Files
wehub-resource-sync 4b6817381b
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:10:45 +08:00

287 lines
11 KiB
Python

"""CloudTrail events tool — "who changed what, and when?" change forensics.
Wraps the read-only CloudTrail ``lookup_events`` API so the planner can trace
configuration-change causality during an AWS incident: IAM changes,
security-group mutations, EKS/Lambda config updates, and resource deletions.
CloudTrail's ``LookupAttributes`` accepts only ONE filter attribute per call,
so the tool exposes the common forensic filters (resource name, event source,
principal/username) as optional params and sends the most specific one that was
provided. A ``duration_minutes`` window is converted to the ``StartTime`` /
``EndTime`` pair the API expects.
"""
from __future__ import annotations
import json
import logging
from datetime import UTC, datetime, timedelta
from typing import Any, cast
from core.tool_framework.tool_decorator import tool
from integrations.aws.aws_sdk_client import execute_aws_sdk_call
from integrations.cloudtrail import (
DEFAULT_CLOUDTRAIL_REGION,
cloudtrail_extract_params,
cloudtrail_is_available,
)
logger = logging.getLogger(__name__)
DEFAULT_DURATION_MINUTES = 60
# CloudTrail caps lookups at 90 days of history and 50 events per page.
MAX_DURATION_MINUTES = 90 * 24 * 60
DEFAULT_MAX_RESULTS = 50
MAX_RESULTS_LIMIT = 50
def _build_lookup_attribute(
resource_name: str,
event_source: str,
username: str,
) -> list[dict[str, str]]:
"""Build the single-item ``LookupAttributes`` list CloudTrail allows.
CloudTrail rejects more than one attribute per request, so we pick the most
specific filter that was provided: a concrete resource pins the blast
radius best, then the acting principal, then the broad service source.
Returns an empty list when no filter is set (recent account-wide events).
"""
if resource_name:
return [{"AttributeKey": "ResourceName", "AttributeValue": resource_name}]
if username:
return [{"AttributeKey": "Username", "AttributeValue": username}]
if event_source:
return [{"AttributeKey": "EventSource", "AttributeValue": event_source}]
return []
def _shape_event(raw: dict[str, Any]) -> dict[str, Any]:
"""Trim a raw CloudTrail event down to the fields RCA actually needs."""
# Skip non-dict Resources entries: the transport sanitizer replaces the tail
# of an oversized list with a "... (N more items truncated)" string (one
# event CAN reference >MAX_LIST_ITEMS resources, e.g. CreateTags across a
# fleet), and degraded payloads may carry nulls. Anything skipped is
# surfaced via resources_truncated so the planner knows the resource list
# understates the true blast radius instead of silently trusting it.
raw_resources = raw.get("Resources") or []
resources = [
{
"type": resource.get("ResourceType"),
"name": resource.get("ResourceName"),
}
for resource in raw_resources
if isinstance(resource, dict)
]
resources_truncated = len(resources) != len(raw_resources)
# CloudTrailEvent is a JSON string carrying the full record; pull the
# high-signal forensic fields out of it without dumping the whole blob.
aws_region = source_ip = error_code = None
detail = raw.get("CloudTrailEvent")
if isinstance(detail, str):
try:
parsed = json.loads(detail)
except (ValueError, TypeError):
parsed = {}
# The record should be a JSON object, but degraded payloads can carry
# valid-but-non-dict JSON ("null", a bare string, a list) — treat those
# as "no detail" rather than crashing on .get.
if not isinstance(parsed, dict):
parsed = {}
aws_region = parsed.get("awsRegion")
source_ip = parsed.get("sourceIPAddress")
error_code = parsed.get("errorCode")
# CloudTrail returns ReadOnly as the string "true"/"false"; coerce to a real
# bool so callers don't trip over "false" being truthy in Python.
read_only_raw = raw.get("ReadOnly")
if isinstance(read_only_raw, bool):
read_only = read_only_raw
elif isinstance(read_only_raw, str):
read_only = read_only_raw.strip().lower() == "true"
else:
read_only = None
return {
"event_id": raw.get("EventId"),
"event_name": raw.get("EventName"),
"event_time": raw.get("EventTime"),
"event_source": raw.get("EventSource"),
"username": raw.get("Username"),
"read_only": read_only,
"access_key_id": raw.get("AccessKeyId"),
"resources": resources,
"resources_truncated": resources_truncated,
"aws_region": aws_region,
"source_ip_address": source_ip,
"error_code": error_code,
}
@tool(
name="lookup_cloudtrail_events",
display_name="CloudTrail",
source="cloudtrail",
description=(
"Look up recent AWS CloudTrail management events to answer 'who changed "
"what, and when?' — IAM changes, security-group mutations, EKS/Lambda "
"config updates, and resource deletions. Filter by resource name, event "
"source (e.g. iam.amazonaws.com), or username over a time window."
