AWS Cloudtrail Pack
This is a pack that allows for processing of AWS Cloudtrail logs. The pack includes masking sensitive fields, unrolling the json, parsing and extracting the json.
4 minute read
Edge Delta Pipeline Pack for CloudTrail
Overview
The CloudTrail pack ensures ingestion and appropriate processing of AWS CloudTrail data. This pipeline provides insights into user activities and API calls across your AWS account. With this pipeline, you can monitor, detect anomalies, and generate metrics from CloudTrail logs, enabling proactive security and operational insights.
Pack Description
1. mask-access-key-id
This Mask node masks sensitive information in CloudTrail logs by searching for patterns that match the given regular expression for accessKeyId. An access key ID is a unique identifier used to make programmatic requests to AWS services. Masking it helps prevent unauthorized access and ensures compliance with data protection regulations.
- name: mask-access-key-id
type: mask
pattern: accessKeyId\":\s\"(?P<accesskeyid>[0-9A-Za-z]+)\"
mask: '*******************'
2. mask-assumed-role
This Mask node masks the assumed role ID in the assumedRoleId field using the provided regular expression. An assumed role ID is used in AWS IAM to temporarily assume roles, providing limited access to resources. Masking it helps in maintaining the privacy and security of role usage.
- name: mask-assumed-role
type: mask
pattern: 'assumedRoleId\": \"(?P<assumedroleid>[0-9a-zA-Z-:_]+)\"'
3. mask-session
This Mask node masks session tokens by finding and replacing text that matches the provided regex pattern for sessionToken. A session token is part of temporary security credentials provided by AWS to access services securely. Masking it prevents unauthorized access and leakage of security credentials.
- name: mask-session
type: mask
pattern: '\"sessionToken\": \"([^\"]+)\"'
4. json_unroll
The Unroll JSON node unrolls structured JSON data from the Records field in each CloudTrail log and creates a new log for each record found within the Records array. Each new log features a Record field at the top level, which contains the data of the original Records entry.
- name: json_unroll
type: json_unroll
field_path: Records
new_field_name: Record
5. parse_json_attributes
The Parse JSON node parses the JSON attributes from the specified field path in CloudTrail logs and converts them into standalone attributes. This transformation makes accessing and querying individual fields easier. Node failures are routed to the Fails output path of the pack.
- name: parse_json_attributes
type: parse_json_attributes
field_path: item.attributes
6. extract_json_field
The Extract JSON Field node extracts the value of the eventName field from the Record and creates a new field to hold this value. If extraction fails, the log is still kept (keep_log_if_failed: true). In CloudTrail logs, the eventName specifies the action that was performed, such as DescribeInstances or CreateBucket. Node failures are routed to the Fails output path of the pack.
- name: extract_json_field
type: extract_json_field
field_path: Record.eventName
keep_log_if_failed: true
7. route
The Route node routes CloudTrail logs based on specified conditions. Logs are evaluated using a regex pattern to determine if they match the eventName for specific AWS operations (Get, Describe, List). If the condition is met, the log is routed to the not_important_event path, and processing stops for that log (exit_if_matched: true). The not important path sends logs to the get describe list output path of the Compound node. Logs that are not filtered out (i.e. important logs) are routed to …
- name: route
type: route
paths:
- path: not-important-events
condition: regex_match(item["attributes"]["Record"]["eventName"], "^(Get|Describe|List)")
exit_if_matched: true
Example Input
Consider the following extract of a CloudTrail log, it only shows two events in the log: Record 0 and Record 1.
Note: Sensitive information has been replaced with dummy data.
{
"Records": [
"0": {
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"invokedBy": "securityhub.amazonaws.com"
},
"eventTime": "2024-07-17T09:48:41Z",
"eventSource": "config.amazonaws.com",
"eventName": "DescribeEventAggregates",
"awsRegion": "us-west-2",
"sourceIPAddress": "13.71.17.166",
"userAgent": "config.amazonaws.com",
"requestParameters": {
"roleArn": "arn:aws:iam::123456789012:role/ABCDEFGHIJKLM123456789",
"roleSessionName": "AWSConfig-BucketConfigCheck"
},
"responseElements": {
"credentials": {
"accessKeyId": "A1B2C3D4E5F6G7H8I9J0",
"expiration": "Jul 10, 171717 8:10:24 AM",
"sessionToken": "ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLM"
},
"assumedRoleUser": {
"assumedRoleId": "A1B2C3D4E5F6G7H8I9J0:AWSConfig-BucketConfigCheck",
"arn": "arn:aws:iam::123456789012:role/ABCDEFGHIJKLM123456789/AWSConfig-BucketConfigCheck"
}
},
"requestID": "abcd1234-efgh-5678-ijkl-9012mnopqrst",
"eventID": "mnop5678-abcd-1234-efgh-5678ijklqrst",
"readOnly": "true",
"resources": [
"0": {
"accountId": "123456789012",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::123456789012:role/ABCDEFGHIJKLM123456789"
}
"length": 1,
],
"eventType": "AwsApiCall",
"managementEvent": "true",
"recipientAccountId": "123456789012",
"sharedEventID": "01234567-89ab-cdef-edcb-a9876543210f",
"eventCategory": "Management"
},
"1": {
"eventVersion": "1.08",
"userIdentity": {
"type": "SAMLUser",
"invokedBy": "config.amazonaws.com"
},
"eventTime": "2024-07-17T09:48:41Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "GetBucketAcl",
"awsRegion": "us-west-2",
"sourceIPAddress": "78.28.127.254",
"userAgent": "config.amazonaws.com",
"requestParameters": {
"roleArn": "arn:aws:iam::987654321098:role/ZYXWVUTSRQPONML9876543210",
"roleSessionName": "AWSConfig"
},
"responseElements": {
"credentials": {
"accessKeyId": "B2C3D4E5F6G7H8I9J0A1",
"expiration": "Jul 10, 171717 8:10:24 AM",
"sessionToken": "ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGXYZ12"
},
"assumedRoleUser": {
"assumedRoleId": "B2C3D4E5F6G7H8I9J0A1:AWSConfig",
"arn": "arn:aws:iam::987654321098:role/ZYXWVUTSRQPONML9876543210/AWSConfig"
}
},
"requestID": "wxyz9876-vuts-5432-rqpo-8765nmlkjihgfedc",
"eventID": "qrst6789-efgh-1234-abcd-6789mnopuvwx",
"readOnly": "true",
"resources": [
"0": {
"accountId": "098765432109",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::987654321098:role/ZYXWVUTSRQPONML9876543210"
}
"length": 1,
],
"eventType": "AwsApiCall",
"managementEvent": "true",
"recipientAccountId": "098765432109",
"sharedEventID": "01234567-89ab-bcde-dcba-9876543210fe",
"eventCategory": "Management"
},
...
