in packages/utilities/s3-audit-helper/lib/index.ts [80:184]
/**
 * Defines the Glue table `cloudtrail_audit` over the CloudTrail logs stored
 * under the `AWSLogs` prefix of the given bucket, then enables Athena
 * partition projection on it through a raw override of the underlying
 * CloudFormation table resource.
 *
 * Partitions are projected from the table parameters set here, so queries
 * only see the accounts and regions passed in, and only dates from
 * 2021/01/01 onwards. Logs written for an account or region missing from
 * these lists stay in the bucket but are not returned by queries against
 * this table, and no error is raised. Keep both lists aligned with what the
 * trail actually delivers.
 *
 * @param scope - Construct scope the table is created in.
 * @param bucket - Bucket holding the CloudTrail logs; its name forms the S3 location.
 * @param database - Glue database the table is registered in.
 * @param accounts - Account ids used as the enum values of the `account` partition.
 * @param regions - Region names used as the enum values of the `region` partition.
 * @returns The created table construct.
 */
public static createGlueAuditTable(
  scope: Construct,
  bucket: IMdaaBucket,
  database: IDatabase,
  accounts: string[],
  regions: string[],
): S3Table {
  const logsPrefix = 'AWSLogs';
  const logsRoot = `s3://${bucket.bucketName}/${logsPrefix}`;

  // Every leaf field is declared as a plain string, including the JSON-bearing
  // ones (requestparameters, responseelements, ...); queries parse them as needed.
  const stringColumns = (...names: string[]) => names.map(name => ({ name, type: Schema.STRING }));

  const sessionAttributesType = Schema.struct(stringColumns('mfaauthenticated', 'creationdate'));
  const sessionIssuerType = Schema.struct(
    stringColumns('type', 'principalId', 'arn', 'accountId', 'userName'),
  );
  const sessionContextType = Schema.struct([
    { name: 'attributes', type: sessionAttributesType },
    { name: 'sessionissuer', type: sessionIssuerType },
  ]);
  const userIdentityType = Schema.struct([
    ...stringColumns('type', 'principalid', 'arn', 'accountid', 'invokedby', 'accesskeyid', 'userName'),
    { name: 'sessioncontext', type: sessionContextType },
  ]);
  const resourceListType = Schema.array(Schema.struct(stringColumns('ARN', 'accountId', 'type')));

  const auditTable = new S3Table(scope, 'CloudTrailGlueTable', {
    columns: [
      ...stringColumns('eventversion'),
      { name: 'useridentity', type: userIdentityType },
      ...stringColumns(
        'eventtime',
        'eventsource',
        'eventname',
        'awsregion',
        'sourceipaddress',
        'useragent',
        'errorcode',
        'errormessage',
        'requestparameters',
        'responseelements',
        'additionaleventdata',
        'requestid',
        'eventid',
      ),
      { name: 'resources', type: resourceListType },
      ...stringColumns(
        'eventtype',
        'apiversion',
        'readonly',
        'recipientaccountid',
        'serviceeventdetails',
        'sharedeventid',
        'vpcendpointid',
      ),
    ],
    dataFormat: DataFormat.CLOUDTRAIL_LOGS,
    database,
    tableName: 'cloudtrail_audit',
    bucket,
    description: 'CloudTrail Glue table',
    s3Prefix: logsPrefix,
    partitionKeys: stringColumns('timestamp', 'region', 'account'),
  });

  // Unchecked cast: assumes the construct's default child is the CfnTable.
  const tableResource = auditTable.node.defaultChild as CfnTable;

  // Single-quoted on purpose: ${account}, ${region} and ${timestamp} are
  // projection placeholders, not JavaScript interpolation.
  const partitionPathTemplate = '/${account}/CloudTrail/${region}/${timestamp}';

  // NOTE(review): accounts and regions are joined verbatim. An empty array
  // yields an empty enum value list, and an entry containing a comma or stray
  // whitespace changes the projected values. Nothing here validates either
  // case, so confirm that callers do.
  const projectionParameters = {
    EXTERNAL: 'TRUE',
    'projection.enabled': 'true',
    'projection.timestamp.type': 'date',
    // Fixed lower bound: days before 2021/01/01 are outside the projected range.
    'projection.timestamp.range': '2021/01/01,NOW',
    'projection.timestamp.format': 'yyyy/MM/dd',
    'projection.timestamp.interval': '1',
    'projection.timestamp.interval.unit': 'DAYS',
    'projection.account.type': 'enum',
    'projection.account.values': accounts.join(','),
    'projection.region.type': 'enum',
    'projection.region.values': regions.join(','),
    'storage.location.template': logsRoot + partitionPathTemplate,
  };
  tableResource.addOverride('Properties.TableInput.Parameters', projectionParameters);

  return auditTable;
}