使用 get_object 从 S3 获取的 cloudtrail 日志的过滤输出
Filter output of cloudtrail logs obtained using get_object from S3
我正在使用 Lambda 函数来跟踪我的实例启动和停止时间。
我确实设置了我的踪迹 - 用于管理事件 - 我的 S3 存储桶附加了适当的权限。
我使用 get_object 从 S3 读取数据，代码如下。
Get_object 以字典的形式返回给我数据。我的下一步是过滤此数据——只保留 “eventName” 为 “StopInstances” 或 “StartInstances” 的记录。如果有人能告诉我如何做到这一点就太好了。我尝试了各种字典方法，但都没有效果。
lambda 处理程序代码:
def lambda_handler(event, context):
    """Lambda entry point: download the CloudTrail export object from S3 and return its raw bytes.

    ``event`` and ``context`` are the standard Lambda arguments; neither is read here,
    because the bucket and key are hard-coded below.

    Returns:
        The undecoded object body, exactly as ``StreamingBody.read()`` produced it
        (bytes, not a parsed dict — callers still need ``json.loads``).
    """
    s3_bucket = 'demo-cloudtrail-logs-ec2'
    s3_key = 'event_history_j.json'
    s3 = boto3.client('s3')
    response = s3.get_object(Bucket=s3_bucket, Key=s3_key)
    # NOTE(review): the body is returned verbatim, and the sample records carry
    # identity fields (accessKeyId, principalId, ARNs, userName). If this handler
    # is ever wired to an external trigger, filter before returning — confirm the
    # invocation path.
    body = response['Body'].read()
    return body
这个输出:
{"Records": [
{ "eventVersion": "1.07",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ARO",
"arn": "arn:aws",
"accountId": "0123456",
"accessKeyId": "ABCDEFGH",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ARO",
"arn": "JDHJDJDHJS",
"accountId": "0123456",
"userName": "XYZ@ABC.COM"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-04-22T23:16:28Z",
"mfaAuthenticated": "JDJDHFD"
}
}
},
"eventTime": "2022-04-22T23:34:46Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "eu-west-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-0039483"
},
{
"instanceId": "i-92399"
}
]
},
"force": DJDIJ
},
"responseElements": {
"requestId": "FJDSJFJDFJFDJDJ",
"instancesSet": {
"items": [
{
"instanceId": "i-0039483",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
},
{
"instanceId": "i-92399",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
}
]
}
},
"requestID": "758b",
"eventID": "68228982",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "01234567",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
},
{
"eventVersion": "1.07",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA",
"arn": "XYZ",
"accountId": "01234567",
"accessKeyId": "ABCDEFGH",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "EWUDHAKFJ",
"arn": "SJDSJDJSND",
"accountId": "01234567",
"userName": "ADKJDJAFDJFHDK"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-04-22T23:16:28Z",
"mfaAuthenticated": "TRUE"
}
}
},
"eventTime": "2022-04-22T23:34:43Z",
"eventSource": "compute-optimizer.amazonaws.com",
"eventName": "GetEC2InstanceRecommendations",
"awsRegion": "eu-west-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"instanceArns": [
"aSKSKASKASAA"
],
"maxResults": 0,
"accountIds": [
"273273273728"
]
},
"responseElements": null,
"requestID": "cb106ba",
"eventID": "d8f6",
"readOnly": true,
"eventType": "SJSDKDSK",
"managementEvent": true,
"recipientAccountId": "283283829382983",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
},
........
我无法使用 Pandas 和其他库。
我用来分隔事件的代码 -
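key = 'event_history_j.json'
bucket = 'demo-cloudtrail-logs-ec2'
client = boto3.client('s3')
# get_object returns a StreamingBody; read() yields the raw bytes of the export.
data = client.get_object(Bucket=bucket, Key=key)['Body'].read()
a = json.loads(data)
# A CloudTrail export is a single object with a top-level "Records" list.
data2 = a["Records"]
# step2: prepare data of stop and start instances
# The EC2 lifecycle calls we track; a set lookup replaces the duplicated
# if/elif branches and the redundant `else: pass` of the original loop.
TRACKED_EVENT_NAMES = {"StopInstances", "StartInstances"}
# .get() skips a record that has no eventName instead of raising KeyError.
# NOTE(review): CloudTrail records for calls that were denied or failed carry
# an `errorCode` field (not present in the sample); a StopInstances record
# with an errorCode did not actually stop anything, so exclude those if the
# timing needs to be exact.
data3 = [record for record in data2 if record.get('eventName') in TRACKED_EVENT_NAMES]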
它可以优化，但这是一个可行的解决方案！
我正在使用 Lambda 函数来跟踪我的实例启动和停止时间。
我确实设置了我的踪迹 - 用于管理事件 - 我的 S3 存储桶附加了适当的权限。 我使用 get_object 从 S3 读取数据，代码如下。 Get_object 以字典的形式返回给我数据。我的下一步是过滤此数据——只保留 “eventName” 为 “StopInstances” 或 “StartInstances” 的记录。如果有人能告诉我如何做到这一点就太好了。我尝试了各种字典方法，但都没有效果。
lambda 处理程序代码:
def lambda_handler(event, context):
    """Lambda entry point: download the CloudTrail export object from S3 and return its raw bytes.

    ``event`` and ``context`` are the standard Lambda arguments; neither is read here,
    because the bucket and key are hard-coded below.

    Returns:
        The undecoded object body, exactly as ``StreamingBody.read()`` produced it
        (bytes, not a parsed dict — callers still need ``json.loads``).
    """
    s3_bucket = 'demo-cloudtrail-logs-ec2'
    s3_key = 'event_history_j.json'
    s3 = boto3.client('s3')
    response = s3.get_object(Bucket=s3_bucket, Key=s3_key)
    # NOTE(review): the body is returned verbatim, and the sample records carry
    # identity fields (accessKeyId, principalId, ARNs, userName). If this handler
    # is ever wired to an external trigger, filter before returning — confirm the
    # invocation path.
    body = response['Body'].read()
    return body
这个输出:
{"Records": [
{ "eventVersion": "1.07",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ARO",
"arn": "arn:aws",
"accountId": "0123456",
"accessKeyId": "ABCDEFGH",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ARO",
"arn": "JDHJDJDHJS",
"accountId": "0123456",
"userName": "XYZ@ABC.COM"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-04-22T23:16:28Z",
"mfaAuthenticated": "JDJDHFD"
}
}
},
"eventTime": "2022-04-22T23:34:46Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "eu-west-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-0039483"
},
{
"instanceId": "i-92399"
}
]
},
"force": DJDIJ
},
"responseElements": {
"requestId": "FJDSJFJDFJFDJDJ",
"instancesSet": {
"items": [
{
"instanceId": "i-0039483",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
},
{
"instanceId": "i-92399",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
}
]
}
},
"requestID": "758b",
"eventID": "68228982",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "01234567",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
},
{
"eventVersion": "1.07",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA",
"arn": "XYZ",
"accountId": "01234567",
"accessKeyId": "ABCDEFGH",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "EWUDHAKFJ",
"arn": "SJDSJDJSND",
"accountId": "01234567",
"userName": "ADKJDJAFDJFHDK"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-04-22T23:16:28Z",
"mfaAuthenticated": "TRUE"
}
}
},
"eventTime": "2022-04-22T23:34:43Z",
"eventSource": "compute-optimizer.amazonaws.com",
"eventName": "GetEC2InstanceRecommendations",
"awsRegion": "eu-west-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"instanceArns": [
"aSKSKASKASAA"
],
"maxResults": 0,
"accountIds": [
"273273273728"
]
},
"responseElements": null,
"requestID": "cb106ba",
"eventID": "d8f6",
"readOnly": true,
"eventType": "SJSDKDSK",
"managementEvent": true,
"recipientAccountId": "283283829382983",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
},
........
我无法使用 Pandas 和其他库。
我用来分隔事件的代码 -
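key = 'event_history_j.json'
bucket = 'demo-cloudtrail-logs-ec2'
client = boto3.client('s3')
# get_object returns a StreamingBody; read() yields the raw bytes of the export.
data = client.get_object(Bucket=bucket, Key=key)['Body'].read()
a = json.loads(data)
# A CloudTrail export is a single object with a top-level "Records" list.
data2 = a["Records"]
# step2: prepare data of stop and start instances
# The EC2 lifecycle calls we track; a set lookup replaces the duplicated
# if/elif branches and the redundant `else: pass` of the original loop.
TRACKED_EVENT_NAMES = {"StopInstances", "StartInstances"}
# .get() skips a record that has no eventName instead of raising KeyError.
# NOTE(review): CloudTrail records for calls that were denied or failed carry
# an `errorCode` field (not present in the sample); a StopInstances record
# with an errorCode did not actually stop anything, so exclude those if the
# timing needs to be exact.
data3 = [record for record in data2 if record.get('eventName') in TRACKED_EVENT_NAMES]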
它可以优化，但这是一个可行的解决方案！