Cloudtrail

The Cloudtrail Optimizer in Observo AI allows users to process AWS Cloudtrail events.

Purpose

A transform tailormade for Cloudtrail. It includes options to:

  • Drop events based on eventnames by matching it with supplied regexes. Usually it helps to reduce volume to drop eventnames with List, Get and such by using a regex like List*|Get*|Describe*

  • Applying sensitive data masking in Observo AI automatically redacts credentials and identifiers from logs to enhance security, support compliance such as SOC 2, PCI-DSS, HIPAA, and optimize operations by safely reducing log volume and protecting downstream systems.

  • Specify exact keys to remove from each CloudTrail event, helping reduce payload size and eliminate unnecessary or sensitive fields before downstream processing.

  • Perform aggregations on incoming Cloudtrail events by using more fine-grained aggregation policies.

Usage

Select Cloudtrail Optimizer transform. Add Name (required) and Description (optional).

General Configuration:

  • Bypass Transform: Defaults to disable. When enabled, this transform will be bypassed entirely, allowing the event to pass through without any modifications.

  • Add Filter Conditions: Defaults to disable. When enabled, it allows events to filter through conditions. Only events that meet the true condition will be processed; all others will bypass this transform. Based on AND/OR conditions, "+Rule" or "+Group" buttons.

Cloudtrail Optimizer:

Filter By Event Names (pulldown):

  • Enabled (True): Enable or disable this transform.

  • Regex for Eventnames: Input regex that will be used to filter out events based on event names. Click the Add button to add a new field. Click on Trash Can Icon to delete entry.

    Examples:

    List*

    Get*

    Describe*

Mask Sensitive Data (pulldown):

  • Enabled (True): Enable or disable this transform.

  • Mask Access Keys (True): Masks Access Keys

  • Mask Assume RoleIds (True): Masks Assume RoleIds

Event Serializer (pulldown):

  • Enabled (True): Enable or disable this transform.

  • Keys to remove: Specify keys that will be removed from each Cloudtrail event. Click the Add button to add a new field. Click on Trash Can Icon to delete entry.

    Examples:

    additionalEventData

    requestParameters

    tlsDetails

    userIdentity.accessKeyId

Aggregation (pulldown):

  • Enabled (True): Enable or disable this transform.

  • Field names to Aggregate By: A comma separate list of columns to group by and merge. Add button to add a new field. Click on Trash Can Icon to delete entry.

    Examples:

    eventName

    sourceIPAddress

    requestParameters

    responseElements

    eventCategory

  • Max Events: The maximum number of events to group together. Default: 100.

  • Flush Time(seconds): The maximum amount of time in seconds to wait before flushing events to Destination. Defaults: 30.

  • Aggregation Methods: Set of event fields to evaluate and add/set. Click Add button to add new field as a key-value pair, with the following inputs:

    • Field Name: The name of the field whose value is being aggregated.

    • Aggregation Method: The method used to aggregate the values of the field. For example, if the field is an integer, you can sum the values, or keep the maximum value. If the field is a string, you can concatenate the values, or keep the shortest or longest value.

      Here are the possible methods:

      • Append value to array

      • Concatenate string separated by space

      • Concatenate string separated by newline

      • Concatenate string without any separator

      • Keep first value

      • Keep last value

      • Create flattened array of unique values

      • Keep maximum value

      • Keep minimum value

      • Sum values

      • Keep shortest array

      • Keep longest array

Examples

Let’s use the following AWS Cloudtrail Data Snippet to separately validate the Filter By Event Names, Mask Sensitive Data, and Aggregation.