Example Output
Consider the following log emitted from the CloudTrail pack.
Note: This example is not derived from the example above but the input log had the same structure.
It consists of a simple body:
PutEvaluations
As well as a detailed Attributes field:
{
Record: {
awsRegion: us-west-2
eventCategory: Management
eventID: uvwx7890-ghij-4321-bacd-7890qrstyz
eventName: PutEvaluations
eventSource: sts.amazonaws.com
eventTime: 2024-07-17T09:44:25Z
eventType: AwsApiCall
eventVersion: 1.08
managementEvent: true
readOnly: true
recipientAccountId: 001122334455
requestID: ijkl4321-dcba-8765-zywx-5432vutsrqpo
requestParameters: {
roleArn: arn:aws:iam::112233445566:role/ABCDEF123456XYZ7890
roleSessionName: AWSConfig-Describe
}
resources: {
0: {
ARN: arn:aws:iam::112233445566:role/ABCDEF123456XYZ7890
accountId: 001122334455
type: AWS::IAM::Role
}
}
responseElements: {
assumedRoleUser: {
arn: arn:aws:iam::112233445566:role/ABCDEF123456XYZ7890/AWSConfig-Describe
assumedRoleId: ******
}
credentials: {
accessKeyId: ******
expiration: Jul 10, 171717 8:10:24 AM
sessionToken: ******
}
}
sharedEventID: 12345678-9abc-cdef-f123-4567890abcde
sourceIPAddress: 204.135.13.87
userAgent: streams.metrics.cloudwatch.amazonaws.com
userIdentity: {
invokedBy: streams.metrics.cloudwatch.amazonaws.com
type: AWSService
}
}
}
Sample Input
{"Records":[{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"config.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"ec2.amazonaws.com","eventName":"GetBucketAcl","awsRegion":"us-west-2","sourceIPAddress":"103.142.136.83","userAgent":"securityhub.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::581720508682:role/aws-controltower-ConfigRecorderRole","roleSessionName":"AWSConfig-Describe"},"responseElements":{"credentials":{"accessKeyId":"HXS325V4U5VN1V2J2JC2","expiration":"Sep5,1919198:05:24PM","sessionToken":"wvyAurFrJMFDuCuG5VFveojrX8BvO1AgesjWkgmc2lZyuQ1Nk4cjqvIf7Zo+scWqMDydYj3GCa254u1sIW/L5DuvJlNER+9/Zcu4r5hbhKNNiUT85BDE9FEp2skTF2P7Tkc/7WF3fC/LNZX+4QWTmrBwo0S0nsoNi4e35knb0DQpylmgC6q+RVKBzi7EVAjzeu50MXN+/t3X0tbSoZHs+3tr82HFtc8g6egbJEd4qI1v/ksqfQc3C51PkAvVThpAQY9uHqNpD7NvCwyHY1JVto72xkwwgC450Ph48Fx7fFyqudFas8fI1JUHm9f9vUdszMImAJgXDny1HGIiAxWpzfDBl31heUbtDVOqMbJstFA5FbwZqp+hAcUeceRo8ZZ99M5R0w2/JOxp9nD+YfoSHwRjq1dABD/bqIBG/sXG0tCqwtbrNyrEiNcb31mMmN6T2BDh4v65fljVZ7AcN+8xnkO4W80VumboZFoA5eRDefCmTnrGF11reHJBy1qZrS6TcN2xtSXo6BXcu+F8q1r5xzfI5vo1LkV9QQy3v616SpCOy3a1PAGCzcCjudIpZJWDBX5GAsYl3YFPp0Gq8csexYJ41iehd2PgZp/vExA05PAIVxpFxMPAcvj5L0okQzHl71IepnWIZPvdm0JgASTUP3zqNcPNPuc+4A6p7q8kEsCbbswIN+Fd2bzMlmdYKS0Gn5DpAe7h4mSaG1mrGCQT60nX3EiMTJEPIJmeaN8zufcxaY0/BNOBwfjZA72K1sDuueedYvVlgQLJygVLpSsTPvd0uOdXxaqKrUvtFdr9hbKlhb1uGiaGUiUURBWbGhMECVWCVDlkZAmtoDXN9xLxkqAbdvKy"},"assumedRoleUser":{"assumedRoleId":"HXS325V4U5VN1V2J2JC2:AWSConfig-Describe","arn":"arn:aws:iam::581720508682:role/aws-controltower-ConfigRecorderRole/AWSConfig-Describe"}},"requestID":"37444b3b-d8e3-4df2-91f1-aa9f4842d6d5","eventID":"5d791146-1f56-43e8-8250-78f27a6655e0","readOnly":"true","resources":[{"accountId":"581720508682","type":"AWS::IAM::Role","ARN":"arn:aws:iam::581720508682:role/aws-controltower-ConfigRecorderRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"581720508682","sharedEventID":"a5aef047-7de5-4db5-886c-7c2c36b86537","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"config.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"ec2.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-west-2","sourceIPAddress":"48.160.112.237","userAgent":"streams.metrics.cloudwatch.