Source code for hutch.security.parsers.cloudtrail

"""Provides parsers for extracting fields from AWS CloudTrail data."""

import json

import jmespath

from hutch.security.parsers.exceptions import FieldNotFoundException


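def user_identity(trail: str) -> str:
    """Attempts to extract a valid user identity from a trail.

    ``userIdentity.sessionContext.sourceIdentity`` is returned when present.
    Otherwise the segment after the first ``:`` of ``userIdentity.principalId``
    is returned.

    :param trail: An AWS CloudTrail trail as JSON (the fields read here sit at
        the top level of a single event record).
    :return: The extracted user identity.
    :raises FieldNotFoundException: If no identity can be extracted, including
        when ``principalId`` is not a string or has no non-empty segment after
        a ``:``.
    """
    haystack = json.loads(trail)

    # If we have a source identity, we should preference it. For attribution
    # it is also the stronger signal: AWS documents it as set once on the
    # initial role assumption and carried through chained role sessions.
    source_identity = jmespath.search(
        "userIdentity.sessionContext.sourceIdentity",
        haystack,
    )
    if source_identity is not None:
        return source_identity

    # Otherwise, try and parse a user from the principal.
    # NOTE(review): for assumed-role events the segment after ":" is the role
    # session name, which the AssumeRole caller picks unless IAM policy pins it
    # (e.g. a condition on sts:RoleSessionName). Consumers should treat this
    # value as a hint, not as a verified identity.
    principal_id = jmespath.search("userIdentity.principalId", haystack)
    if isinstance(principal_id, str):
        segments = principal_id.split(":")
        # A principalId without ":" (seen on events that are not assumed-role
        # or federated sessions) used to escape as IndexError from the [1]
        # lookup; report it through the module's own exception instead so
        # callers need only one handler. An empty segment is rejected too,
        # since an empty string is not a usable identity.
        if len(segments) > 1 and segments[1]:
            return segments[1]

    raise FieldNotFoundException("Could not extract a user identity from trail")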
def asg_name(trail: str) -> str:
    """Attempts to extract an Auto Scaling Group name from a trail.

    The name is read from the ``aws:autoscaling:groupName`` tag found under
    ``requestParameters.tagSpecificationSet.items[].tags[]``; the first
    matching tag wins.

    :param trail: An AWS CloudTrail trail as JSON.
    :return: The extracted ASG name.
    :raises FieldNotFoundException: If no tag with that key is present.
    """
    event = json.loads(trail)

    # Auto Scaling group names are pulled from tags. The "aws:" tag prefix is
    # reserved for AWS-generated tags, so this key is not one a user can set
    # directly on a resource.
    tag_entries = jmespath.search(
        "requestParameters.tagSpecificationSet.items[].tags[]",
        event,
    )

    # A missing or empty tag list falls straight through to the exception.
    for entry in tag_entries or ():
        if entry["key"] != "aws:autoscaling:groupName":
            continue
        return entry["value"]

    raise FieldNotFoundException(
        "Could not extract an Auto Scaling Group name from trail"
    )