AWS Cloudtrail Data Snippet (8 Log entries)
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "accountId": "123456789122",
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "type": "AWS::IAM::Role"
        }
    ],
    "responseElements": {
        "assumedRoleUser": {
            "arn": "arn:aws:sts::123456789122:assumed-role/aws-controltower-ConfigRecorderRole/AWSConfig-Delivery",
            "assumedRoleId": "AROAZPN3N44NFG4PENWKW:AWSConfig-Delivery"
        },
        "credentials": {
            "accessKeyId": "ASIAZPERN54NFDW3QDR3",
            "expiration": "Jan 3, 2022 8:07:22 PM",
            "sessionToken": "IQoJb3JpZ2luX2VjEFsaCXVzLXdlc3QtMiJIMEYCIQDnD7QGLWQ0M39zE7+1bpBcWfrcNQd+QJagYIb3/FwsqgIhALxcRucOS3Ff77BlhabQ20ot0WaQvZrj2fQtYPbOdi9DKtUCCGQQABoMNjUwOTkyNTQ1NTYyIgz1SDhpV6ywmesr5P4qsgIvyIZDgkCafSHCaCVsKj/VPXQkOnsmX5ntBzoGHYoo5ItgEEpy4iAPmgimr6rtvj5vQvNxpyDNuGs1MunooY0U2lsdtjNrQWKpCaXeRzfdZc0BELe/CdWR+6UQMLkmEvnuvID8qyzTiECZQr3Pe+dASYKd5sffDO/vtmOg5AfEsaiEat8bYcMVoM/8w0530kTm/uCywd3KO+sq/CrD3ID3D5UKcIzGnAHuUXIpP9iqVlxrnw196lBlL0ohXiRbMFYORr4xXFvrlPwC69VQ/SiXSKKqUPvGlmzekEcwm/61u0FCX+ixwhoVhoDzvmSYCk+/zLteSVxk6HWed2ReUvQmI2ZzyL02cPAgVXY4uGB3qHy6eTxMv6lDs6Ug8pGDDIVtCWwG2soX85N1aIlKvoQynY0w6pLNjgY6vgGNFYoUEHz+ycg/1hflPAXBKvI9KBXKGNJa4+NU1o3K7EVv8Ihw43boB/9STPFjr4KSGiXFKvDH5YLwk6yxtnsctUmRFYNbZn3RbiHCEWswpYK9ScUGqK9CngljR4u5WNFs0++J72otOcfAVhwioEblgYhktPC3v559koXJfdFa93n6ar1FA5osxidtigA/8fZC7LhjEEozpjO2+8E2gkB1HF2NRZs5hyky+kOkk9dtpekoCDJ1UoPHtmWuAAUr"
        }
    },
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "bytesTransferredIn": "0",
        "bytesTransferredOut": "91",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "SignatureVersion": "SigV4",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU="
    },
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "accountId": "123456789122",
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "accountId": "650992545562",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2022-01-03T20:25:23Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "GetEventSelectors",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "readOnly": "true",
    "eventType": "AwsApiCall",
    "managementEvent": "true",
    "recipientAccountId": "123456789122",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "accountId": "123456789122",
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "accountId": "650992545562",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2022-01-03T20:25:20Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "ListMultiRegionAccessPoints",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": "0",
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU=",
        "bytesTransferredOut": "91"
    },
    "requestID": "VRYACFF14PJ4VC6X",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "readOnly": "true",
    "eventType": "AwsApiCall",
    "managementEvent": "true",
    "recipientAccountId": "123456789122",
    "vpcEndpointId": "vpce-a0d039c9",
    "eventCategory": "Management"
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "accountId": "123456789122",
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "type": "AWS::IAM::Role"
        }
    ],
    "responseElements": {
        "assumedRoleUser": {
            "arn": "arn:aws:sts::123456789122:assumed-role/aws-controltower-ConfigRecorderRole/AWSConfig-Delivery",
            "assumedRoleId": "AROAZPN3N44NFG4PENWKW:AWSConfig-Delivery"
        },
        "credentials": {
            "accessKeyId": "ASIAZPERN54NFDW3QDR3",
            "expiration": "Jan 3, 2022 8:07:22 PM",
            "sessionToken": "IQoJb3JpZ2luX2VjEFsaCXVzLXdlc3QtMiJIMEYCIQDnD7QGLWQ0M39zE7+1bpBcWfrcNQd+QJagYIb3/FwsqgIhALxcRucOS3Ff77BlhabQ20ot0WaQvZrj2fQtYPbOdi9DKtUCCGQQABoMNjUwOTkyNTQ1NTYyIgz1SDhpV6ywmesr5P4qsgIvyIZDgkCafSHCaCVsKj/VPXQkOnsmX5ntBzoGHYoo5ItgEEpy4iAPmgimr6rtvj5vQvNxpyDNuGs1MunooY0U2lsdtjNrQWKpCaXeRzfdZc0BELe/CdWR+6UQMLkmEvnuvID8qyzTiECZQr3Pe+dASYKd5sffDO/vtmOg5AfEsaiEat8bYcMVoM/8w0530kTm/uCywd3KO+sq/CrD3ID3D5UKcIzGnAHuUXIpP9iqVlxrnw196lBlL0ohXiRbMFYORr4xXFvrlPwC69VQ/SiXSKKqUPvGlmzekEcwm/61u0FCX+ixwhoVhoDzvmSYCk+/zLteSVxk6HWed2ReUvQmI2ZzyL02cPAgVXY4uGB3qHy6eTxMv6lDs6Ug8pGDDIVtCWwG2soX85N1aIlKvoQynY0w6pLNjgY6vgGNFYoUEHz+ycg/1hflPAXBKvI9KBXKGNJa4+NU1o3K7EVv8Ihw43boB/9STPFjr4KSGiXFKvDH5YLwk6yxtnsctUmRFYNbZn3RbiHCEWswpYK9ScUGqK9CngljR4u5WNFs0++J72otOcfAVhwioEblgYhktPC3v559koXJfdFa93n6ar1FA5osxidtigA/8fZC7LhjEEozpjO2+8E2gkB1HF2NRZs5hyky+kOkk9dtpekoCDJ1UoPHtmWuAAUr"
        }
    },
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "bytesTransferredIn": "0",
        "bytesTransferredOut": "91",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "SignatureVersion": "SigV4",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU="
    },
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}

Filter By Event Names

Scenario: Drop events based on event names by matching it with supplied regexes. Here we reduce the volume by dropping event names with List, Get using a regex - List*|Get*|Describe*

Enabled: Toggled on

List*

Get*

Describe*

Results: Events containing List, Get or Describe are dropped.

AWS Cloudtrail Data drops to 2 Log entries
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "accountId": "123456789122",
            "type": "AWS::IAM::Role"
        }
    ],
    "responseElements": {
        "assumedRoleUser": {
            "arn": "arn:aws:sts::123456789122:assumed-role/aws-controltower-ConfigRecorderRole/AWSConfig-Delivery",
            "assumedRoleId": "AROAZPN3N44NFG4PENWKW:AWSConfig-Delivery"
        },
        "credentials": {
            "accessKeyId": "ASIAZPERN54NFDW3QDR3",
            "expiration": "Jan 3, 2022 8:07:22 PM",
            "sessionToken": "IQoJb3JpZ2luX2VjEFsaCXVzLXdlc3QtMiJIMEYCIQDnD7QGLWQ0M39zE7+1bpBcWfrcNQd+QJagYIb3/FwsqgIhALxcRucOS3Ff77BlhabQ20ot0WaQvZrj2fQtYPbOdi9DKtUCCGQQABoMNjUwOTkyNTQ1NTYyIgz1SDhpV6ywmesr5P4qsgIvyIZDgkCafSHCaCVsKj/VPXQkOnsmX5ntBzoGHYoo5ItgEEpy4iAPmgimr6rtvj5vQvNxpyDNuGs1MunooY0U2lsdtjNrQWKpCaXeRzfdZc0BELe/CdWR+6UQMLkmEvnuvID8qyzTiECZQr3Pe+dASYKd5sffDO/vtmOg5AfEsaiEat8bYcMVoM/8w0530kTm/uCywd3KO+sq/CrD3ID3D5UKcIzGnAHuUXIpP9iqVlxrnw196lBlL0ohXiRbMFYORr4xXFvrlPwC69VQ/SiXSKKqUPvGlmzekEcwm/61u0FCX+ixwhoVhoDzvmSYCk+/zLteSVxk6HWed2ReUvQmI2ZzyL02cPAgVXY4uGB3qHy6eTxMv6lDs6Ug8pGDDIVtCWwG2soX85N1aIlKvoQynY0w6pLNjgY6vgGNFYoUEHz+ycg/1hflPAXBKvI9KBXKGNJa4+NU1o3K7EVv8Ihw43boB/9STPFjr4KSGiXFKvDH5YLwk6yxtnsctUmRFYNbZn3RbiHCEWswpYK9ScUGqK9CngljR4u5WNFs0++J72otOcfAVhwioEblgYhktPC3v559koXJfdFa93n6ar1FA5osxidtigA/8fZC7LhjEEozpjO2+8E2gkB1HF2NRZs5hyky+kOkk9dtpekoCDJ1UoPHtmWuAAUr"
        }
    },
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}

Mask Sensitive Data

Scenario: An organization uses Observo AI to ingest AWS CloudTrail logs and applies sensitive data masking to redact credentials and role identifiers before routing logs to analytics and storage platforms, ensuring security and compliance.