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::424216157562:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO","roleSessionName":"AWSConfig-BucketConfigCheck"},"responseElements":{"credentials":{"accessKeyId":"NHBSJAGSDBXTAI50UXXT","expiration":"Sep5,1919198:05:24PM","sessionToken":"7oHr8KO+Xok0CfUvmcEqvGu67XmgaotUqOYzrQF92Iz+V7qpmwmAeQYPnFdwbULpQqRZ6EQ2tbs+kI09hPgz+0u1UE695t2uh8iu3Z++bzZnk9GITSTjpDde/LK4qMPei/FZK2b/kvjtKf83EQJL7NP/QzaTp8HHeQQ7DTt/O3wOTLyjNxHQF1yGSWYXmdGJy/3BfUFeGjMO4XIFOG/YPV12DZCzfT9vuiGLK9FGgKBNvFnRVWgk1hgtFGVyHiQ/SfpfwMVWT2h7ALoegfTp4pxVkV06S2egZPHkhFEFKAfkusyzYdOQM4uVugemJQ+UAU0v7V9PyC8cEYTsIEpz0X5m8mcAAAXnVrtO76WbB9o+GMJ2PEMlib85eKEBiY+GJsVpbfFMLERXVamgFNBa3WNDdAO5U4elcENtrQWH010Gh1m1G0IGZuWN0D9dpi2F7BLd8VI46Mga3F753tHFY/bt12tM6drrIZEh7ygl2RAcPbM0jhlOXFycvFsuMUHM2FOQA/+S/4tPGyVUD7oJSP6tS1VpDs2Vyc0cS8SN2qcDujBeexKil2Ati73scJe11LXxftwkQrso3L2lcWNLQMnwO8FxPeiQGjgVn7wHWrSCV8d5kVniTdyi7+U9ArG36hEW8ZDag5WNjygKutMKkf2xNRRcxsxz2ccAASY1ZvmSTCSkZJjNcwr7z6qZwzJyU5CcuaoVTKRjsegyEpnBcBQeXAITK7gBsAhsoU7sG2wZ6GIjkBKtaRMTB353TvBJDZxF0geqp4JPOIMMayfhOeYm8LoUuffRaveLf9JRUIunzgzHDEN4+zNA89hKakJJ5ikXYF4IxRM4l8MZkJLoodZ9fdYY"},"assumedRoleUser":{"assumedRoleId":"NHBSJAGSDBXTAI50UXXT:AWSConfig-BucketConfigCheck","arn":"arn:aws:iam::424216157562:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO/AWSConfig-BucketConfigCheck"}},"requestID":"32ac69e4-2170-4075-8e86-4243123c80d0","eventID":"bc71e681-57a0-467d-a0be-f57009207996","readOnly":"false","resources":[{"accountId":"424216157562","type":"AWS::IAM::Role","ARN":"arn:aws:iam::424216157562:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"424216157562","sharedEventID":"2ddda16f-2140-44db-8403-2376d734fdf5","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"cloudtrail.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"config.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-west-2","sourceIPAddress":"232.223.219.32","userAgent":"securityhub.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::458281459667:role/aws-controltower-ConfigRecorderRole","roleSessionName":"AWSConfig-Describe"},"responseElements":{"credentials":{"accessKeyId":"AA4TTGA061C1J5C3L66D","expiration":"Sep5,1919198:05:24PM","sessionToken":"jS3ALUu0GA3xdVCvuo0RHUPbk7Vye5CK/mHLeCbSzzzRL23skV1lkuavYKNwJs5y4Z+P1V4KDceTY60vg7fjxyHH7rTRXAlrSCgU2twhoXYgFE5CUObog54gmlXV0PnFGDXOdZYTxLEonKjRzAWyx3zcKw+82YeHCNsvELQljiidHS5kb+JDwgYR9qfQaRI5N5R4DaV18+EV4JXkGsKiwlcoUdTJ1h1RGVb4dLz22QGdJXtdHdFdr4l9Q1eOB3U25eegIp6dCIAXayYrBSsqTqQTgnsL16S54pOWQThEhQrz8Bd8Rh1iWBceg8uQyWGgPbQ0UcA6F/DWVWUXfN1trz7CsxS3eiZz6XChqdReKyOruq7I/ek9K1Ls/VLDCiiGjpiel+PKBtmuU9DiFi9aSZQcUNxAXvun8N+Su7fo3hjcb62HDq7xJWIJB45+EuEdCltkrJ2X61wJlt2mQn+UXIhRkTH5wdccvFMmq6vAnbk8tFCOTx4vJLhGxiYUBDHnGjF9DDwoAPxoVI+Y+bllh/OIpJIpAQZEaFWaEeVWESUQdx7xgDW7DQ3bmboQ5898N6XbCYyh+VOV1K08Vc34b9el50pYeW53kwhEKV0GSHp1kesLbUHdtIT1/YPhJt/wQJ9U4DAQsap+kiyXu7UVWghwxZG3TYwotnUFdHnu8riT47ILIxyWAxFWzjgG22HYPu5dSTAFmjTvdDjePl51ihqb7Qn3mwplj+ECbPcUmeZWOXqCSYs4FPmGQrRLzIR8cjfy4u7qlxhN4HadQNJ7kAye2kMm+gwVobZJlKzincTN+auLegame7xcOIwadV6TnDy9ShQGw7DsJrJ/DAhN8H/+yZgc"},"assumedRoleUser":{"assumedRoleId":"AA4TTGA061C1J5C3L66D:AWSConfig-Describe","arn":"arn:aws:iam::458281459667:role/aws-controltower-ConfigRecorderRole/AWSConfig-Describe"}},"requestID":"0ebdcc5a-a2f7-4e2e-ad3a-1af746c38867","eventID":"b0d7fe4c-e4ec-4d25-9fbe-d4d7949a35fe","readOnly":"false","resources":[{"accountId":"458281459667","type":"AWS::IAM::Role","ARN":"arn:aws:iam::458281459667:role/aws-controltower-ConfigRecorderRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"458281459667","sharedEventID":"b40ff88e-60e9-402a-9548-5e485d00989e","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"sts.amazonaws.com","eventName":"PutEvaluations","awsRegion":"us-west-2","sourceIPAddress":"47.248.29.61","userAgent":"streams.metrics.cloudwatch.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::955281127031:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO","roleSessionName":"CLOUDWATCH_LOGS_DELIVERY_SESSION"},"responseElements":{"credentials":{"accessKeyId":"RJOYCARB41UBJ8S5M19L","expiration":"Sep5,1919198:05:24PM","sessionToken":"CUEnrvtupNoCfWKaiZbAekburyqcNOmaouqDQmnSuCGVfq5ewZ+tKV173kqsFtelHeLPO1i1Q8oEUzA7oOWgQEmhy2t2VNCDcnmRx5hLPz6665DUNRC2fi+PzfAchuA9z8CHSAQqoa6aeUZQVdH7gdeQlLTZqwT+bjpIjonmIv+MkeivGOTDl7R4VXEZatkZiJHnXo4eSC3xOJ6ZdAXa8RYWXBWiYfYm4V3mwbnGM/Xzu8O4CoPqhu8moyBhwXOrziEuLWwaUXWg4FdZeYJM2CRMV7BGElLJhJq6yRf1GZrLGoyXn9VWTw6UOdygK/7L3TXj2JO6ZTL44r3iRkQS+k/i4TK+v7V1WR7vvorilHZsRpH/rYaXH4mAZNNWFN0b4Ms/eF9CSpUI46gR4iLFpZtsRjo5nz4VfurtsnPYlUNXZu51Ui8/J3Cu/NrmhZ8mWg1wlcOuW4B2zjgS4f38k8e7d7qHmqSA04aO04Fqs0hdjq8mXWEc9SXvJiE0guMeREKuBK3nKn6FXscA/sxAAJ/LvAb301zcTZlT831nyGUzqX+lTTIgU4AiXxRP8FfnGDo7STy2pZX1RVAFJrlsJCPXo4zgzaEqcNt9VLcSs7WQbm1NJQOpf9z7s7iCF5T070H6vQa2V25rrvGumLiy+ZlztWrj+g1VkiJDw07B8kDLrEQlfl11HXnyqEgzpMpxhfabiEj6E8FDXPXkDtjFeAkSkVbkF6dIHvAUginB+QH1lLy4hOicvR54ztf/YhpqxGLXjhNqNjynb1FLNPO+As5LTsUj9vkZ3dm/pJVjjZbbPAejf4uIi8qpUfOtLwUQTMVBLdO19ABQJXlsy+aNOcvLCV6R"},"assumedRoleUser":{"assumedRoleId":"RJOYCARB41UBJ8S5M19L:CLOUDWATCH_LOGS_DELIVERY_SESSION","arn":"arn:aws:iam::955281127031:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO/CLOUDWATCH_LOGS_DELIVERY_SESSION"}},"requestID":"64a84ab7-c1da-4af2-afe0-a77e8edef47c","eventID":"99d72aa3-40a9-4148-b8da-b8e77e881b91","readOnly":"true","resources":[{"accountId":"955281127031","type":"AWS::IAM::Role","ARN":"arn:aws:iam::955281127031:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"955281127031","sharedEventID":"a704ca1f-af25-4188-aca2-52605ad9809b","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"streams.metrics.cloudwatch.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"sts.amazonaws.com","eventName":"DescribeEventAggregates","awsRegion":"us-west-2","sourceIPAddress":"32.85.208.98","userAgent":"lambda.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::724673628078:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO","roleSessionName":"AWSConfig"},"responseElements":{"credentials":{"accessKeyId":"A9YKJTB368165APKOT98","expiration":"Sep5,1919198:05:24PM","sessionToken":"os7c2ierxoqM0eXCey+jL60DBpaZf13D7msXujdB7nAJ93hpbYHEr2N63o9B+/NCmIge4FAou0HCPoT0uB4NaMhemuHSGMQEzPEw2skcspGvP3iXS1a4nCEbAFxI7v28SZPxQvwK+7SZ69G8HIfUCuyjfZkuozxZyUe/pS1W/zp28CbTFD4z/yijAtxebanDrMMXwOOpuKJjKKfToImd8zby2VQ85yqI+rUjtB0vloywjaud1HCPaA/blg8Um9QLo2jhUQu+cdLTUmP43fSb5QcGxt0uFfaqXs59DRTwJ6fBtrondYtKk6icolLhsM/bahf/lJ7cXox82V1tM3JZkScooBKU9U9hpiZX/GCtgn29Hp3+bEsGIJM7KVs5BIt91bKd29uVOgBOuANeGP9M2BRImNMgq+/dVqmpyrJQUPOxvrnCuE8LfDwRKc9LArEEWms/22bnu5hbu4VYdmvg3VMRlFSmxuMJXC5cmP99YFwdjrd1ykhZNsBvomzzzrmGTUnqESaV6TNg3q2hDXHrWlu6SjlgVuvneHSi/Hs5oRvt60aX2B/rfYtaO1Re/LRkTEnvlqo/XFMrspqLj6WSY8/2MAF+2MgZXMB4gZjLPqXRNlY8+jMeaFispDhkLeQ3L70lF6E5WcUFtV4chqzwetbCwjCi0ce1oOOAAg2wtvxNkARhV4dtKiTTqFRA/KoHELPYP5WbO87FZxNlxVnJjGhAvmcDy2yCavkFYLMAqkQN8zWLB3J5hhzv1DZ+1T7QYIzn2zT+c/rTbp5Qta+lurkekAEWVByBN+SlZrBF0QDzR3SrhQ1xdbYH7H/zKFIL2/U509q3D2cMRjvubp1Eq3txsHHL"},"assumedRoleUser":{"assumedRoleId":"A9YKJTB368165APKOT98:AWSConfig","arn":"arn:aws:iam::724673628078:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO/AWSConfig"}},"requestID":"edf411a2-2bd2-40b2-b7c8-0bc60f8b8caa","eventID":"74bc1995-1d67-4e99-a3db-0328b31b6c69","readOnly":"false","resources":[{"accountId":"724673628078","type":"AWS::IAM::Role","ARN":"arn:aws:iam::724673628078:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"724673628078","sharedEventID":"11824e39-cafa-4eae-b343-4bb68fe77a21","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"SAMLUser","invokedBy":"streams.metrics.cloudwatch.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"signin.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-west-2","sourceIPAddress":"177.153.8.249","userAgent":"streams.metrics.cloudwatch.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::376446277668:role/aws-controltower-CloudWatchLogsRole","roleSessionName":"AWSConfig-notify"},"responseElements":{"credentials":{"accessKeyId":"S0EZH8EDEVEGA43WVF7T","expiration":"Sep5,1919198:05:24PM","sessionToken":"W++pgfhHspeKJHapyyKm8791y4UwLBKnJdH/Sy469+2GsKXl4XcYxe/jhzNpDkX6WdYTUx0PyXLEV8vUDtQksYLYpWFaLyB0BQjD9xT+iF6tFdhAklPWGuZ6ed5sMSWQYU4PqidmPgKqPShn/h1RU1K96cc+R5CKOz+Gh4Zhj9kVMXr8jXYzWdAelvHQS3uqnkj8fpLhT77rEHM5XcsHGJ90EJeLnCc2SkTi0LRt5GOtLf9mNUe7Jqaxam2HQ9kB7Z42mz3tUMe2KrE6+weCkieCTxEzkLlXs/H/ePVVF+yIGqhS11jRxVSCcAWOFYMzTCzWg+V8ehfeP4+VuJuCVo8o6rHXKlMjToMtSOAA7CEeL3L0f6wxBlluHVX9dN7zvyVk5c6UVAJsw8SuM3dXQ67w6gMIDTdTEOY3o224xt/Q2BGm/NYQXmrHAQKDmzgPc8uV2jVgs1VA9usLZmn3iYqYwSmd9okl9ka3wzEcJMKajpoq1Xc7yB3FubUdQe7jeGA6pRGKKPk+jFBOGLh7xBYvVzYK2btRz/XUZgAwLuKQGq9mlWS+H/GfZi/2aMMg7N24WcuxMzLAkuHzlmWb4BeSG6oQhUWgViJI5qZFArkAIG13S2u4mIjOfuXIzCQLAxXOE8va2td4QkfInBfhvkNdQ90ZW6FGwn7PORCZ5btSZSyF9H02uzRumamniFO9naiJSGUj5F+7GKYnkNsArCHD2q2CbBPRnelUAnw6w7SOLgn3IngVuauSyDEBh3Dfv7M2QfRp3KOE67ka39Aqos4qmGBTFqARbi65f6sBlkjvrsnxVQudKzZpw8V9VpbCUZtdOuMBipqUax8LDRYtfvO3OKjZ"},"assumedRoleUser":{"assumedRoleId":"S0EZH8EDEVEGA43WVF7T:AWSConfig-notify","arn":"arn:aws:iam::376446277668:role/aws-controltower-CloudWatchLogsRole/AWSConfig-notify"}},"requestID":"0fff4b50-7d10-46f7-8d70-0112b3439eae","eventID":"696608a3-62b6-4dab-8fa2-182abc6e922b","readOnly":"false","resources":[{"accountId":"376446277668","type":"AWS::IAM::Role","ARN":"arn:aws:iam::376446277668:role/aws-controltower-CloudWatchLogsRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"376446277668","sharedEventID":"fa7b3ee0-2e40-46f1-9d2a-69b7f3f29513","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AWSService","invokedBy":"config.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"signin.amazonaws.com","eventName":"PutEvaluations","awsRegion":"us-west-2","sourceIPAddress":"178.216.147.27","userAgent":"streams.metrics.cloudwatch.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::541610269611:role/aws-controltower-ConfigRecorderRole","roleSessionName":"AWSConfig-notify"},"responseElements":{"credentials":{"accessKeyId":"ABQVTNIVAYTTLLAT6C2E","expiration":"Sep5,1919198:05:24PM","sessionToken":"uYm38o1fmXhhgRzBuZQsEBKUoKuoZEuwhhqbywDCSXZlwOjTiA5pVZbbESqTdkPQv8d+AEncuI2XGXdqdHdY4N+foo1RMdBHrg0TESC6Y/hcREwTT2X1WE9lx8jXfEfQNwj7ghVRM7LPf6pUPNrs2NhJxbdJRN4xUR+Wxb1yMO5EFyvMiGwtNN+ptO6OPsJWbvOFHJNTUolvbpKaCqPf4dS/25CiCCzvlub0rYbgs0OqWT7eTJcNCJiBdxkHDeaZa2j86p8s7GmQjJ6GgEMkUvGTzjpWSb9eifuyqZNwoTYFbEDJIBq9G7wu2DBbTNdJquH6lQtubq4tZBT6mB954yi62kdY7foyIuo3BmmWLV42qPVvK80GdsgXNWLwnNLxaOQ9OlaKHei+pmj3KUBuhI9CuS25KIRI0OxVxHJFd4+5P56ftONDFryTc3OTGQm1+tXOQfY/q49GiE9EzFr9ziCO1/YFop2SwxsnTPmIBYagUqR6aRU6k7fz7MtzaV636AfYzkzoDoUlA6xLva3BZmFGInUOdfBG1OV2m2o5WDRzcsklsl+9MJ/bzv1xbnpjpRbLy4GJ2GNNx1UbMAVg3xY6OeOhQ3ttL3mwd/MgMSQqlyNuteccu3TS2GMu5Y2Ehqrx2TZqvSEaoKyfVgiBGWLhqCazz39b/qBkZtKXrQkljrMfZu+rS/2Si+iOAtx5Fk/bB04urzjMyoZ4MhTV/+8591upL5JIhFz2SC7qa9zu1sHCmlgqg60tTQI8hb8XiAMC7TIhspN8MFDnhBNq1PzXVy72ICM0K6cygtzHBY4nEHMe0Pe9ZW2lRjhp0+0zu2NBnBHhgpueG/8lftwfsnckK1gZ"},"assumedRoleUser":{"assumedRoleId":"ABQVTNIVAYTTLLAT6C2E:AWSConfig-notify","arn":"arn:aws:iam::541610269611:role/aws-controltower-ConfigRecorderRole/AWSConfig-notify"}},"requestID":"20bd6714-5c82-4e6e-8864-2ac9580459df","eventID":"890a6952-0968-42ef-8156-e18d4c4804fd","readOnly":"false","resources":[{"accountId":"541610269611","type":"AWS::IAM::Role","ARN":"arn:aws:iam::541610269611:role/aws-controltower-ConfigRecorderRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"541610269611","sharedEventID":"a123fd16-3276-4393-8400-7fb1395d09e4","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AWSService","invokedBy":"cloudtrail.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"sts.amazonaws.com","eventName":"PutEvaluations","awsRegion":"us-west-2","sourceIPAddress":"106.219.190.104","userAgent":"lambda.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::428952461452:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO","roleSessionName":"AWSConfig-Describe"},"responseElements":{"credentials":{"accessKeyId":"OCBTISRCHBND1QMX04VF","expiration":"Sep5,1919198:05:24PM","sessionToken":"7sNyp/vRrthWt948Kjc6aQzuJ2XC6iqhoKFj9yaYQQfbzntUAs9YeLuPrJKOabFyYnAw39hC5pof1D9zgIkvcldVwtYJQ9boSoIWbmbPgx8yX2QwmJi2Zd5H/iJc+WTu40ERrNyA3DDpsXvWyI5TtXFHYM3H6Q5krjS2ysv9yhnQE5JX3rAt+byjrjVjwXvD9lxNmszkHIFMoDkij9ZveW/Fo/0chBjEh1f35mlv0xqYpLAFq8XsjMMueppwyx3GpYygutI6U5nEwOxJk99scpKWcmT8GzVql7r7msFKwERUN5DbamPuG+r89MD0vM9sXX/cXVAAoP9Ca1dy9I/Huw3w224d4zDBqTs19nAXkr9+D+fVr3bc6F9jk1sG4xUxaWuV1XYBy8HutRkbBib5Tf5Z6zZwPiXTDayYKoffm+D3o0G1kVzp+7lC2Gq/EZG+Kf6BKmdxIV09/dHWCz5bCGkqkAZn1AKRjnwvnFSlFDOqXtod62dt11z33h+72xSkJp439mwBb1z70msHwlcIReMQxt9zAuLx7F/EsnBpoKl577A5pgJK4bVgmonArXSDIgDrjeIGT53iSNQuc01AOAdTqjlfCfCnrKxK/6ZptPyEtXcoJ2+24bbzJIPP3W/4IDlyLtkYR6AD0gsbz5VKpK6UrcWSTSy1zCIhkP8NHIbFAtkBWoEVefr42LbBsykXrHMMUhOz2Q5MfQTDFvUwXsDWPZ86beGpiPZQinrZ3+I+kr+N1DIrEubIjLEM93mWUtOBxfjjeveGcHdXzvKrdL22Mid9PbJnK5HaWgrgYJDL0ota1cD3uwd+E/Gx6QFEDkn1SBQ9O1aHrW7CqNvdVex7G74O"},"assumedRoleUser":{"assumedRoleId":"OCBTISRCHBND1QMX04VF:AWSConfig-Describe","arn":"arn:aws:iam::428952461452:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO/AWSConfig-Describe"}},"requestID":"84f639ba-9457-4112-b007-f49d0d2bfa8f","eventID":"7a8e4eb6-b215-497c-a8be-343d3547217a","readOnly":"true","resources":[{"accountId":"428952461452","type":"AWS::IAM::Role","ARN":"arn:aws:iam::428952461452:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"428952461452","sharedEventID":"d6b0693a-65c0-4023-b3ca-2491f1622d1d","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"securityhub.