{"id":34079913,"url":"https://github.com/eamonnfaherty/aws-cloudtrail-events-schema","last_synced_at":"2025-12-14T11:04:31.208Z","repository":{"id":57413203,"uuid":"168702689","full_name":"eamonnfaherty/aws-cloudtrail-events-schema","owner":"eamonnfaherty","description":"The structure of the events from CloudTrail are similar to responses seen when using boto3. Boto3 is powered by the botocore library. The botocore library contains a data directory that describes the API calls (requests and responses). This library allows you to interact with the data directories of botocore to see the API request and responses. This is to help you write custom AWS Config rules and or CloudCustodian policies.","archived":false,"fork":false,"pushed_at":"2020-10-13T16:08:14.000Z","size":13,"stargazers_count":20,"open_issues_count":2,"forks_count":8,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-09-25T08:26:06.051Z","etag":null,"topics":["aws","cloudcustodian","cloudtrail","cloudwatch"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eamonnfaherty.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-01T13:37:23.000Z","updated_at":"2025-04-18T15:11:11.000Z","dependencies_parsed_at":"2022-09-07T03:00:41.540Z","dependency_job_id":null,"html_url":"https://github.com/eamonnfaherty/aws-cloudtrail-events-schema","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/eamonnfaherty/aws-cloudtrail-events-schema","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eamonnfaherty%2Faws-cloudtrail-events-schema","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eamonnfaherty%2Faws-cloudtrail-events-schema/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eamonnfaherty%2Faws-cloudtrail-events-schema/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eamonnfaherty%2Faws-cloudtrail-events-schema/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eamonnfaherty","download_url":"https://codeload.github.com/eamonnfaherty/aws-cloudtrail-events-schema/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eamonnfaherty%2Faws-cloudtrail-events-schema/sbom","scorecard":{"id":363730,"data":{"date":"2025-08-11","repo":{"name":"github.com/eamonnfaherty/aws-cloudtrail-events-schema","commit":"e6f769e1a5ec9db0f54f0d7a7d431dc3ef056ef9"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.9,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":1,"reason":"Found 1/10 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python:3.7.2-alpine3.8 to python:3.7.2-alpine3.8@sha256:6930a0325f40f1e2b501b48b5b122278bc578521e2d6b19aaf82b06222020420","Warn: pipCommand not pinned by hash: Dockerfile:3","Info: 0 out of 1 containerImage dependencies pinned","Info: 0 out of 1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T11:23:28.676Z","repository_id":57413203,"created_at":"2025-08-18T11:23:28.676Z","updated_at":"2025-08-18T11:23:28.676Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27726965,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-14T02:00:11.348Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudcustodian","cloudtrail","cloudwatch"],"created_at":"2025-12-14T11:04:29.493Z","updated_at":"2025-12-14T11:04:31.201Z","avatar_url":"https://github.com/eamonnfaherty.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Background\nThe AWS platform allows you to log API calls using [AWS CloudTrail](https://aws.amazon.com/cloudtrail).\n\nYou can use tools like [AWS Config](https://aws.amazon.com/config/) and [CaptialOne's CloudCustodian](https://github.com/cloud-custodian/cloud-custodian) \nto create security controls that react to these events.