Results:

  1. Enhanced Security

    • Access Keys and Assume Role IDs are stripped before they ever hit downstream systems

    • Reduces blast radius if a log leak or misconfiguration occurs

  2. Compliance Alignment

    • Ensures PII and credential data do not leave your trusted zones in clear text.

  3. Enables smooth audits for:

    • SOC 2: Protects sensitive data exposure

    • PCI-DSS: Prevents PAN/credential storage in logs

    • ISO 27001 / HIPAA: Ensures data minimization

All Access Keys (accessKeyId) & Assume RoleIds (assumedRoleId) are masked out
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "accountId": "123456789122",
            "type": "AWS::IAM::Role"
        }
    ],
    "responseElements": {
        "assumedRoleUser": {
            "arn": "arn:aws:sts::123456789122:assumed-role/aws-controltower-ConfigRecorderRole/AWSConfig-Delivery",
            "assumedRoleId": "*********************:AWSConfig-Delivery"
        },
        "credentials": {
            "accessKeyId": "****************",
            "expiration": "Jan 3, 2022 8:07:22 PM",
            "sessionToken": "IQoJb3JpZ2luX2VjEFsaCXVzLXdlc3QtMiJIMEYCIQDnD7QGLWQ0M39zE7+1bpBcWfrcNQd+QJagYIb3/FwsqgIhALxcRucOS3Ff77BlhabQ20ot0WaQvZrj2fQtYPbOdi9DKtUCCGQQABoMNjUwOTkyNTQ1NTYyIgz1SDhpV6ywmesr5P4qsgIvyIZDgkCafSHCaCVsKj/VPXQkOnsmX5ntBzoGHYoo5ItgEEpy4iAPmgimr6rtvj5vQvNxpyDNuGs1MunooY0U2lsdtjNrQWKpCaXeRzfdZc0BELe/CdWR+6UQMLkmEvnuvID8qyzTiECZQr3Pe+dASYKd5sffDO/vtmOg5AfEsaiEat8bYcMVoM/8w0530kTm/uCywd3KO+sq/CrD3ID3D5UKcIzGnAHuUXIpP9iqVlxrnw196lBlL0ohXiRbMFYORr4xXFvrlPwC69VQ/SiXSKKqUPvGlmzekEcwm/61u0FCX+ixwhoVhoDzvmSYCk+/zLteSVxk6HWed2ReUvQmI2ZzyL02cPAgVXY4uGB3qHy6eTxMv6lDs6Ug8pGDDIVtCWwG2soX85N1aIlKvoQynY0w6pLNjgY6vgGNFYoUEHz+ycg/1hflPAXBKvI9KBXKGNJa4+NU1o3K7EVv8Ihw43boB/9STPFjr4KSGiXFKvDH5YLwk6yxtnsctUmRFYNbZn3RbiHCEWswpYK9ScUGqK9CngljR4u5WNFs0++J72otOcfAVhwioEblgYhktPC3v559koXJfdFa93n6ar1FA5osxidtigA/8fZC7LhjEEozpjO2+8E2gkB1HF2NRZs5hyky+kOkk9dtpekoCDJ1UoPHtmWuAAUr"
        }
    },
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "****************",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "SignatureVersion": "SigV4",
        "bytesTransferredIn": "0",
        "bytesTransferredOut": "91",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU="
    },
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "****************",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "****************",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "SignatureVersion": "SigV4",
        "bytesTransferredIn": "0",
        "bytesTransferredOut": "91",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU="
    },
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "****************",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "accountId": "123456789122",
            "type": "AWS::IAM::Role"
        }
    ],
    "responseElements": {
        "assumedRoleUser": {
            "arn": "arn:aws:sts::123456789122:assumed-role/aws-controltower-ConfigRecorderRole/AWSConfig-Delivery",
            "assumedRoleId": "*********************:AWSConfig-Delivery"
        },
        "credentials": {
            "accessKeyId": "****************",
            "expiration": "Jan 3, 2022 8:07:22 PM",
            "sessionToken": "IQoJb3JpZ2luX2VjEFsaCXVzLXdlc3QtMiJIMEYCIQDnD7QGLWQ0M39zE7+1bpBcWfrcNQd+QJagYIb3/FwsqgIhALxcRucOS3Ff77BlhabQ20ot0WaQvZrj2fQtYPbOdi9DKtUCCGQQABoMNjUwOTkyNTQ1NTYyIgz1SDhpV6ywmesr5P4qsgIvyIZDgkCafSHCaCVsKj/VPXQkOnsmX5ntBzoGHYoo5ItgEEpy4iAPmgimr6rtvj5vQvNxpyDNuGs1MunooY0U2lsdtjNrQWKpCaXeRzfdZc0BELe/CdWR+6UQMLkmEvnuvID8qyzTiECZQr3Pe+dASYKd5sffDO/vtmOg5AfEsaiEat8bYcMVoM/8w0530kTm/uCywd3KO+sq/CrD3ID3D5UKcIzGnAHuUXIpP9iqVlxrnw196lBlL0ohXiRbMFYORr4xXFvrlPwC69VQ/SiXSKKqUPvGlmzekEcwm/61u0FCX+ixwhoVhoDzvmSYCk+/zLteSVxk6HWed2ReUvQmI2ZzyL02cPAgVXY4uGB3qHy6eTxMv6lDs6Ug8pGDDIVtCWwG2soX85N1aIlKvoQynY0w6pLNjgY6vgGNFYoUEHz+ycg/1hflPAXBKvI9KBXKGNJa4+NU1o3K7EVv8Ihw43boB/9STPFjr4KSGiXFKvDH5YLwk6yxtnsctUmRFYNbZn3RbiHCEWswpYK9ScUGqK9CngljR4u5WNFs0++J72otOcfAVhwioEblgYhktPC3v559koXJfdFa93n6ar1FA5osxidtigA/8fZC7LhjEEozpjO2+8E2gkB1HF2NRZs5hyky+kOkk9dtpekoCDJ1UoPHtmWuAAUr"
        }
    },
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "****************",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "SignatureVersion": "SigV4",
        "bytesTransferredIn": "0",
        "bytesTransferredOut": "91",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU="
    },
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "****************",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}

