Query Details

AWS Cloud Trail Aws Credential Access Getpassworddata

Query

AWSCloudTrail
| where EventName == "GetPasswordData"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events where the "GetPasswordData" action was performed. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by accessing the AWSCloudTrail data, which contains logs of AWS API calls.

  2. Filter: It filters the logs to only include events where the EventName is "GetPasswordData". This event typically involves retrieving password data for an EC2 instance.

  3. Invoke Function: It uses the invoke AWSIdentityRole() function to enrich the data with additional identity-related information.

  4. Select Columns: It selects a specific set of columns to display in the results. These columns include:

    • TimeGenerated: The timestamp of when the event was logged.
    • UserIdentityType, Identity, ActorRole: Information about the user or role that initiated the event.
    • UserIdentityAccountId, UserIdentityAccountName: Account details of the user.
    • RecipientAccountId, RecipientAccountName: Account details of the recipient.
    • AWSRegion: The AWS region where the event occurred.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Principal ID and ARN of the user.
    • SourceIpAddress: The IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Details about the event source and type.
    • ManagementEvent, ReadOnly: Flags indicating if it's a management event and if it's read-only.
    • ErrorCode, ErrorMessage: Any error codes or messages associated with the event.
    • RequestParameters, ResponseElements: Details of the request and response.
    • Resources: Resources involved in the event.
    • SessionMfaAuthenticated: Indicates if MFA was used in the session.
    • UserAgent: The user agent string of the requester.
    • AwsEventId: The unique identifier for the AWS event.

In summary, this query is used to track and analyze instances where password data is accessed in AWS, providing detailed information about the event and the entities involved.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

AWSCloudTrailwhere==invokeproject

Actions

GitHub