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"ec2.amazonaws.com","eventName":"PutEvaluations","awsRegion":"us-west-2","sourceIPAddress":"192.242.93.174","userAgent":"console.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::597981703144:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO","roleSessionName":"AWSConfig-notify"},"responseElements":{"credentials":{"accessKeyId":"YQ6J874DKLGXAACY1X7Q","expiration":"Sep5,1919198:05:24PM","sessionToken":"l92s0ih2Nf2HVGIcqOKHJfKIfBS6Q6apaKTab/4/X1YIYKLXWQ+wLcHcP4Km9HGC2Jq8wprfkPoYin4HWHOBM9DvcQ6/okraTy2nUNbppgIqAIOC8atGM3KJpmqWEju0f4Lf83fgKRmjgQNYrZl1cK4YcmB78DUsp7XXvwjeLGDTwJNJg/ihwpOQAVilgcDdCbP98DrQCq2OKE+zmko8ywSCEq7UlSzH5t4mcDaRqMvP3C8ouQxiZFPgOflQBed2IfdolOkeIBQKQDUzIsrD2vSwwhKzosJcWiyqxuXmRRXdXlVdP4jhqNiuVfClZQRuV/KwArTucGVLDAei4pbOLCPhM9CmPg19WBNXk+JTlAwQ5vA9ayVri9PLMfl/toHB62Sgb/5SU1F8vaEvRqhi4wKASLfw+qjgj4N/fVIqIcoxtAcJxaXyg6SKdhFyiE1SYOZc1s75mZ5Gm0BnBKSHrZA9EdTW8NR33BXYLRjuHeeo0+uyQLvv15Pwn/nLuA0jfQ44VAeXnFL0Zn+z+6nVAlwNxlDiFFjsdwSrpGluihu3SDVUxmHkfRjxHSDDoNICOgb/FHoGNG+o/kzlqg5W0RTbIRN89XjpWvePJQOMjp8E/dZ3nTTccpbqF+z4JdVQY13O4HF60jY7DinloIzIX4F3ktHynbXvPNsebXJiLOKzEGxl9UAHPeKovjwQ/6Kgfe1F+yaF5eSzhXWSAeW8mVkwmVKA/j+qXXyQbwbyxBxp2hoqNAFnUrTQXFpIaBbu9xppiqsb0TakJtli7Ri2OjbYzb+h1n9R4bXH12fotOUHhIkxz1F831o+JEcgCT+p0vFEGnn3XppPnP+NILcCSsPYanhS"},"assumedRoleUser":{"assumedRoleId":"YQ6J874DKLGXAACY1X7Q:AWSConfig-notify","arn":"arn:aws:iam::597981703144:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO/AWSConfig-notify"}},"requestID":"c47eb840-513b-40b8-a7f8-ae06f9856d3c","eventID":"180d6315-8777-4159-bda2-86ae212bd6c6","readOnly":"false","resources":[{"accountId":"597981703144","type":"AWS::IAM::Role","ARN":"arn:aws:iam::597981703144:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"597981703144","sharedEventID":"8b692abe-6694-4200-9f6f-ead24f16b108","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"SAMLUser","invokedBy":"cloudtrail.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"ec2.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-west-2","sourceIPAddress":"37.246.59.107","userAgent":"streams.metrics.cloudwatch.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::400440452736:role/aws-controltower-ConfigRecorderRole","roleSessionName":"AWSConfig-Describe"},"responseElements":{"credentials":{"accessKeyId":"BOHWXO324RYKW3G6Z6K1","expiration":"Sep5,1919198:05:24PM","sessionToken":"uKyy1guyiQWiYtTfqznTqlbLYySHriLiAe8ZaG9iltucaQRwAffWAA6hPRh9fsX9mYxLMfUuKGwfxzsRwm+tT58uMibjvjFSi0wa6YJ/UE7Po2M5xqAkf7DhShZQFfgkAFOhl8QSU7dylCXLvBeYZimhQk5akVT15X8Ftwf1pof3gki7wKsRp0evUg5VAFgBb3FuR2XgSuSEk7p+csQu8TORouj/ogMLX3Jl5iiCOPB4HIHCBZppcpsOYtDhzEwcDCeNHecaorXwNx3ZokGIGzenEqYdlersQpFeLuOxLDPN9gX0C+Rcxej3RctLkI7ytOMT0gLVk7OS04c3z5jamK2+GLy6UldIAGQgahqGDkswTWNfC8x/N2Zqanm9H5gm6kp6hgQ7bUpqmnvm15jXxzprwmVoQhkqGsTFyABJLmp0jMvdgn5odi15yL7kMNfPyqxl0iseOGSYfPjYsnTdusddLBtls1zgCbgd97zK9jy2mi6aNAP3CW3RqczdTC9KoM08ulABLtscg6rLrU//BEE0oAJweKV/IENRT1LFkZqLJl3cEwQsZW/Y81TsIPYYTgsMJ93KyU6LY3WyIWOWsrWDW3Gea58BEdpUIoheW/Z0QRG7srmmRTqyHrraW0/QSBXE1traTXVqpTBqC4xCu8EGpVP8iCYS07DPgZOI4WPsa1E5/Oh2wMuuTQldDPJjOlLzGHFeN1XVGrQuKTfXKrg9B2z0aucdy5fQf57d8owNNtC1YEzFVBKK8j6tTxaVsizniTOTjqIDgpZMr7hYVF1UNHlQK9Qt28vACZIZCU1nehw1awL7OWK4iHvNwbXX92yDj9HcTapOZNWm7gyTtRolx99l"},"assumedRoleUser":{"assumedRoleId":"BOHWXO324RYKW3G6Z6K1:AWSConfig-Describe","arn":"arn:aws:iam::400440452736:role/aws-controltower-ConfigRecorderRole/AWSConfig-Describe"}},"requestID":"2d979dd2-33f1-4c1b-81d6-e8c9abd92c0a","eventID":"e10a18ff-2af6-4849-9a63-dba488118901","readOnly":"true","resources":[{"accountId":"400440452736","type":"AWS::IAM::Role","ARN":"arn:aws:iam::400440452736:role/aws-controltower-ConfigRecorderRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"400440452736","sharedEventID":"1a8f26e7-b437-4688-8665-34c31cb3f130","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"config.amazonaws.com","eventName":"ListStacks","awsRegion":"us-west-2","sourceIPAddress":"202.48.164.90","userAgent":"console.