1

I am working on a Lambda function that gets events from CloudTrail and analyzes them. Parsing CloudTrail logs with Python

I have this script:

s3.download_file(bucket, key, download_path)
with gzip.open(download_path, "r") as f:
    data = json.loads(f.read())
    print json.dumps(data)
    for event in data['Records']:
        if event['eventName'] in event_list:
            dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
            for element in event['userIdentity']:
                for session in element[0]['sessionContext']:
                    username = session['userName']
                    role = session['arn']

I can't get the userName and arn values out of the event. I get this error:

string indices must be integers: TypeError 
Traceback (most recent call last): 
File "/var/task/lambda_function.py", line 34, in lambda_handler 
for session in element[0]['sessionContext']: 
TypeError: string indices must be integers 

How can I make this work? What is the right way?

Here is the JSON string:

"userIdentity": {
    "principalId": "aaaaaaaaaaaaaaaaaaaa",
    "accessKeyId": "aaaaaaaaaaaaaaaaaaaaa",
    "sessionContext": {
        "sessionIssuer": {
            "userName": "aaaaaaaaaaaaa",
            "type": "Role",
            "arn": "arn:aws:iam::aaaaaaaaaaaaaaaaaa:role/aaaaaaa",
            "principalId": "aaaaaaaaaaaaaaaaaa",
            "accountId": "aaaaaaaaaaaaaaaaaaa"
        },
        "attributes": {
            "creationDate": "2017-09-14T15:03:08Z",
            "mfaAuthenticated": "false"
        }
    },
    "type": "AssumedRole",
    "arn": "aaaaaaaaaaaaaaaaaaaaaaaa",
    "accountId": "aaaaaaaaaaaaaaaaaa"
},
+0

What do you get if you print 'session'? Could you be at the wrong level of the JSON?

+0

Sorry, I misread the error. Can you print 'element'?

Answer

2

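The userIdentity element may or may not have a sessionContext element, because those only exist if temporary IAM credentials were used during the event.

A userIdentity element without a sessionContext looks like this: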

"userIdentity": { 
    "type": "IAMUser", 
    "principalId": "AIDAJ45Q7YFFAREXAMPLE", 
    "arn": "arn:aws:iam::123456789012:user/Alice", 
    "accountId": "123456789012", 
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE", 
    "userName": "Alice" 
} 

But a userIdentity with a sessionContext element looks like this:

"userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
    "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
        "attributes": {
            "creationDate": "20131102T010628Z",
            "mfaAuthenticated": "false"
        },
        "sessionIssuer": {
            "type": "Role",
            "principalId": "AROAIDPPEZS35WEXAMPLE",
            "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
            "accountId": "123456789012",
            "userName": "RoleToBeAssumed"
        }
    }
}

...or it could even look like this if no role federation took place.

"userIdentity": { 
    "type": "IAMUser", 
    "principalId": "EX_PRINCIPAL_ID", 
    "arn": "arn:aws:iam::123456789012:user/Alice", 
    "accountId": "123456789012", 
    "accessKeyId": "EXAMPLE_KEY_ID", 
    "userName": "Alice", 
    "sessionContext": {"attributes": { 
     "mfaAuthenticated": "false", 
     "creationDate": "2014-03-06T15:15:06Z" 
    }} 
} 

So, back to your code:

for element in event['userIdentity']:
    for session in element[0]['sessionContext']:
        username = session['userName']
        role = session['arn']

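element[0] doesn't exist because sessionContext is not a list.

If you want to get the user name and role ARN that was used or assumed, I think this will work. It takes into account events done directly through an IAMUser or through an AssumedRole.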

user_identity = event['userIdentity'] 

# check to see if we have a sessionContext[sessionIssuer] 
if 'sessionIssuer' in user_identity.get('sessionContext', {}): 
    user_name = user_identity['sessionContext']['sessionIssuer']['userName'] 
    arn = user_identity['sessionContext']['sessionIssuer']['arn'] 
else: 
    user_name = user_identity['userName'] 
    arn = user_identity['arn'] 

As part of your processing loop:

for event in data['Records']:
    if event['eventName'] in event_list:
        dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
        user_identity = event['userIdentity']

        # check to see if we have a sessionContext[sessionIssuer]
        if 'sessionIssuer' in user_identity.get('sessionContext', {}):
            user_name = user_identity['sessionContext']['sessionIssuer']['userName']
            arn = user_identity['sessionContext']['sessionIssuer']['arn']
        else:
            user_name = user_identity['userName']
            arn = user_identity['arn']
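
An added example, not part of the answer above or of the asker's code: a Python 3 version of the same lookup, run over a gzipped log file held in memory, covering the three userIdentity shapes shown in the answer. It goes one step further by assuming that Root and AWSService identities may omit userName and arn; the names extract_actor, parse_trail and the sample records are constructed for illustration.

```python
import gzip
import json
from datetime import datetime

def extract_actor(user_identity):
    """Return (user_name, arn) for one userIdentity dict; either may be None."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer")
    if issuer:  # temporary credentials: report the role that issued the session
        return issuer.get("userName"), issuer.get("arn")
    # IAMUser, with or without sessionContext.attributes. Assumption beyond the
    # page: Root/AWSService identities may omit userName and arn, so fall back
    # to invokedBy or the identity type rather than raising KeyError.
    name = (user_identity.get("userName") or user_identity.get("invokedBy")
            or user_identity.get("type"))
    return name, user_identity.get("arn")

def parse_trail(gz_bytes, event_list):
    """Return [(eventTime, eventName, user_name, arn)] for the wanted events."""
    data = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    rows = []
    for event in data.get("Records", []):
        if event.get("eventName") not in event_list:
            continue
        when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        actor = extract_actor(event.get("userIdentity", {}))
        rows.append((when, event["eventName"]) + actor)
    return rows

ALICE = "arn:aws:iam::123456789012:user/Alice"
ROLE = "arn:aws:iam::123456789012:role/RoleToBeAssumed"
# Constructed sample log file: the answer's three shapes plus one service call.
SAMPLE = gzip.compress(json.dumps({"Records": [
    {"eventName": "RunInstances", "eventTime": "2017-09-14T15:03:08Z",
     "userIdentity": {"type": "IAMUser", "userName": "Alice", "arn": ALICE}},
    {"eventName": "RunInstances", "eventTime": "2017-09-14T15:04:00Z",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "attributes": {"mfaAuthenticated": "false"},
         "sessionIssuer": {"type": "Role", "userName": "RoleToBeAssumed", "arn": ROLE}}}},
    {"eventName": "RunInstances", "eventTime": "2017-09-14T15:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "Alice", "arn": ALICE,
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventName": "AssumeRole", "eventTime": "2017-09-14T15:06:00Z",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
    {"eventName": "DescribeInstances", "eventTime": "2017-09-14T15:07:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "Alice", "arn": ALICE}},
]}).encode("utf-8"))

if __name__ == "__main__":
    for row in parse_trail(SAMPLE, {"RunInstances", "AssumeRole"}):
        print(row)
```

For an assumed role this reports the issuing role rather than the session; keep the top-level arn as well if individual sessions need to be told apart during an investigation.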