zoph-io/aws-security-survival-kit

N00b question: How to find the actual "Unauthorized API Call" that triggered the alarm

Closed this issue · 3 comments

I am not the best at navigating CloudTrail, but I am usually able to find things. However, after installing this excellent set of cloudfront scripts, I am getting notifications every so often that there is an unauthorized API call and I can't find them. Any assistance? Thank you again for creating this kit.

z0ph commented

Hey @peterflat,

There is no n00b question.

You can get more information about access denied on your account by using CloudWatch Logs Insights.

Use this query on the CloudTrail LogGroup:

```
fields eventTime, eventName, eventSource, userIdentity.sessionContext.sessionIssuer.userName as Principal, userIdentity.invokedBy as InvokedBy, errorCode
| filter errorCode like /(Client.UnauthorizedOperation|AccessDenied)/
```
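As an added example (not code from the kit or from this thread), the same filter and field projection applied in Python to raw CloudTrail records, for triaging from the log files CloudTrail delivers to S3 rather than from Logs Insights; the sample records are constructed, and the loader assumes the standard gzipped `{"Records": [...]}` delivery format.

```python
import gzip
import json
import re

# Same errorCode pattern as the Logs Insights filter above.
ERROR_PATTERN = re.compile(r"(Client\.UnauthorizedOperation|AccessDenied)")


def principal_of(identity: dict) -> str:
    """Mirror the query's Principal column: prefer the assumed role's
    sessionIssuer userName, then fall back to an IAM user name or ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or identity.get("userName") or identity.get("arn", "unknown")


def find_denied_calls(records) -> list:
    """Return records whose errorCode matches, projected to the fields the query shows."""
    hits = []
    for rec in records:
        code = rec.get("errorCode", "")
        if not ERROR_PATTERN.search(code):
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "eventSource": rec.get("eventSource"),
            "Principal": principal_of(identity),
            "InvokedBy": identity.get("invokedBy"),
            "errorCode": code,
        })
    return hits


def load_records(path: str) -> list:
    """Read one CloudTrail S3 delivery file (gzipped JSON with a 'Records' key)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


# Constructed sample records: a denied EC2 call by an assumed role, a denied S3 call
# invoked by a service, and one successful call that must not be reported.
SAMPLE_RECORDS = [
    {"eventTime": "2022-11-15T15:30:33Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "ReadOnly"}}}},
    {"eventTime": "2022-11-15T15:31:10Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "errorCode": "AccessDenied", "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
    {"eventTime": "2022-11-15T15:32:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for hit in find_denied_calls(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

To run it over real logs, replace `SAMPLE_RECORDS` with `load_records("<path to a CloudTrail .json.gz file>")`.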

Thank you so much for the quick response! 🙏

z0ph commented

I've added a new dashboard; it will be easier to follow what is ringing on your account 🔔

[Screenshot of the new dashboard, 2022-11-15]