\n\n## The problem \nThere is not much documentation on the structure of the events. \n\n## What is this?\nThe structure of the events from CloudTrail are similar to responses seen when using boto3. \nBoto3 is powered by the botocore library. \nThe botocore library contains a data directory that describes the API calls (requests and responses).\nThis library allows you to interact with the data directories of botocore to see the API request and responses.\nThis is to help you write custom AWS Config rules and or CloudCustodian policies.\n\n## Examples\nRunning ```cloudtrail-schema``` with no arguements will list the services/sources:\n```yaml\nServices:\n- acm\n- acm-pca\n- alexaforbusiness\n- amplify\n- apigateway\n- apigatewaymanagementapi\n- apigatewayv2\n```\n\nRunning ```cloudtrail-schema iam``` with a service will list the operations/events:\n```yaml\nOperations:\n- AddClientIDToOpenIDConnectProvider\n- AddRoleToInstanceProfile\n- AddUserToGroup\n- AttachGroupPolicy\n- AttachRolePolicy\n- AttachUserPolicy\n- ChangePassword\n```\n\nRunning with a service and event ```cloudtrail-schema iam.CreatePolicy.output``` give the following output:\n```\nDescription\n------\n\u003cp\u003eCreates a new managed policy for your AWS account.\u003c/p\u003e \u003cp\u003eThis operation creates a policy version with a version identifier of \u003ccode\u003ev1\u003c/code\u003e and sets v1 as the policy's default version. For more information about policy versions, see \u003ca href=\"http://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html\"\u003eVersioning for Managed Policies\u003c/a\u003e in the \u003ci\u003eIAM User Guide\u003c/i\u003e.\u003c/p\u003e \u003cp\u003eFor more information about managed policies in general, see \u003ca href=\"http://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html\"\u003eManaged Policies and Inline Policies\u003c/a\u003e in the \u003ci\u003eIAM User Guide\u003c/i\u003e.\u003c/p\u003e\n\n\nResult\n------\n{\n \"policy\": {\n \"policyName\": {\n \"type\": \"string\",\n \"max\": 128,\n \"min\": 1,\n \"pattern\": \"[\\\\w+=,.@-]+\"\n },\n \"policyId\": {\n \"type\": \"string\",\n \"max\": 128,\n \"min\": 16,\n \"pattern\": \"[\\\\w]+\"\n },\n \"arn\": {\n \"type\": \"string\",\n \"documentation\": \"\u003cp\u003eThe Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.\u003c/p\u003e \u003cp\u003eFor more information about ARNs, go to \u003ca href=\\\"http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html\\\"\u003eAmazon Resource Names (ARNs) and AWS Service Namespaces\u003c/a\u003e in the \u003ci\u003eAWS General Reference\u003c/i\u003e. \u003c/p\u003e\",\n \"max\": 2048,\n \"min\": 20\n },\n \"path\": {\n \"type\": \"string\",\n \"pattern\": \"((/[A-Za-z0-9\\\\.,\\\\+@=_-]+)*)/\"\n },\n \"defaultVersionId\": {\n \"type\": \"string\",\n \"pattern\": \"v[1-9][0-9]*(\\\\.[A-Za-z0-9-]*)?\"\n },\n \"attachmentCount\": {\n \"type\": \"integer\"\n },\n \"permissionsBoundaryUsageCount\": {\n \"type\": \"integer\"\n },\n \"isAttachable\": {\n \"type\": \"boolean\"\n },\n \"description\": {\n \"type\": \"string\",\n \"max\": 1000\n },\n \"createDate\": {\n \"type\": \"timestamp\"\n },\n \"updateDate\": {\n \"type\": \"timestamp\"\n }\n }\n}\n```\n\n\n### Writing a CloudCustodian policy\nWhen you view a event response using this tool you can translate it easily into a a CloudCustodian policy:\n\n```\n# cloudtrail-schema iam.CreatePolicy.output\n\nDescription\n------\n\u003cp\u003eCreates a new managed policy for your AWS account.