Filter output of cloudtrail logs obtained using get_object from S3

Time:05-03

I am working on Lambda function to track my instances start and stop time.

I did set up my trail - for management events - and my S3 buckets have the proper permissions attached. I used get_object to read the data from S3; the code is below. get_object returns the data in the form of a dictionary. My next step is to filter this data to the records where "eventName" is "StopInstances" or "StartInstances". Can anyone tell me how to do that? I tried various dictionary methods but nothing worked.

Code for lambda handler:

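def lambda_handler(event, context, *, bucket='demo-cloudtrail-logs-ec2', object_key='event_history_j.json'):
  """Read one CloudTrail log object from S3 and return its raw bytes.

  Lambda invokes the handler with (event, context) only, so the keyword-only
  defaults reproduce the original hard-coded bucket and key; other callers
  (tests, a second trail) can pass their own without editing the function.

  Args:
    event: Lambda invocation payload; not used here.
    context: Lambda runtime context; not used here.
    bucket: S3 bucket that holds the log object.
    object_key: key of the object to read.

  Returns:
    The object body as bytes, exactly as stored in S3 - neither decoded nor
    parsed. NOTE(review): this is the whole log file, which carries identity
    fields such as accessKeyId and principalId per record; filter it to the
    records/fields actually needed before returning it to a caller.

  Raises:
    botocore's ClientError when the object is missing or access is denied.
  """
  client = boto3.client('s3')
  body = client.get_object(Bucket=bucket, Key=object_key)['Body']
  # NOTE(review): this key is plain .json; CloudTrail's own S3 delivery
  # writes gzip-compressed files, so confirm the object is uncompressed
  # before handing the bytes to json.loads.
  return body.read()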

Output of this:

{"Records": [
{ "eventVersion": "1.07",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "ARO",
    "arn": "arn:aws",
    "accountId": "0123456",
    "accessKeyId": "ABCDEFGH",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "ARO",
        "arn": "JDHJDJDHJS",
        "accountId": "0123456",
        "userName": "[email protected]"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-04-22T23:16:28Z",
        "mfaAuthenticated": "JDJDHFD"
      }
    }
  },
  "eventTime": "2022-04-22T23:34:46Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-0039483"
        },
        {
          "instanceId": "i-92399"
        }
      ]
    },
    "force": DJDIJ
  },
  "responseElements": {
    "requestId": "FJDSJFJDFJFDJDJ",
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-0039483",
          "currentState": {
            "code": 64,
            "name": "stopping"
          },
          "previousState": {
            "code": 16,
            "name": "running"
          }
        },
        {
          "instanceId": "i-92399",
          "currentState": {
            "code": 64,
            "name": "stopping"
          },
          "previousState": {
            "code": 16,
            "name": "running"
          }
        }
      ]
    }
  },
  "requestID": "758b",
  "eventID": "68228982",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "01234567",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
},
{
  "eventVersion": "1.07",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA",
    "arn": "XYZ",
    "accountId": "01234567",
    "accessKeyId": "ABCDEFGH",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EWUDHAKFJ",
        "arn": "SJDSJDJSND",
        "accountId": "01234567",
        "userName": "ADKJDJAFDJFHDK"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-04-22T23:16:28Z",
        "mfaAuthenticated": "TRUE"
      }
    }
  },
  "eventTime": "2022-04-22T23:34:43Z",
  "eventSource": "compute-optimizer.amazonaws.com",
  "eventName": "GetEC2InstanceRecommendations",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "instanceArns": [
      "aSKSKASKASAA"
    ],
    "maxResults": 0,
    "accountIds": [
      "273273273728"
    ]
  },
  "responseElements": null,
  "requestID": "cb106ba",
  "eventID": "d8f6",
  "readOnly": true,
  "eventType": "SJSDKDSK",
  "managementEvent": true,
  "recipientAccountId": "283283829382983",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
},
........

I can't use Pandas or other libraries.

CodePudding user response:

Code that I used to separate the events -

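# Event names to keep. A set gives an O(1) membership test and is the one
# place to edit when more lifecycle events (e.g. TerminateInstances) matter.
_WANTED_EVENTS = {"StartInstances", "StopInstances"}


def _filter_records(records, wanted=_WANTED_EVENTS):
    """Return the CloudTrail records whose eventName is in *wanted*.

    Args:
        records: the list under the log file's "Records" key.
        wanted: event names to keep; defaults to start/stop of EC2 instances.

    Returns:
        A new list with the matching record dicts, in their original order.
        Records without an eventName are skipped rather than raising KeyError.
    """
    return [record for record in records if record.get("eventName") in wanted]


key = 'event_history_j.json'
bucket = 'demo-cloudtrail-logs-ec2'
client = boto3.client('s3')
data = client.get_object(Bucket=bucket, Key=key)['Body'].read()
# NOTE(review): assumes the object is uncompressed JSON (this key is .json);
# CloudTrail's own delivery writes .json.gz, which json.loads cannot read.
a = json.loads(data)

# A log file without "Records" is malformed; let the KeyError surface.
data2 = a["Records"]

# step2: prepare data of stop and start instances
data3 = _filter_records(data2)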

It can be optimized, but it's a working solution..!!
