I am working on a Lambda function to track my instances' start and stop times.
I did set up my trail – for management events – and my S3 buckets have proper permissions attached.
I used get_object to read the data from S3. Code below.
get_object returns the data to me in the form of a dictionary. My next step is to filter this data down to the records where "eventName" is "StopInstances" or "StartInstances". Can anyone tell me how to do that? I tried various dictionary methods, but nothing worked.
Code for lambda handler:
def lambda_handler(event, context):
    """Read ``event_history_j.json`` from the ``demo-cloudtrail-logs-ec2`` bucket.

    Args:
        event: Lambda invocation payload (not used here).
        context: Lambda runtime context (not used here).

    Returns:
        The object's contents exactly as read from the response body.
    """
    s3 = boto3.client('s3')
    response = s3.get_object(
        Bucket='demo-cloudtrail-logs-ec2',
        Key='event_history_j.json',
    )
    # get_object itself returns a dict of response fields, but ``Body`` is a
    # stream and ``read()`` yields raw bytes -- not a parsed dictionary. The
    # JSON text has to be decoded (json.loads) before records can be filtered.
    return response['Body'].read()
Output of this:
{"Records": [
{ "eventVersion": "1.07",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ARO",
"arn": "arn:aws",
"accountId": "0123456",
"accessKeyId": "ABCDEFGH",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ARO",
"arn": "JDHJDJDHJS",
"accountId": "0123456",
"userName": "[email protected]"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-04-22T23:16:28Z",
"mfaAuthenticated": "JDJDHFD"
}
}
},
"eventTime": "2022-04-22T23:34:46Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "eu-west-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-0039483"
},
{
"instanceId": "i-92399"
}
]
},
"force": DJDIJ
},
"responseElements": {
"requestId": "FJDSJFJDFJFDJDJ",
"instancesSet": {
"items": [
{
"instanceId": "i-0039483",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
},
{
"instanceId": "i-92399",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
}
]
}
},
"requestID": "758b",
"eventID": "68228982",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "01234567",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
},
{
"eventVersion": "1.07",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA",
"arn": "XYZ",
"accountId": "01234567",
"accessKeyId": "ABCDEFGH",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "EWUDHAKFJ",
"arn": "SJDSJDJSND",
"accountId": "01234567",
"userName": "ADKJDJAFDJFHDK"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-04-22T23:16:28Z",
"mfaAuthenticated": "TRUE"
}
}
},
"eventTime": "2022-04-22T23:34:43Z",
"eventSource": "compute-optimizer.amazonaws.com",
"eventName": "GetEC2InstanceRecommendations",
"awsRegion": "eu-west-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"instanceArns": [
"aSKSKASKASAA"
],
"maxResults": 0,
"accountIds": [
"273273273728"
]
},
"responseElements": null,
"requestID": "cb106ba",
"eventID": "d8f6",
"readOnly": true,
"eventType": "SJSDKDSK",
"managementEvent": true,
"recipientAccountId": "283283829382983",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
},
........
I can't use Pandas or other libraries.
Answers:
Method 1
Code that I used to separate the events –
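# Step 1: download the event file from S3 and parse it.
key = 'event_history_j.json'
bucket = 'demo-cloudtrail-logs-ec2'
client = boto3.client('s3')
# Body.read() returns bytes; json.loads turns them into Python objects.
data = client.get_object(Bucket=bucket, Key=key)['Body'].read()
a = json.loads(data)
# A file without a "Records" key yields an empty list instead of a KeyError.
data2 = a.get("Records", [])

# Step 2: keep only the instance start and stop events.
# NOTE(review): CloudTrail also logs calls that were denied or otherwise
# failed; those records carry an "errorCode" field. This filter keeps them,
# exactly as the original loop did -- skip records that contain "errorCode"
# if only state changes that actually took place should be tracked.
wanted_events = {"StopInstances", "StartInstances"}
data3 = [record for record in data2 if record.get('eventName') in wanted_events]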
It can be optimized, but it is a working solution.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.