Add whether the action is recorded in CloudTrail
0xdabbad00 opened this issue · 5 comments
I created a list of actions and whether they are recorded in CloudTrail: https://github.com/duo-labs/cloudtracker/blob/master/cloudtrail_supported_actions.txt
I think it would make sense to record that information somehow in your data structures so I could better make use of your project in https://github.com/duo-labs/cloudtracker
Any thoughts?
Hey Scott,
I just got back from a very extended parental leave.
Love your idea. Is your cloudtracker txt file up to date?
^ Updated URL to the cloudtracker file
No, my file is not up-to-date. I started digging into https://github.com/willbengtson/trailblazer-aws . I'm hoping soon to have a mapping of privilege <-> CloudTrail event.
@mcpeak - We've been keeping an internal mapping for a while. It doesn't use @willbengtson's trailblazer, but that would be a real neat way to do it.
Every once in a while we'll see something in cloudtrail where there's no corresponding permission in the AWS console.
Today we saw elasticmapreduce:listeditors, which exists in their docs but not in their policy generator:
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-notebooks-IAM-actions.html
FYI - just switched policyuniverse to a new data format and pushed a new version to pypi. Let me know if you have any issues with it. I have a job that gathers the data every night and am working on something to PR it back to the library when there's a new service or permission.
This data is not provided in Amazon's service description files (which I am reverse engineering from the AWS Console). I'm marking this issue as "stale" and I'll continue to see if AWS can provide this in the future, but it might take a while.
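The mapping the thread is asking for is useful to a defender mainly as an audit-coverage check: given an IAM policy, which of the actions it grants would leave no CloudTrail record? The script below is an added example, not code from cloudtracker, policyuniverse or any commenter. It assumes the recorded-action list is one `service:Action` per line (the shape of the cloudtracker text file is an assumption here) and that the "all known actions" data is a simple service-to-action-list dictionary; both inputs are constructed samples embedded inline, deliberately incomplete, and not real CloudTrail coverage data. `NotAction`, conditions and resource scoping are not modeled.

```python
import fnmatch
import json

# Constructed sample in the assumed cloudtracker format: one "service:Action"
# per line for actions that CloudTrail records. Not real coverage data.
SAMPLE_RECORDED_ACTIONS = """\
# constructed sample, not the real list
iam:CreateUser
iam:DeleteUser
iam:AttachUserPolicy
s3:CreateBucket
s3:DeleteBucket
s3:PutBucketPolicy
sts:AssumeRole
"""

# Constructed sample standing in for the policyuniverse "all known actions" data:
# service -> every known action name (assumed shape).
SAMPLE_ALL_ACTIONS = {
    "iam": ["CreateUser", "DeleteUser", "AttachUserPolicy", "GetUser", "ListUsers"],
    "s3": ["CreateBucket", "DeleteBucket", "PutBucketPolicy", "GetObject", "PutObject", "ListBucket"],
    "sts": ["AssumeRole", "GetCallerIdentity"],
}

# Constructed IAM policy document to analyse (wildcards, string vs list Action,
# and an explicit Deny are all exercised).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:*User*", "s3:Put*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"},
    ],
})


def parse_recorded_actions(text):
    """Parse the action list into a set of lowercase 'service:action' strings."""
    recorded = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            recorded.add(line.lower())
    return recorded


def expand_action(pattern, all_actions):
    """Expand one IAM action pattern to the concrete actions it matches.

    IAM action matching is case-insensitive and '*' / '?' are wildcards; a bare
    '*' (no colon) matches every action of every service.
    """
    service, _, action_glob = pattern.partition(":")
    action_glob = action_glob or "*"
    matches = set()
    for svc, actions in all_actions.items():
        if not fnmatch.fnmatchcase(svc.lower(), service.lower()):
            continue
        for act in actions:
            if fnmatch.fnmatchcase(act.lower(), action_glob.lower()):
                matches.add(f"{svc}:{act}")
    return matches


def allowed_actions(policy_json, all_actions):
    """Return the concrete actions the policy allows, minus explicit denies."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in actions:
            target |= expand_action(pattern, all_actions)
    return allowed - denied


def audit_gaps(policy_json, recorded_text, all_actions):
    """Sorted list of allowed actions that have no CloudTrail record."""
    recorded = parse_recorded_actions(recorded_text)
    granted = allowed_actions(policy_json, all_actions)
    return sorted(a for a in granted if a.lower() not in recorded)


if __name__ == "__main__":
    for action in audit_gaps(SAMPLE_POLICY, SAMPLE_RECORDED_ACTIONS, SAMPLE_ALL_ACTIONS):
        print(f"allowed but not recorded in CloudTrail: {action}")
```

Wildcard expansion is done against the full action list rather than the policy text alone, which is exactly why the thread wants the "all actions" data and the "recorded" data in one place: a policy granting `s3:Put*` cannot be judged for audit coverage without knowing which concrete `Put` actions exist. Data-event actions such as `s3:PutObject` show up as gaps in this sample because the constructed list only models management events; a real check would need to account for whether data-event logging is enabled on the trail.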