.com/Sd002d285f9598aa1d9b.pem",
"UnsubscribeURL" : "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:3:Sudit:bc854278-4a1d-413d-8a78-1206c8e4fe57"
}

The lib throws an exception when trying to parse these messages.

2018-07-05 16:58:23,765 ERROR pool-1-thread-1 cloudtrail.processinglibrary.impl.DefaultExceptionHandler:32 - Failed to parse sqs message.
com.amazonaws.services.cloudtrail.processinglibrary.exceptions.ProcessingLibraryException: Failed to parse sqs message.
at com.amazonaws.services.cloudtrail.processinglibrary.utils.LibraryUtils.handleException(LibraryUtils.java:170)
at com.amazonaws.services.cloudtrail.processinglibrary.manager.SqsManager.parseMessage(SqsManager.java:165)
at com.amazonaws.services.cloudtrail.processinglibrary.reader.EventReader.getSources(EventReader.java:113)
at com.amazonaws.services.cloudtrail.processinglibrary.AWSCloudTrailProcessingExecutor$ScheduledJob.run(AWSCloudTrailProcessingExecutor.java:175)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: SourceSerializerChain expect JSON content
at com.amazonaws.services.cloudtrail.processinglibrary.serializer.SourceSerializerChain.getCloudTrailSource(SourceSerializerChain.java:98)
at com.amazonaws.services.cloudtrail.processinglibrary.serializer.SourceSerializerChain.getSource(SourceSerializerChain.java:73)
at com.amazonaws.services.cloudtrail.processinglibrary.manager.SqsManager.parseMessage(SqsManager.java:158)
... 9 more
Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'CloudTrail': was expecting ('true', 'false' or 'null')
at [Source: (String)"CloudTrail validation message."; line: 1, column: 11]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:673)
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._reportInvalidToken(ReaderBasedJsonParser.java:2835)
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1889)
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:747)
at com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose(ObjectMapper.java:4030)
at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2539)
at com.amazonaws.services.cloudtrail.processinglibrary.utils.SNSMessageBodyExtractor.getMessageBody(SNSMessageBodyExtractor.java:37)
at com.amazonaws.services.cloudtrail.processinglibrary.serializer.CloudTrailSourceSerializer.getSource(CloudTrailSourceSerializer.java:59)
at com.amazonaws.services.cloudtrail.processinglibrary.serializer.SourceSerializerChain.getCloudTrailSource(SourceSerializerChain.java:96)

Seems like the lib should toss these messages. Or is there something I can setup so these validation messages don't go to my queue?

IllegalArgumentException: Invalid UUID string

Hi! I'm currently trying to use the DefaultEventSerializer.

In the AbstractEventSerializer:
Lines 495-496 are causing an IllegalArgumentException:
private UUID convertToUUID(String str) {
return UUID.fromString(str);
}

Context:
While I am processing CloudTrail logs, sometimes (maybe like 1-2 events every hour) an event has a "requestID" value which isn't a proper UUID, or so Java complains.

Lines 157-158 are the lines leading up to the use of that function.
158: eventData.add(key, this.convertToUUID(this.jsonParser.nextTextValue()));

Since this value isn't of any significance to me, it isn't any real issue, but the exception is however present when used in production.

DefaultEventsProcessor is always added with no way to remove

The following block of code will result in aws-cloudtrail-processing-library spamming the log output with event names every time an event is processed:

Builder factory = new Builder(this, configuration_).withExceptionHandler(this); cloudTrailExecutor_ = factory.build();

I believe the root cause is that the DefaultEventsProcessor is always registered for callbacks irrespective of whether or not an EventProcessor is defined.

https://github.com/aws/aws-cloudtrail-processing-library/blob/master/src/main/java/com/amazonaws/services/cloudtrail/processinglibrary/impl/DefaultEventsProcessor.java#L34

JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

I have been working on getting CloudTrail set up so that there is a central account where an S3 bucket lies for the CloudTrail logs to be written to and a central SQS queue subscribed to SNS topics in other accounts. This setup has been working successfully with the exception of some messages resulting in a JsonMappingException. The exact message is:

'''
JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token
'''

This exception is occurring in the library when attempting to parse the SQS message to determine its source. I reviewed one of the messages and found that the s3ObjectKey value is in fact a String rather than a List, which explains the exception. The library should support s3ObjectKey being a String if SQS messages carry a String for the value. The message itself does not appear to be a CloudTrail message, but it would seem that the library should support parsing the message successfully and reject it based on the fact that it's not a CloudTrail message, or give the user of the library the ability to reject the message.

Below are the relevant parts of an example message causing the issue:

'''
"Type" : "Notification",
"MessageId" : "",
"TopicArn" : "arn:aws:sns:us-west-2:222222222222:MyTopic",
"Subject" : "[AWS Config:us-west-2] Configuration History Delivery Completed for Account 222222222222",
"Message" : "{"s3ObjectKey":"us-west-2/AWSLogs/222222222222/Config/us-west-2/2015/11/17/ConfigHistory/222222222222_Config_us-west-2_ConfigHistory_AWS::EC2::Subnet_20151117T164715Z_20151117T222216Z_1.json.gz","s3Bucket":"MyBucket","notificationCreationTime":"2015-11-17T22:38:57.729Z","messageType":"ConfigurationHistoryDeliveryCompleted","recordVersion":"1.1"}",
"Timestamp" : "2015-11-17T22:38:57.744Z",
'''

Application not polling from SQS Queue

Hi,
I tried to run the sample application, SampleApp. However, it constantly returns:
pollQueue is false , and latency is 202832 milliseconds.
This seems to be from the SampleProgressReporter, and the executor never seems to go past the pollQueue phase. Any ideas on how to fix this? Thanks.

Best,
Michael Qiu