Operational Benefits:

  • Splunk usage drops by ~20–30% due to reduced log payload size.

  • No need to manually redact sensitive fields in dashboards or alerts.

  • Engineers and analysts can still see relevant context (eventName, roleSessionName, region, etc.) without the risk.

Event Serializer

Scenario: Specify exact keys to remove from each CloudTrail event, helping reduce payload size and eliminate unnecessary or sensitive fields before downstream processing.

Remove these keys from the Cloudtrail events

additionalEventData

responseElements

Results: Only the awsRegion log entry parts are kept while the additionalEventData and the responseElements log entry parts are discarded.

Keep only the awsRegion log entry parts
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "accountId": "123456789122",
            "type": "AWS::IAM::Role"
        }
    ],
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "accountId": "123456789122",
            "type": "AWS::IAM::Role"
        }
    ],
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}

Aggregation

Scenario: Perform aggregations on incoming Cloudtrail events by using more fine-grained aggregation policies. Keep Max Events to default:100 and Flush Time(seconds) to default: 30.

Field names to Aggregate By (keep defaults)

eventName

sourceIPAddress

requestParameters

responseElements

responseElements

eventCategory

Results: Cloudtral logs are aggregated to a set of manageable patterns

All (8) Cloudtral logs are aggregated to a set of patterns equating to three (3) log entries
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "42dc3131-68c2-42f3-9137-d1a7146729b0",
    "eventName": "GetEventSelectors",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2022-01-03T20:25:23Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "54ba152b-80d2-4e84-b894-6f87f52826de",
    "requestParameters": {
        "trailName": "arn:aws:cloudtrail:us-west-2:402040279551:trail/OrganizationWideTrail"
    },
    "responseElements": null,
    "sessionCredentialFromConsole": "true",
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "console.amazonaws.com",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    }
}
{
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2e42934c-5c4a-407c-8151-86e0185443cf",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "eventTime": "2022-01-03T19:07:22Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "2f2ee951-56be-40d1-93b7-8b9da7d3d312",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
        "roleSessionName": "AWSConfig-Delivery"
    },
    "resources": [
        {
            "ARN": "arn:aws:iam::123456789122:role/aws-controltower-ConfigRecorderRole",
            "accountId": "123456789122",
            "type": "AWS::IAM::Role"
        }
    ],
    "responseElements": {
        "assumedRoleUser": {
            "arn": "arn:aws:sts::123456789122:assumed-role/aws-controltower-ConfigRecorderRole/AWSConfig-Delivery",
            "assumedRoleId": "AROAZPN3N44NFG4PENWKW:AWSConfig-Delivery"
        },
        "credentials": {
            "accessKeyId": "ASIAZPERN54NFDW3QDR3",
