in CloudTrailRemediation/CloudTrailRemediation.py [0:0]
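def lambda_handler(event, context):
    """Re-enable a stopped CloudTrail trail, then alert, record forensics and log.

    Entry point of the remediation Lambda. ``event`` is expected to be an
    EventBridge/CloudWatch record of a CloudTrail API call whose
    ``requestParameters.name`` identifies the trail (presumably the
    ``StopLogging`` call being remediated -- the event name itself is not
    checked here).

    Args:
        event (dict): EventBridge event carrying ``detail`` (the CloudTrail
            record), ``region`` and ``account``.
        context: Lambda context object; unused.

    Returns:
        Whatever ``logEvent`` returns for this invocation.

    Raises:
        KeyError: when ``requestParameters.name`` or one of the
            ``userIdentity`` fields read by ``_build_log_data`` is absent.
    """
    # The trail name/ARN is the only value the remediation itself needs.
    # Read it -- and restart the trail -- before touching any identity or
    # context field, so a missing metadata key cannot prevent logging from
    # being turned back on.
    trailArn = event['detail']['requestParameters']['name']

    # Priority action: restore logging first, everything else is best-effort.
    startTrail(trailArn)

    logData = _build_log_data(event, trailArn)

    # Alerting (return value is not used by the caller)
    sendAlert(logData)
    # Forensics (return value is not used by the caller)
    realTable = verifyLogTable()
    forensic(logData, realTable)
    # Logging -- this is the only result handed back to the Lambda runtime.
    return logEvent(logData, realTable)


def _build_log_data(event, trailArn):
    """Collect the actor and request context shared by the alert/forensic/log steps.

    Args:
        event (dict): the EventBridge event passed to ``lambda_handler``.
        trailArn (str): the trail identifier already extracted from the event.

    Returns:
        dict: flat mapping of the fields consumed by ``sendAlert``,
        ``forensic`` and ``logEvent``.

    Raises:
        KeyError: if any of the required fields is missing from the event.
    """
    detail = event['detail']
    identity = detail['userIdentity']
    return {
        'trailArn': trailArn,
        'userName': _principal_name(identity),
        'userArn': identity['arn'],
        'accessKeyId': identity['accessKeyId'],
        'region': event['region'],
        'account': event['account'],
        'eventTime': detail['eventTime'],
        # userAgent and sourceIPAddress are supplied by the API caller;
        # downstream renderers of the alert should treat them as untrusted text.
        'userAgent': detail['userAgent'],
        'sourceIP': detail['sourceIPAddress'],
    }


def _principal_name(identity):
    """Return the human-readable name of the principal in a CloudTrail ``userIdentity``.

    Args:
        identity (dict): the ``userIdentity`` block of a CloudTrail record.

    Returns:
        str: ``userName`` when present, otherwise the issuing role/user name
        from ``sessionContext.sessionIssuer``.

    Raises:
        KeyError: when neither location carries a ``userName``.
    """
    try:
        return identity['userName']
    except KeyError:
        # No top-level userName: the call was made with temporary credentials
        # (federated / assumed role), so the session issuer carries the name.
        return identity['sessionContext']['sessionIssuer']['userName']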