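# Polls the CloudTrail SQS queue (fed by the SNS "new log file" notifications), downloads
# every log file a notification points at from S3, and forwards each record whose
# eventName appears in $InterestingEvents to that event's SQS queue.
#
# Requires the AWS Tools for PowerShell and a stored credential profile named LAB.
# A notification is deleted from the CloudTrail queue only after all of its log files
# were processed; if anything fails it stays in the queue and becomes visible again
# once the 60-second visibility timeout expires, so the next run retries it.
Set-AWSCredentials LAB
$CloudTrailQueue = 'https://sqs.us-east-1.amazonaws.com/999999999999/CloudTrail'
# eventName -> destination queue for records worth forwarding.
$InterestingEvents = @{
    'RunInstances'            = 'https://sqs.us-east-1.amazonaws.com/999999999999/Instances'
    'ModifyInstanceAttribute' = 'https://sqs.us-east-1.amazonaws.com/999999999999/Instances'
    'TerminateInstances'      = 'https://sqs.us-east-1.amazonaws.com/999999999999/Instances'
    'CreateUser'              = 'https://sqs.us-east-1.amazonaws.com/999999999999/Users'
    'DeleteUser'              = 'https://sqs.us-east-1.amazonaws.com/999999999999/Users'
}

# Returns the decompressed content of a gzip file as a string (CloudTrail log files
# are UTF-8 JSON). Uses the .NET GZipStream that ships with PowerShell, so the script
# no longer depends on a locally installed WinZip and never writes the plaintext
# JSON to disk.
function Read-GzipText {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )
    $FileStream = $null
    $GzipStream = $null
    $Reader = $null
    try {
        $FileStream = [System.IO.File]::OpenRead($Path)
        $GzipStream = New-Object System.IO.Compression.GZipStream(
            $FileStream, [System.IO.Compression.CompressionMode]::Decompress)
        $Reader = New-Object System.IO.StreamReader($GzipStream, [System.Text.Encoding]::UTF8)
        return $Reader.ReadToEnd()
    }
    finally {
        # Disposing the reader closes the gzip and file streams beneath it; the other
        # branches only matter when construction failed part-way through.
        if ($Reader) { $Reader.Dispose() }
        elseif ($GzipStream) { $GzipStream.Dispose() }
        elseif ($FileStream) { $FileStream.Dispose() }
    }
}

# First, get a batch of up to 10 notifications from the queue.
$SQSMessages = Receive-SQSMessage $CloudTrailQueue -VisibilityTimeout 60 -MaxNumberOfMessages 10
# Measure-Object gives 0 for an empty result and 1 for a single message, unlike .Count
# on older PowerShell versions.
$MessageCount = ($SQSMessages | Measure-Object).Count
Write-Host "Found" $MessageCount "messages in the queue."

foreach ($SQSMessage in $SQSMessages) {
    # A unique download path per message: a fixed name in %TEMP% collides between
    # concurrent runs and leaves a stale file behind if one of them fails.
    $GzPath = Join-Path $env:TEMP ("CloudTrail-{0}.json.gz" -f [guid]::NewGuid())
    try {
        # Second, unpack the SQS body to get the SNS message.
        $SNSMessage = $SQSMessage.Body | ConvertFrom-Json
        # Third, unpack the SNS message to get the original CloudTrail notification.
        $CloudTrailMessage = $SNSMessage.Message | ConvertFrom-Json
        # Fourth, fetch and read every log file the notification lists. s3ObjectKey is
        # an array and one notification may reference several files; the previous
        # version only ever looked at element 0 and silently dropped the rest.
        foreach ($Key in $CloudTrailMessage.s3ObjectKey) {
            $Null = Read-S3Object -BucketName $CloudTrailMessage.s3Bucket -Key $Key -File $GzPath
            # Fifth, decompress and parse the log file.
            $CloudTrailFile = Read-GzipText -Path $GzPath | ConvertFrom-Json
            # Check each record against the hash table of interesting events.
            foreach ($CloudTrailRecord in $CloudTrailFile.Records) {
                $EventName = $CloudTrailRecord.eventName
                # ContainsKey avoids indexing the hash table with a missing/null eventName.
                if ($EventName -and $InterestingEvents.ContainsKey($EventName)) {
                    Write-Host "Found event " $EventName
                    # ConvertTo-Json defaults to -Depth 2, which would flatten nested fields
                    # such as requestParameters/responseElements into type-name strings;
                    # 10 levels keeps the record intact for the downstream consumer.
                    $Null = Send-SQSMessage -QueueUrl $InterestingEvents[$EventName] `
                        -MessageBody ($CloudTrailRecord | ConvertTo-Json -Depth 10)
                }
            }
        }
        # Finally, remove the notification so it is not processed again. Reached only
        # when every file above was handled; an exception skips this and the message
        # is retried after the visibility timeout.
        Remove-SQSMessage -QueueUrl $CloudTrailQueue -ReceiptHandle $SQSMessage.ReceiptHandle -Force
    }
    catch {
        # Report on the warning stream and carry on with the remaining messages.
        Write-Warning "Oh No! $_"
    }
    finally {
        # Clean up the downloaded archive whether or not processing succeeded.
        if (Test-Path $GzPath) { Remove-Item $GzPath }
    }
}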