            "expiration": "Jan 3, 2022 8:07:22 PM",
            "sessionToken": "IQoJb3JpZ2luX2VjEFsaCXVzLXdlc3QtMiJIMEYCIQDnD7QGLWQ0M39zE7+1bpBcWfrcNQd+QJagYIb3/FwsqgIhALxcRucOS3Ff77BlhabQ20ot0WaQvZrj2fQtYPbOdi9DKtUCCGQQABoMNjUwOTkyNTQ1NTYyIgz1SDhpV6ywmesr5P4qsgIvyIZDgkCafSHCaCVsKj/VPXQkOnsmX5ntBzoGHYoo5ItgEEpy4iAPmgimr6rtvj5vQvNxpyDNuGs1MunooY0U2lsdtjNrQWKpCaXeRzfdZc0BELe/CdWR+6UQMLkmEvnuvID8qyzTiECZQr3Pe+dASYKd5sffDO/vtmOg5AfEsaiEat8bYcMVoM/8w0530kTm/uCywd3KO+sq/CrD3ID3D5UKcIzGnAHuUXIpP9iqVlxrnw196lBlL0ohXiRbMFYORr4xXFvrlPwC69VQ/SiXSKKqUPvGlmzekEcwm/61u0FCX+ixwhoVhoDzvmSYCk+/zLteSVxk6HWed2ReUvQmI2ZzyL02cPAgVXY4uGB3qHy6eTxMv6lDs6Ug8pGDDIVtCWwG2soX85N1aIlKvoQynY0w6pLNjgY6vgGNFYoUEHz+ycg/1hflPAXBKvI9KBXKGNJa4+NU1o3K7EVv8Ihw43boB/9STPFjr4KSGiXFKvDH5YLwk6yxtnsctUmRFYNbZn3RbiHCEWswpYK9ScUGqK9CngljR4u5WNFs0++J72otOcfAVhwioEblgYhktPC3v559koXJfdFa93n6ar1FA5osxidtigA/8fZC7LhjEEozpjO2+8E2gkB1HF2NRZs5hyky+kOkk9dtpekoCDJ1UoPHtmWuAAUr"
        }
    },
    "sharedEventID": "d8e78384-0f80-4db0-ac59-3e3c50d8b69b",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "userIdentity": {
        "invokedBy": "config.amazonaws.com",
        "type": "AWSService"
    }
}
{
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "SignatureVersion": "SigV4",
        "bytesTransferredIn": "0",
        "bytesTransferredOut": "91",
        "x-amz-id-2": "Jq6c50tbWBjlN+Ol/gXiZdzqln69rorG6diVL4YPUScLJfrVwWyK6SyAjE6DY7cQ2/k94kUqqdU="
    },
    "awsRegion": "us-west-2",
    "eventCategory": "Management",
    "eventID": "2d35fa10-5ec2-47ad-aa41-59f80a862266",
    "eventName": "ListMultiRegionAccessPoints",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2022-01-03T20:25:20Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.08",
    "managementEvent": "true",
    "readOnly": "true",
    "recipientAccountId": "123456789122",
    "requestID": "VRYACFF14PJ4VC6X",
    "requestParameters": {
        "Host": "123456789122.s3-control.us-west-2.amazonaws.com"
    },
    "responseElements": null,
    "sourceIPAddress": "216.164.56.230",
    "userAgent": "[AWS Console S3, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.156-94.273.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "userIdentity": {
        "accessKeyId": "ASIAZPERN54NABAEOTNF",
        "accountId": "123456789122",
        "arn": "arn:aws:sts::123456789122:assumed-role/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee/[email protected]",
        "principalId": "AROAZPERN54NES3XJZPD7:[email protected]",
        "sessionContext": {
            "attributes": {
                "creationDate": "2022-01-03T20:23:54Z",
                "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
                "accountId": "650992545562",
                "arn": "arn:aws:iam::650992545562:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee",
                "principalId": "AROAZPERN54NES3XJZPD7",
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_dad148afeb116aee"
            },
            "webIdFederationData": {}
        },
        "type": "AssumedRole"
    },
    "vpcEndpointId": "vpce-a0d039c9"
}