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::646760282123:role/aws-controltower-ForwardSnsNotificationRole","roleSessionName":"AWSConfig"},"responseElements":{"credentials":{"accessKeyId":"I457IW6GE2OUKCQUYT6E","expiration":"Sep5,1919198:05:24PM","sessionToken":"+/gH6MC1emC15ySC+6fYwo2BjVoSRDgqbJOmvRY1x3ZmL0bv2W+Qou5L1isKu/Z9niJ/sRBmItW/49IKw9ObVPd2duFdkYVQWLaXtstZ7czdJqB6SFYDjb4NVNT/9p3x/fTpSYcSY6UemW0RwHA/QWe76pK3uE3UmPKSIivw+0ghYs9iiGOA8tup7MgR7BcLJBXSqVYdzLgGVpFbfcr/XbaQtn+rTAifNDPa2HIIsWcan9Ge49FiIzcupo0eVlmZK7VnK7hnupMrLhy3HWe6BK0PNqqesdwJ1UKsfo3uFP9rT0SPe2DSmpCtAHclA1hlD82Yf7h5Qi4kNU/WIj5Su4aIb8j2jFxKQjvdLY2tT36M44og2M8dVXS/p+3+OWIroCCh3cj8OULNuemxh/i6MOnrpbp6OiZHHCPFIS3TFVz2EaZDbfRLzJoov87eZfJr+fwXhOWEm+0nhctnkJzeDBQRMPvACW/Yl3WiChgevOzIeZyVlNaNVORQPlKfyyzLfLOrDHtv/L0296K0/IRlVRxAIIzpzqSHAW4rIsMxt51NMkNiSSgtGdKcVt71vQXz5nqiv7cATwbysrWiO17zKFs4tE9mAM7YLOkwBHsUAJeWhqfuunfGPniL3PXy6vjg7clCJnyKAdH31jXbub9u9i4UISurBtbgoijpgcWLnKRdzlEWPDng6JtvQSG4JxxcRiveyGAtHaU2Vz4Kb4cRLtIDMC3OoxoNay5jZCnRvZc4IOFRa5IDXRlIu02Cxeb3GLtp4vYKbBIWNNuVESr3t4Snl6dDvmozCTvPdU/5GiRQ4fP4zPTQ/wAJuORyM/OuUGU6Dpp4v1Izxaabno1qyPs8fi6N"},"assumedRoleUser":{"assumedRoleId":"I457IW6GE2OUKCQUYT6E:AWSConfig","arn":"arn:aws:iam::646760282123:role/aws-controltower-ForwardSnsNotificationRole/AWSConfig"}},"requestID":"cde74f55-c444-4ad7-871a-4ed9dd55ed6e","eventID":"4052c341-c40a-481d-bdf3-a2397dfbf4c3","readOnly":"false","resources":[{"accountId":"646760282123","type":"AWS::IAM::Role","ARN":"arn:aws:iam::646760282123:role/aws-controltower-ForwardSnsNotificationRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"646760282123","sharedEventID":"8bbc73e2-38f3-4b46-9dea-9639f9dd1be2","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"securityhub.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"signin.amazonaws.com","eventName":"PutEvaluations","awsRegion":"us-west-2","sourceIPAddress":"231.59.80.14","userAgent":"console.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::951132273424:role/aws-controltower-ForwardSnsNotificationRole","roleSessionName":"CLOUDWATCH_LOGS_DELIVERY_SESSION"},"responseElements":{"credentials":{"accessKeyId":"ZOCS0UNYTATW9LAS0YEN","expiration":"Sep5,1919198:05:24PM","sessionToken":"PAxNCfMaMjnfKJJH3R+gUuTY8dKmPXHIo3oH9Dva6nEGADPUz0gKESlubY4VaJFOplSu/TkipoJKdgzFV53P25StNZb/wf8dOPudCim9TszY1sf5kUzOd3/DmF1bIfszrTLaJjrfsWLHFyfWdvTPx/1uc8yUuIXzKwIodpYRFNChSmH/70RcMY9lpLP3Tl+ZHtAdaHELQAmOjzQcGm/KiUIwjR01f+o5PUYRizlwYJpJqOm7SmSuLSTIJlY0U0jNtqscqDNSjQ4twJROweY2TAz7T8GyViqxJie6Ovy2YwGYBN7nQkhlTc3P9RtBcjT/52yuj+7smF2v00aIeWdRlCHzeCQeBznhrwUYDn3xTAPBaED7BOzD/jXvFTDv1SgJjJTMEpnaOtuxxT1dRWV2xa15F9BtzKgvV47PCVjXVotCYF4uXf6KhW7D15ARGA1X8MZWG0ShRBDxIWpZ5tvX13hkCy1Z4s9z7a3asTAKjYt2C9xD3WeZNMBOR1hxmyhdQpGxyJ4knCHXA5sGn/uV5G3/BYaKv6VhpmnfjBXFOblVvlFcsLdU5WSIzhoHASNTuKdn/Uj004dEoA2q123mxOOIo4eJ/gTEvAbf4KTpPEL+cJp3BE8MVBYc/NiZJyE4YQsQ/Or4Rkzu7dZm3w8D2PQJxKbyJx67NK/QsqOe/+NL2dcxlpRLrzXdJ6pePhsFFlwKChzjNEajteKRzDz+oEx6ckeXRashXuNNLsaZlbhPf/eTmcG9Ud2POfoHSeJ7qEDOPpUNxq3vpVK9keHOTfEE0wl/3tUnkXYflKywghM9AU+UNxMABRAOi1oJ99I2Xo+c7wkL4HEsERFz3Xf1e+pSpjsi"},"assumedRoleUser":{"assumedRoleId":"ZOCS0UNYTATW9LAS0YEN:CLOUDWATCH_LOGS_DELIVERY_SESSION","arn":"arn:aws:iam::951132273424:role/aws-controltower-ForwardSnsNotificationRole/CLOUDWATCH_LOGS_DELIVERY_SESSION"}},"requestID":"5a8101f7-707d-4460-8eb8-75d3e5edeea4","eventID":"94775637-2dcb-413a-8c80-e7ec89c8140a","readOnly":"false","resources":[{"accountId":"951132273424","type":"AWS::IAM::Role","ARN":"arn:aws:iam::951132273424:role/aws-controltower-ForwardSnsNotificationRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"951132273424","sharedEventID":"56351b74-f8ee-4666-8bbb-ae1907a59750","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AWSService","invokedBy":"securityhub.