About userAgent value in CloudTrail logs
When you query CloudTrail logs with Athena, you get records like the following:
1.08,"{type=IAMUser, principalid=xxxxxxxxxx, arn=arn:aws:iam::<accound-id>:user/test, accountid=<accound-id>, invokedby=null, accesskeyid=xxxxxxxxx, username=test, sessioncontext={attributes={mfaauthenticated=true, creationdate=2022-01-18T04:21:20Z}, sessionissuer={type=null, principalid=null, arn=null, accountid=null, username=null}}}",2022-01-18T08:10:38Z,elasticloadbalancing.amazonaws.com,DescribeTargetGroups,ap-northeast-1,54.64.212.247,"EC2ConsoleFrontend, aws-internal/3 aws-sdk-java/1.12.100 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.312-b07 java/1.8.0_312 vendor/Oracle_Corporation cfg/retry-mode/standard",,,null,null,,2f2a1253-c840-413f-ac2f-ca9c6b4e224c,5ecfee31-8640-485e-889f-dea6cead0d8c,,AwsApiCall,12/1/2015,TRUE,8.30427E+11,,,,ap-northeast-1,2022
We can see that the useragent column has a value like this:
EC2ConsoleFrontend, aws-internal/3 aws-sdk-java/1.12.100 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.312-b07 java/1.8.0_312 vendor/Oracle_Corporation cfg/retry-mode/standard
=> What does this agent mean?
Answer:
As per the CloudTrail documentation [1], useragent field denotes the agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI.
Since the value from your query mentioned AWS Internal, I believe this is an action that is initiated by AWS services in the backend.
References:
[1] CloudTrail record contents – https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
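To triage the useragent column across many records, the value can be split into its product/version tokens and bucketed by the kinds of agent the documentation lists. The following is an added example, not code from the original post or from AWS; the category names and the sample values other than the one from this page are constructed for illustration.

```python
from collections import Counter

# userAgent value taken from the record on this page
PAGE_UA = ("EC2ConsoleFrontend, aws-internal/3 aws-sdk-java/1.12.100 "
           "Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.312-b07 "
           "java/1.8.0_312 vendor/Oracle_Corporation cfg/retry-mode/standard")

# Constructed sample values in the style of the CloudTrail reference [1]
SAMPLES = [PAGE_UA, "console.amazonaws.com", "lambda.amazonaws.com",
           "aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5", "aws-sdk-ruby"]


def parse_user_agent(ua):
    """Return (label, {product: version}) for one userAgent string."""
    label, rest = None, ua.strip()
    head, comma, tail = rest.partition(",")
    # A leading word before a comma (as in the page's record) is kept as a label.
    if comma and "/" not in head:
        label, rest = head.strip(), tail.strip()
    products = {}
    for token in rest.split():
        name, slash, version = token.strip(",").partition("/")
        if slash:
            products.setdefault(name, version)
    return label, products


def classify(ua):
    """Map a userAgent string to a coarse category (hypothetical names)."""
    _, products = parse_user_agent(ua)
    low = ua.strip().lower()
    if "aws-internal" in products or low == "aws internal":
        return "aws-internal"
    if low in ("console.amazonaws.com", "signin.amazonaws.com"):
        return "console"
    if low.endswith(".amazonaws.com"):
        return "aws-service"
    if "aws-cli" in products:
        return "aws-cli"
    if low.startswith("aws-sdk-") or any(p.startswith("aws-sdk-") for p in products):
        return "aws-sdk"
    return "other"


def summarize(user_agents):
    """Count categories across many records, e.g. an exported useragent column."""
    return Counter(classify(ua) for ua in user_agents)


if __name__ == "__main__":
    print(parse_user_agent(PAGE_UA))
    print(dict(summarize(SAMPLES)))
```

For calls made directly with an SDK or the CLI, the userAgent string is reported by the client, so treat the category as a triage hint and correlate it with useridentity and sourceipaddress before drawing conclusions.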