Cloudtrail Optimizer Best Practices

Below is an overview of best practices for optimizing your CloudTrail logs with Observo AI’s Optimizer using three key techniques:

  1. Filter Event Names

  • Prioritize Critical Events:

    • Configure your optimizer to only pass through CloudTrail events that are actionable or critical for security, compliance, and operations.

    • Exclude routine or “noisy” event names (such as benign read operations that do not add analytical values.

  • Tailor to Your Use Case:

    • Use domain knowledge to create allow/deny lists for event names based on your monitoring objectives.

    • Dynamically adjust filters as your environment and threat landscape evolve.

  1. Event Serializer (Drop Unused Fields)

  • Identify Redundant Data:

    • Analyze the full CloudTrail JSON payload and determine which keys (fields) are not used for alerting or analysis.

    • Remove keys that are constant across events or that provide little variance.

  • Reduce Data Volume:

    • Dropping unnecessary keys at ingestion minimizes storage and improves downstream query performance.

    • Ensure that only the metadata critical for your analysis, such as eventName, eventTime, userIdentity, and resource identifiers, is retained.

  1. Mask Sensitive Data

  • Mask Access Keys:

    • Access keys can be used to authenticate and authorize AWS API calls. Exposure of these keys could lead to unauthorized access.

    • Best Practice: Always mask or redact access keys (accessKeyId, secretAccessKey) before sending logs to downstream systems.

  • Mask Assume Role IDs:

    • AssumeRole events include role ARNs and session names that may reveal internal IAM structure or identities.

    • Best Practice: Mask roleArn, sessionContext, and principalId fields to avoid leaking role usage patterns or sensitive identity details.

  • Audit Your Masking Settings:

    • Periodically review masking settings to ensure they meet changing security requirements and compliance obligations such as GDPR, HIPAA, FedRAMP.

  1. Aggregation

  • Smart Summarization:

    • Group similar events by key identifiers such as eventName, user or resource IDs over a defined time window.

    • Use machine learning–powered aggregation to summarize high-frequency events into a single representative record that retains counts, time ranges, and key metrics.

  • Reduce Noise & Improve Efficiency:

    • Aggregation not only reduces the log volume by merging repetitive events but also speeds up analysis by transforming detailed logs into digestible summaries.

    • Maintain the ability to drill down into aggregated data when detailed analysis is required.

Additional Recommendations:

  • Automate and Iterate

    • Set up dynamic pipelines so that filtering, key removal, and aggregation run automatically without manual intervention.

    • Regularly review and fine-tune your rules to ensure they stay aligned with evolving business needs and threat scenarios.

  • Maintain Analytical Integrity

    • While reducing data volume, verify that essential context isn’t lost—ensure that alerts, forensics, and compliance reporting remain robust.

By applying these best practices, Observo AI’s CloudTrail Optimizer helps streamline your log data—ensuring that you retain only the actionable events with essential context, reduce storage costs, and improve query performance.

Related Functions

  • GCP Flow Log Optimizer: Perform various aggregations, including smart summarization, on GCP Flow Logs data.

  • AWS VPC Flow Logs: Perform various optimizations, including smart summarization, on AWS VPC Flow Logs data.

PreviousAWS VPC Flow LogsNextException Summarization

Last updated

Was this helpful?