It’s all a Schema

With all the discussion of Prowler, CIS Benchmarks, and Wazuh, it seems we need a way to retrieve all the current AWS services and their event names. (They seem to be replicating like rabbits.)

One can wade through the AWS EventBridge rule catalogs and extract these, but that is tedious; researching the various AWS documents or searching the internet is about as easy as training a cat.

Then I met Eamonn Faherty, not in person but via his GitHub repository and the Python module aws-cloudtrail-events-schema, the use of which is neatly documented at https://github.com/eamonnfaherty/aws-cloudtrail-events-schema.

I’ll not go in-depth on things that are already documented far better than I could manage. Still, I will produce a script that extracts all the AWS services to a file, then extracts each service's event names into a series of lists, ready to be processed by other scripts for various purposes.

I’ll run this on my space heater machine: Ubuntu 22.10 with python3, pip3, and the AWS CLI v2 installed and configured. The script stores its results in a directory called aws-events under the executing directory.

The code block is as follows:

=========  Script to extract all aws services and event names ======

#!/bin/bash
# Setup for installing the cloudtrail schema module
#
# crawls 2022/11/14
#
# Assuming Ubuntu > 22.04 with AWS CLI v2 installed / configured, python3 and pip3.
#
set -e
echo "Installing Required Modules"
# Install the module only if the cloudtrail-schema command is not already on PATH
if ! command -v cloudtrail-schema >/dev/null 2>&1; then
    pip3 install aws-cloudtrail-events-schema
fi
echo "Generating Current Services and events listing(s)"
if [ ! -d ./aws-events ]; then
    mkdir ./aws-events
fi
cd aws-events
cloudtrail-schema > ./awsservices.txt
sed -i "1d" ./awsservices.txt               # drop the header line
sed -i 's/\(.\{2\}\)//' ./awsservices.txt   # strip the two-character list prefix
sort -o ./awsservices.txt ./awsservices.txt
# We now have a clean, sorted list of current AWS services.
#
echo "Extracting service events to configuration files"
echo "See ./aws-events/<SERVICENAME>.lst"
while IFS= read -r serviceevents
do
        cloudtrail-schema "$serviceevents" > ./"$serviceevents".lst
        sed -i "1d" ./"$serviceevents".lst
        sed -i 's/\(.\{2\}\)//' ./"$serviceevents".lst
        sort -o ./"$serviceevents".lst ./"$serviceevents".lst
done < ./awsservices.txt
#

Once the script completes, change into the aws-events directory and review the services and their event names.
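One of the "various purposes" those lists serve is checking how much of the CloudTrail event space your detection rules actually cover. The following is an added example, not code from the post or from the aws-cloudtrail-events-schema project: it reproduces the script's cleaning step in Python (drop the header line, strip the two-character prefix, sort and de-duplicate), reads the <SERVICENAME>.lst files the script writes when ./aws-events exists, and reports event names that no rule references. The sample cloudtrail-schema output, the MONITORED_EVENTS set and the function names are constructed for the example; the real tool's exact output formatting is not shown on the page and is assumed to match what the sed commands in the script expect.

```python
"""Added example (not from the original post or the aws-cloudtrail-events-schema
project): clean cloudtrail-schema output the way the shell script does, then
report CloudTrail event names that no detection rule references."""
from pathlib import Path

# Constructed sample of what `cloudtrail-schema` output is ASSUMED to look like:
# a header line followed by entries carrying a two-character prefix. This mirrors
# the `sed "1d"` and `sed 's/\(.\{2\}\)//'` steps in the script; the real tool's
# formatting is not shown on the page.
SAMPLE_SERVICE_OUTPUT = """\
services:
- s3
- iam
- ec2
- iam
"""

SAMPLE_EVENT_OUTPUT = {
    "iam": "events for iam:\n- CreateUser\n- DeleteUser\n- AttachUserPolicy\n- CreateAccessKey\n",
    "s3": "events for s3:\n- PutBucketPolicy\n- DeleteBucket\n- PutBucketAcl\n",
    "ec2": "events for ec2:\n- RunInstances\n- AuthorizeSecurityGroupIngress\n",
}

# Hypothetical set of event names our detection rules already reference.
MONITORED_EVENTS = {
    "iam": {"CreateUser", "DeleteUser"},
    "s3": {"PutBucketPolicy"},
}


def clean_schema_output(text: str) -> list[str]:
    """Equivalent of the script's sed/sort pipeline: drop the first (header)
    line, strip the first two characters of each remaining line, discard
    blanks, and return a sorted, de-duplicated list."""
    lines = text.splitlines()[1:]
    names = {name for name in (line[2:].strip() for line in lines) if name}
    return sorted(names)


def load_service_events(events_dir: Path) -> dict[str, list[str]]:
    """Read the <SERVICENAME>.lst files the script writes into ./aws-events.
    Those files are already cleaned, so no header or prefix handling is needed."""
    result = {}
    for lst in sorted(events_dir.glob("*.lst")):
        names = [l.strip() for l in lst.read_text().splitlines() if l.strip()]
        result[lst.stem] = sorted(set(names))
    return result


def coverage_gaps(service_events: dict[str, list[str]],
                  monitored: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return, per service, the event names present in the schema but not
    referenced by any detection rule. Services absent from `monitored` are
    reported in full, which is exactly what a reviewer wants to see."""
    gaps = {}
    for service, events in service_events.items():
        missing = sorted(set(events) - monitored.get(service, set()))
        if missing:
            gaps[service] = missing
    return gaps


def run_sample() -> dict[str, list[str]]:
    """Run the whole pipeline on the constructed samples (no AWS access needed)."""
    services = clean_schema_output(SAMPLE_SERVICE_OUTPUT)
    service_events = {s: clean_schema_output(SAMPLE_EVENT_OUTPUT[s]) for s in services}
    return coverage_gaps(service_events, MONITORED_EVENTS)


if __name__ == "__main__":
    events_dir = Path("./aws-events")
    if events_dir.is_dir():
        gaps = coverage_gaps(load_service_events(events_dir), MONITORED_EVENTS)
    else:
        gaps = run_sample()
    for service, missing in gaps.items():
        print(f"{service}: {len(missing)} unmonitored events: {', '.join(missing)}")
```

Run it from the directory that holds aws-events after the script has produced the .lst files, or anywhere else to see it work on the embedded sample. Replace MONITORED_EVENTS with the event names pulled from your own Wazuh rules (or whatever consumes CloudTrail) and the output becomes a per-service list of events that would currently pass through unnoticed.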