gpt4 book ai didi

python - 使用 Python 解析 CloudTrail 日志

转载 作者:行者123 更新时间:2023-12-01 02:35:59 27 4
gpt4 key购买 nike

我正在开发一个 lambda 函数,该函数从 CloudTrail 获取事件并分析它们。

我有这个脚本:

 s3.download_file(bucket, key, download_path)
with gzip.open(download_path, "r") as f:
data = json.loads(f.read())
print json.dumps(data)
for event in data['Records']:
if event['eventName'] in event_list:
dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
for element in event['userIdentity']:
for session in element[0]['sessionContext']:
username = session['userName']
role = session['arn']

我无法从事件中获取 userNamearn 的值。我收到此错误:

string indices must be integers: TypeError
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 34, in lambda_handler
for session in element[0]['sessionContext']:
TypeError: string indices must be integers

如何做到这一点?正确的做法是什么?

这是 json 字符串:

 "userIdentity": {
"principalId": "aaaaaaaaaaaaaaaaaaaa",
"accessKeyId": "aaaaaaaaaaaaaaaaaaaaa",
"sessionContext": {
"sessionIssuer": {
"userName": "aaaaaaaaaaaaa",
"type": "Role",
"arn": "arn:aws:iam::aaaaaaaaaaaaaaaaaa:role/aaaaaaa",
"principalId": "aaaaaaaaaaaaaaaaaa",
"accountId": "aaaaaaaaaaaaaaaaaaa"
},
"attributes": {
"creationDate": "2017-09-14T15:03:08Z",
"mfaAuthenticated": "false"
}
},
"type": "AssumedRole",
"arn": "aaaaaaaaaaaaaaaaaaaaaaaa",
"accountId": "aaaaaaaaaaaaaaaaaa"
},

最佳答案

userIdentity 元素可能有也可能没有 sessionContext 元素,因为这些元素仅在该事件期间使用临时 IAM 凭证时才存在。

没有 sessionContextuserIdentity 元素如下所示:

"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAJ45Q7YFFAREXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Alice"
}

但是带有 sessionContext 元素的 userIdentity 看起来像这样:

"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"creationDate": "20131102T010628Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIDPPEZS35WEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
}
}
}

...如果没有发生角色联合,它甚至可能看起来像这样。

"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice",
"sessionContext": {"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2014-03-06T15:15:06Z"
}}
}

那么回到你的代码:

for element in event['userIdentity']:
for session in element[0]['sessionContext']:
username = session['userName']
role = session['arn']

element[0] 不存在,因为 sessionContext 不是列表。

如果您想获取使用的或假定的用户名和角色 ARN,我认为这可行。它考虑了直接通过 IAMUser 或通过 AssumedRole 完成的事件。

user_identity = event['userIdentity']

# check to see if we have a sessionContext[sessionIssuer]
if 'sessionIssuer' in user_identity.get('sessionContext', {}):
user_name = user_identity['sessionContext']['sessionIssuer']['userName']
arn = user_identity['sessionContext']['sessionIssuer']['arn']
else:
user_name = user_identity['userName']
arn = user_identity['arn']
<小时/>

作为处理循环的一部分:

for event in data['Records']:
if event['eventName'] in event_list:
dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
user_identity = event['userIdentity']

# check to see if we have a sessionContext[sessionIssuer]
if 'sessionIssuer' in user_identity.get('sessionContext', {}):
user_name = user_identity['sessionContext']['sessionIssuer']['userName']
arn = user_identity['sessionContext']['sessionIssuer']['arn']
else:
user_name = user_identity['userName']
arn = user_identity['arn']

关于python - 使用 Python 解析 CloudTrail 日志,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46222463/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com