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"sts.amazonaws.com","eventName":"GetBucketAcl","awsRegion":"us-west-2","sourceIPAddress":"55.2.131.119","userAgent":"securityhub.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::710477833751:role/aws-controltower-ForwardSnsNotificationRole","roleSessionName":"AWSConfig"},"responseElements":{"credentials":{"accessKeyId":"IQ7C1IL6RNDJ2SHOYKEO","expiration":"Sep5,1919198:05:24PM","sessionToken":"uNkCG0nyuveYPWJUfHDJDrAlnaCW5p8HqPgOcct3K2xm8AvYG0LktPZQd8e6ZlnpYvVK/apKdTRsPCJpmX6RxYBlfjeA469D5KicJSL35E5xHHWaKt4Jdcoh0CdyeP7qL9FlK1o7jXjyw9/J3oFQUDdauVEPIRgGPHhYbw2n6GXsIlEgn6qkbCz8q82lso/hCr6NZ7Y9uAK/ruuwCZCXNA/1uW/11o79dUpbOb+CuXrT+T0nrXk5epiBnurY9b+cay133Avxze30ucnkQKVAaXTKeUzOEsXSRPRSd7b9kokHMMvBIhM7soM+Y17cWVNc4Vl5zX9n7e9hHG/OjLIOLPknHd/S7VE2Lp6XTE8RIjc/ziHyaNNG3ZNcMGixZXG7zq9sEAxgklYmq4JmD3aXzrGNn4xyD9BwxwZXJQ3QY8jbxwyjYmYJkT1f18qVd6MAY2oUW0Mt1z8d7y7f/TlEhQR51PFQ4zuBHUdh+bW2Kp9bZaiLAVFW6KKDNgQgI79dnH+0NENCgDJ61RflIewTG3OR8X8adDFf7GKQ43os8WjVlDpXEW/6P/4kH6S+ihvyqDjkRVfqLLe0FHGUj0s5N+4KkOawWnNqN/q1YQbhnCVD29IpfIKvBJa/jAK0PQswq0noUxM5XpQaffQyonBPg/259w7rPi0Q7NBrngoLeaZ2q7PHQkOl22gtPh7O5/b0wOwp6KXz/KmIWXJUuNgtNgJUgAqrBHJpOpOrNPI3EWvd3787VYBmV3zYjaPFgud8qr1BXSuHYI1OAkPg++wBdvtEovWgfh2luqh6icH3foWA/ecm8HlXkjrSoejTzKQeTqq3Qua7TmCt0X49keEhGxgZhXke"},"assumedRoleUser":{"assumedRoleId":"IQ7C1IL6RNDJ2SHOYKEO:AWSConfig","arn":"arn:aws:iam::710477833751:role/aws-controltower-ForwardSnsNotificationRole/AWSConfig"}},"requestID":"27ba02d3-f4f4-4ba2-a16b-488fa14a46e8","eventID":"50a51f17-ed82-452d-9fe6-eff56f5fd787","readOnly":"true","resources":[{"accountId":"710477833751","type":"AWS::IAM::Role","ARN":"arn:aws:iam::710477833751:role/aws-controltower-ForwardSnsNotificationRole"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"710477833751","sharedEventID":"e6236a2f-8e3c-4416-b725-06c5c78f7747","eventCategory":"Management"},{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","invokedBy":"streams.metrics.cloudwatch.amazonaws.com"},"eventTime":"2024-09-19T16:23:35Z","eventSource":"config.amazonaws.com","eventName":"ListStacks","awsRegion":"us-west-2","sourceIPAddress":"51.126.62.102","userAgent":"console.amazonaws.com","requestParameters":{"roleArn":"arn:aws:iam::510296235275:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO","roleSessionName":"AWSConfig-Delivery"},"responseElements":{"credentials":{"accessKeyId":"HIU09IPU1ZQ449APEBLW","expiration":"Sep5,1919198:05:24PM","sessionToken":"nhMSleCRHvoWsPot9tz2dYEwjO/tRh9HTym8peUErISzfzQHPvo88tCfiIf4tfQ3F5oYiSXSOmG3iIjz0kpNibF/TY9e4Ts6bB08I1nb/Mg4XZEjB4IKleEMa7HhIDPew62kHqlZgm79/hcq32ovmh+JqO+8i/V1Do8SZ1tw9fiz5W7aTxkqO3xR04xQWMgW6NvdS7bYrTPtzMVfRvF0QCgF01R8Ue37sieU7N71rX0JWtvxP8kwBKRg6G0tA09YtjYc614yfbJu8G9RMJ/NCr1uH0oS64jx/ItKq3sIwCDnblweMdwdToMYl4F++ohifpFEFsJP+7SRcw/W6UQzmhX0JxiE/o+smKynj6GiFxv+nKmGDr+jFVklOef8eXygYQa7IWaehFTl3286o0nWmiFFOYpPL823u6vWm8yHv4pPHVq05m1LpiMZE37LfcQPJl+vBR2GWQc0E9GGCJt53EuOqyXrq5XGtMKQ4V3gdfS/qOf1K97zyltgQHwMsV+/OxzviYrzLDgFZFUjPACTXdKuCMZgLud3xL1EozbrYcDMF/DJWbmvsUQ7w8V3XQhg6LLLMPUnyIociN7VdJk88uYuCnIT7g1JBKNjZ7Bq8dXnkFT/8n1qzhMi0xveYHMuwH/wPQaP+SNJWzK4ZYqNYARed7h3ReJM529lCjyXcBIEzNFodS7oUZCgDUv18YrupRn21AYeuo1i3/mZ6L7f4UA7bnFhQ3VLdj+7gcX3NeskBXrO3/ZV7JH2kgva6B7G7aUnafGBtt4IO7l81hX9ZOc56a0XDOzKIIounf+C3KI6oeadyIqK2+Gej5CWmZloG3wTtnR1qXVe3VCJpdZ5WEw+dcvm"},"assumedRoleUser":{"assumedRoleId":"HIU09IPU1ZQ449APEBLW:AWSConfig-Delivery","arn":"arn:aws:iam::510296235275:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO/AWSConfig-Delivery"}},"requestID":"3f578fd1-d149-4bdb-9e64-03f22d0997a4","eventID":"f910827d-2e7d-47f8-a1d2-4040cada7fc1","readOnly":"true","resources":[{"accountId":"510296235275","type":"AWS::IAM::Role","ARN":"arn:aws:iam::510296235275:role/cribl-cloudtrail-TrailLogGroupRole-LFK8G19D98LO"}],"eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"510296235275","sharedEventID":"ba1f1d67-39dd-48ad-ba29-ae14d8a84c42","eventCategory":"Management"}]}