\u003c/p\u003e \u003cp\u003eThis operation creates a policy version with a version identifier of \u003ccode\u003ev1\u003c/code\u003e and sets v1 as the policy's default version. For more information about policy versions, see \u003ca href=\"http://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html\"\u003eVersioning for Managed Policies\u003c/a\u003e in the \u003ci\u003eIAM User Guide\u003c/i\u003e.\u003c/p\u003e \u003cp\u003eFor more information about managed policies in general, see \u003ca href=\"http://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html\"\u003eManaged Policies and Inline Policies\u003c/a\u003e in the \u003ci\u003eIAM User Guide\u003c/i\u003e.\u003c/p\u003e\n\n\nResult\n------\n{\n \"policy\": {\n \"policyName\": {\n \"type\": \"string\",\n \"max\": 128,\n \"min\": 1,\n \"pattern\": \"[\\\\w+=,.@-]+\"\n },\n \"policyId\": {\n \"type\": \"string\",\n \"max\": 128,\n \"min\": 16,\n \"pattern\": \"[\\\\w]+\"\n },\n \"arn\": {\n \"type\": \"string\",\n \"documentation\": \"\u003cp\u003eThe Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.\u003c/p\u003e \u003cp\u003eFor more information about ARNs, go to \u003ca href=\\\"http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html\\\"\u003eAmazon Resource Names (ARNs) and AWS Service Namespaces\u003c/a\u003e in the \u003ci\u003eAWS General Reference\u003c/i\u003e. \u003c/p\u003e\",\n \"max\": 2048,\n \"min\": 20\n },\n \"path\": {\n \"type\": \"string\",\n \"pattern\": \"((/[A-Za-z0-9\\\\.,\\\\+@=_-]+)*)/\"\n },\n \"defaultVersionId\": {\n \"type\": \"string\",\n \"pattern\": \"v[1-9][0-9]*(\\\\.[A-Za-z0-9-]*)?\"\n },\n \"attachmentCount\": {\n \"type\": \"integer\"\n },\n \"permissionsBoundaryUsageCount\": {\n \"type\": \"integer\"\n },\n \"isAttachable\": {\n \"type\": \"boolean\"\n },\n \"description\": {\n \"type\": \"string\",\n \"max\": 1000\n },\n \"createDate\": {\n \"type\": \"timestamp\"\n },\n \"updateDate\": {\n \"type\": \"timestamp\"\n }\n }\n}\n\n```\n\nYou use the argument to decide the mode.events.source and mode.events.event:\n\nsource: iam.amazonaws.com\nevent: CreatePolicy\n\nFull example:\n\n```yaml\npolicies:\n - name: iam-has-allow-all-policy\n description: |\n Notify when a policy is created using allow all\n resource: iam-policy\n mode:\n type: cloudtrail\n events:\n - source: iam.amazonaws.com\n event: CreatePolicy\n ids: \"responseElements.policy.policyId\"\n\n```\n\nThe json returned from the app can be used to write filters. The json returned\nis the same as the structure available from responseElements. You can write the \nfollowing policy as an example:\n\nRunning: ```cloudtrail-schema ec2.CreateVpcPeeringConnection.output``` results in\n\n```\nDescription\n------\n\u003cp\u003eRequests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection. The accepter VPC can belong to another AWS account and can be in a different Region to the requester VPC. The requester VPC and accepter VPC cannot have overlapping CIDR blocks.\u003c/p\u003e \u003cnote\u003e \u003cp\u003eLimitations and rules apply to a VPC peering connection. For more information, see the \u003ca href=\"http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-basics.html#vpc-peering-limitations\"\u003elimitations\u003c/a\u003e section in the \u003ci\u003eVPC Peering Guide\u003c/i\u003e.\u003c/p\u003e \u003c/note\u003e \u003cp\u003eThe owner of the accepter VPC must accept the peering request to activate the peering connection. The VPC peering connection request expires after 7 days, after which it cannot be accepted or rejected.\u003c/p\u003e \u003cp\u003eIf you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of \u003ccode\u003efailed\u003c/code\u003e.