N00b question: How to find the actual "Unauthorized API Call" that triggered the alarm
Closed this issue · 3 comments
peterflat commented
I am not the best at navigating CloudTrail, but I am usually able to find things. However, after installing this excellent set of cloudfront scripts, I am getting notifications every so often that there is an unauthorized API call, and I can't find them. Any assistance? Thank you again for creating this kit.
z0ph commented
Hey @peterflat,
There is no n00b question.
You can get more information about access denied on your account by using CloudWatch Logs Insights.
Use this query on the LogGroup of CloudTrail:
```
fields eventTime, eventName, eventSource, userIdentity.sessionContext.sessionIssuer.userName as Principal, userIdentity.invokedBy as InvokedBy, errorCode
| filter errorCode like /(Client.UnauthorizedOperation|AccessDenied)/
```
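An added example, not part of the reply above or of the project's code: the same filter applied offline to CloudTrail records exported as JSON (for instance from the trail's S3 bucket), plus a count per principal and call. The sample records, the function names and the fallback to `userIdentity.arn` for identities without a role session are assumptions.

```python
import re
from collections import Counter

# Same pattern as the Logs Insights filter; `like /.../` is an unanchored match.
DENIED = re.compile(r"(Client.UnauthorizedOperation|AccessDenied)")

def dig(record, dotted):
    """Walk a dotted path such as userIdentity.invokedBy; None if any key is absent."""
    node = record
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def denied_calls(records):
    """Return one row per denied call, with the fields the query selects."""
    rows = []
    for rec in records:
        code = rec.get("errorCode") or ""
        if not DENIED.search(code):
            continue
        # Assumption: IAM users have no sessionIssuer, so fall back to the ARN.
        principal = (dig(rec, "userIdentity.sessionContext.sessionIssuer.userName")
                     or dig(rec, "userIdentity.arn") or "unknown")
        rows.append({"eventTime": rec.get("eventTime", ""), "eventName": rec.get("eventName"),
                     "eventSource": rec.get("eventSource"), "Principal": principal,
                     "InvokedBy": dig(rec, "userIdentity.invokedBy"), "errorCode": code})
    return sorted(rows, key=lambda r: r["eventTime"])

def summarize(rows):
    """Count denied calls per (Principal, eventSource, eventName, errorCode)."""
    return Counter((r["Principal"], r["eventSource"], r["eventName"], r["errorCode"])
                   for r in rows).most_common()

# Constructed sample records (not real events), shaped like CloudTrail's "Records" entries.
ROLE = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "app-role"}}}
SAMPLE = [
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": ROLE},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": ROLE},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": ROLE},
    {"eventTime": "2024-01-01T10:08:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "ThrottlingException", "userIdentity": ROLE},
]

if __name__ == "__main__":
    rows = denied_calls(SAMPLE)
    for r in rows:
        print(r)
    for key, n in summarize(rows):
        print(n, *key)
```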
peterflat commented
Thank you so much for the quick response! 🙏
z0ph commented