我正在开发一个 lambda 函数,该函数从 CloudTrail 获取事件并分析它们。
我有这个脚本:
s3.download_file(bucket, key, download_path)
with gzip.open(download_path, "r") as f:
data = json.loads(f.read())
print json.dumps(data)
for event in data['Records']:
if event['eventName'] in event_list:
dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
for element in event['userIdentity']:
for session in element[0]['sessionContext']:
username = session['userName']
role = session['arn']
我无法从事件中获取 userName 和 arn 的值。我收到此错误:
string indices must be integers: TypeError
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 34, in lambda_handler
for session in element[0]['sessionContext']:
TypeError: string indices must be integers
如何做到这一点?正确的做法是什么?
这是 json 字符串:
"userIdentity": {
"principalId": "aaaaaaaaaaaaaaaaaaaa",
"accessKeyId": "aaaaaaaaaaaaaaaaaaaaa",
"sessionContext": {
"sessionIssuer": {
"userName": "aaaaaaaaaaaaa",
"type": "Role",
"arn": "arn:aws:iam::aaaaaaaaaaaaaaaaaa:role/aaaaaaa",
"principalId": "aaaaaaaaaaaaaaaaaa",
"accountId": "aaaaaaaaaaaaaaaaaaa"
},
"attributes": {
"creationDate": "2017-09-14T15:03:08Z",
"mfaAuthenticated": "false"
}
},
"type": "AssumedRole",
"arn": "aaaaaaaaaaaaaaaaaaaaaaaa",
"accountId": "aaaaaaaaaaaaaaaaaa"
},
最佳答案
userIdentity 元素可能有也可能没有 sessionContext 元素,因为这些元素仅在该事件期间使用临时 IAM 凭证时才存在。
没有 sessionContext 的 userIdentity 元素如下所示:
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAJ45Q7YFFAREXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Alice"
}
但是带有 sessionContext 元素的 userIdentity 看起来像这样:
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"creationDate": "20131102T010628Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIDPPEZS35WEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
}
}
}
...如果没有发生角色联合,它甚至可能看起来像这样。
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice",
"sessionContext": {"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2014-03-06T15:15:06Z"
}}
}
那么回到你的代码:
for element in event['userIdentity']:
for session in element[0]['sessionContext']:
username = session['userName']
role = session['arn']
element[0] 不存在,因为 sessionContext 不是列表。
如果您想获取使用的或假定的用户名和角色 ARN,我认为这可行。它考虑了直接通过 IAMUser 或通过 AssumedRole 完成的事件。
user_identity = event['userIdentity']
# check to see if we have a sessionContext[sessionIssuer]
if 'sessionIssuer' in user_identity.get('sessionContext', {}):
user_name = user_identity['sessionContext']['sessionIssuer']['userName']
arn = user_identity['sessionContext']['sessionIssuer']['arn']
else:
user_name = user_identity['userName']
arn = user_identity['arn']
作为处理循环的一部分:
for event in data['Records']:
if event['eventName'] in event_list:
dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
user_identity = event['userIdentity']
# check to see if we have a sessionContext[sessionIssuer]
if 'sessionIssuer' in user_identity.get('sessionContext', {}):
user_name = user_identity['sessionContext']['sessionIssuer']['userName']
arn = user_identity['sessionContext']['sessionIssuer']['arn']
else:
user_name = user_identity['userName']
arn = user_identity['arn']
关于python - 使用 Python 解析 CloudTrail 日志,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46222463/