\u003c/p\u003e\n\n\nResult\n------\n{\n \"vpcPeeringConnection\": {\n \"accepterVpcInfo\": {\n \"cidrBlock\": {\n \"type\": \"string\"\n },\n \"ipv6CidrBlockSet\": {\n \"type\": \"list\",\n \"member\": {\n \"shape\": \"Ipv6CidrBlock\",\n \"locationName\": \"item\"\n }\n },\n \"cidrBlockSet\": {\n \"type\": \"list\",\n \"member\": {\n \"shape\": \"CidrBlock\",\n \"locationName\": \"item\"\n }\n },\n \"ownerId\": {\n \"type\": \"string\"\n },\n \"peeringOptions\": {\n \"allowDnsResolutionFromRemoteVpc\": {\n \"type\": \"boolean\"\n },\n \"allowEgressFromLocalClassicLinkToRemoteVpc\": {\n \"type\": \"boolean\"\n },\n \"allowEgressFromLocalVpcToRemoteClassicLink\": {\n \"type\": \"boolean\"\n }\n },\n \"vpcId\": {\n \"type\": \"string\"\n },\n \"region\": {\n \"type\": \"string\"\n }\n },\n \"expirationTime\": {\n \"type\": \"timestamp\"\n },\n \"requesterVpcInfo\": {\n \"cidrBlock\": {\n \"type\": \"string\"\n },\n \"ipv6CidrBlockSet\": {\n \"type\": \"list\",\n \"member\": {\n \"shape\": \"Ipv6CidrBlock\",\n \"locationName\": \"item\"\n }\n },\n \"cidrBlockSet\": {\n \"type\": \"list\",\n \"member\": {\n \"shape\": \"CidrBlock\",\n \"locationName\": \"item\"\n }\n },\n \"ownerId\": {\n \"type\": \"string\"\n },\n \"peeringOptions\": {\n \"allowDnsResolutionFromRemoteVpc\": {\n \"type\": \"boolean\"\n },\n \"allowEgressFromLocalClassicLinkToRemoteVpc\": {\n \"type\": \"boolean\"\n },\n \"allowEgressFromLocalVpcToRemoteClassicLink\": {\n \"type\": \"boolean\"\n }\n },\n \"vpcId\": {\n \"type\": \"string\"\n },\n \"region\": {\n \"type\": \"string\"\n }\n },\n \"status\": {\n \"code\": {\n \"type\": \"string\",\n \"enum\": [\n \"initiating-request\",\n \"pending-acceptance\",\n \"active\",\n \"deleted\",\n \"rejected\",\n \"failed\",\n \"expired\",\n \"provisioning\",\n \"deleting\"\n ]\n },\n \"message\": {\n \"type\": \"string\"\n }\n },\n \"tags\": {\n \"type\": \"list\",\n \"member\": {\n \"shape\": \"Tag\",\n \"locationName\": \"item\"\n }\n },\n \"vpcPeeringConnectionId\": {\n \"type\": \"string\"\n }\n }\n}\n\n```\nYou can use this response to write a complex event filter. Everything from the detail.responseElements downwards is\nwhat was was returned from the app.\n```yaml\npolicies:\n - name: vpc-peering-cross-account-checker-real-time\n resource: peering-connection\n mode:\n type: cloudtrail\n events:\n - source: ec2.amazonaws.com\n event: CreateVpcPeeringConnection\n ids: 'responseElements.vpcPeeringConnection.vpcPeeringConnectionId'\n timeout: 90\n memory: 256\n role: arn:aws:iam::{account_id}:role/Cloud_Custodian_EC2_Lambda_Role\n description: |\n When a new peering connection is created the Accepter and Requester account\n numbers are compared and if they aren't both internally owned accounts then the\n cloud and security teams are notified to investigate and delete the peering connection.\n filters:\n - or:\n - type: event\n key: \"detail.responseElements.vpcPeeringConnection.accepterVpcInfo.ownerId\"\n op: not-in\n value_from:\n url: s3://s3bucketname/AccountNumbers.csv\n format: csv2dict\n - type: event\n key: \"detail.responseElements.vpcPeeringConnection.requesterVpcInfo.ownerId\"\n op: not-in\n value_from:\n url: s3://s3bucketname/AccountNumbers.csv\n format: csv2dict\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feamonnfaherty%2Faws-cloudtrail-events-schema","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feamonnfaherty%2Faws-cloudtrail-events-schema","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feamonnfaherty%2Faws-cloudtrail-events-schema/lists"}