Create a Rule to ingest Cloudtrail metrics for Secrets Manager whenever a secret is retrieved
I have created a cloudtrail for my secrets manager to actively monitor whenever a user retrieves a secret.
I can see that it is working in cloudtrail via the bottom snippet.
I have configured my cloudtrail as below.
I have created a rule in eventbridge to essentially accept everything
But i am not getting any events when i am retrieving a secret.
According to the AWS documentation
Events from API actions that start with the keywords List, Get, or Describe are not processed by EventBridge, with the exception of events from the following STS actions: GetFederationToken and GetSessionToken.
As a result, EventBridge won't process GetSecretValue events as it starts with the keyword Get.
However, whenever someone tries to retrieve the secret value, behind-the-scenes the secretsmanager calls KMS to decrypt the secret value. So, you can rely on KMS API events to track the secret value access.
{
"source": ["aws.kms"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["kms.amazonaws.com"],
"eventName": ["Decrypt"],
"userIdentity": {
"invokedBy": ["secretsmanager.amazonaws.com"]
}
}
}
- S3: Invalid bucket name - Bucket name must match the regex
- PermanentRedirect error while uploading to S3 bucket with aws-sdk-java
- How to install Numpy and Pandas for AWS Lambdas?
- AWS IAM Policy to prevent accidental API Gateway delete
- Run an AWS ECS task
- Terraform Error: Error locking state: Error acquiring the state lock: 2 errors occurred:
- Can I access call transcripts for voice contacts programmatically in Amazon Connect?
- Oracle 19c Automatic Indexing
- AWS ELB redirect to https exposes internal hostname
- What be causing a "Network Failure" error when I try to add AWS Cognito authorization to my API Gateway?
- How to setup email forwarding with own domain on Amazon EC2?
- cannot create cluster in AWS Amazon Elastic Container Service
- AWS load balancer for Server Sent Events (SSE) or Websockets
- Aws-elb health check failing at 302 code
- msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV4Handler'] Check your credentials
- How to migrate an existing web application from Heroku to AWS
- AWS DotNet SDK Error: Unable to get IAM security credentials from EC2 Instance Metadata Service
- AWS IVS whip&whep on server
- correctly specifying Device Name for EBS volume while attaching to an ec2 instance and identifying it later using Device name
- ECS "InternalError: failed to normalize image reference"
- AWS CloudFront access denied to S3 bucket
- AWS SQS Long Polling doesn't reduce empty receives
- aws rds enable-http-endpoint not changing flag of postgres db cluster
- AWS S3 headObject not returning all metadata values in JS SDK
- Is it possible to filter metrics of AWS Cognito by user group?
- Can't install UFW on Amazon Linux server
- Unable to Connect to Amazon Redshift Serverless from Python - Connection Timeout
- How to find the aws-sdk version in v3 javascript
- Getting 403 (Forbidden) when uploading to S3 with a signed URL
- How many records should I put in a DynamoDb partition?