),
use_cases=[
"Finding who modified an IAM policy, role, or security group before an incident",
"Tracing config changes to a specific resource (by ResourceName)",
"Auditing all actions taken by a principal/user (by Username)",
"Reviewing recent activity from one AWS service (by EventSource)",
"Establishing change causality at the start of a post-mortem",
],
requires=[],
input_schema={
"type": "object",
"properties": {
"resource_name": {
"type": "string",
"description": "Filter by a specific resource name/ARN (most specific filter).",
},
"event_source": {
"type": "string",
"description": "Filter by AWS service event source, e.g. 'iam.amazonaws.com'.",
},
"username": {
"type": "string",
"description": "Filter by the acting principal / IAM username.",
},
"region": {"type": "string", "default": DEFAULT_CLOUDTRAIL_REGION},
"duration_minutes": {
"type": "integer",
"default": DEFAULT_DURATION_MINUTES,
"minimum": 1,
"maximum": MAX_DURATION_MINUTES,
"description": "Look-back window in minutes (CloudTrail keeps 90 days).",
},
"max_results": {
"type": "integer",
"default": DEFAULT_MAX_RESULTS,
"minimum": 1,
"maximum": MAX_RESULTS_LIMIT,
},
"next_token": {
"type": "string",
"default": "",
"description": (
"Pagination token from a previous truncated response; pass it to "
"fetch the next page of events."
),
},
},
"required": [],
},
injected_params=("aws_backend",),
is_available=cloudtrail_is_available,
extract_params=cloudtrail_extract_params,
)
def lookup_cloudtrail_events(
resource_name: str = "",
event_source: str = "",
username: str = "",
region: str = DEFAULT_CLOUDTRAIL_REGION,
duration_minutes: int = DEFAULT_DURATION_MINUTES,
max_results: int = DEFAULT_MAX_RESULTS,
next_token: str = "",
aws_backend: Any = None,
**_kwargs: Any,
) -> dict[str, Any]:
"""Look up recent CloudTrail management events scoped to a filter + window.
When ``aws_backend`` is provided (FixtureAWSBackend in synthetic tests) the
call short-circuits to the backend so we never leak boto3 calls to real AWS
during scenario runs. Otherwise calls boto3 cloudtrail via
``execute_aws_sdk_call`` using the default boto3 credential chain.
"""
duration_minutes = max(1, min(duration_minutes, MAX_DURATION_MINUTES))
max_results = max(1, min(max_results, MAX_RESULTS_LIMIT))
lookup_attributes = _build_lookup_attribute(resource_name, event_source, username)
logger.info(
"[cloudtrail] lookup_events region=%s filter=%s duration=%s max=%s",
region,
lookup_attributes or "none",
duration_minutes,
max_results,
)
if aws_backend is not None:
return cast(
"dict[str, Any]",
aws_backend.lookup_events(
lookup_attributes=lookup_attributes,
duration_minutes=duration_minutes,
max_results=max_results,
region=region,
next_token=next_token,
),
)
end_time = datetime.now(UTC)
start_time = end_time - timedelta(minutes=duration_minutes)
parameters: dict[str, Any] = {
"StartTime": start_time,
"EndTime": end_time,
"MaxResults": max_results,
}
if lookup_attributes:
parameters["LookupAttributes"] = lookup_attributes
if next_token:
parameters["NextToken"] = next_token
result = execute_aws_sdk_call(
service_name="cloudtrail",
operation_name="lookup_events",
parameters=parameters,
region=region,
)
if not result.get("success"):
logger.error(
"[cloudtrail] lookup_events failed region=%s: %s",
region,
result.get("error"),
)
return {
"source": "cloudtrail",
"available": False,
"error": "Failed to look up CloudTrail events. Check server logs for details.",
}
data = result.get("data") or {}
raw_events = data.get("Events") or []
# Shape only dict entries. Defensive: the sanitizer's list-truncation marker
# cannot reach Events today (LookupEvents pages cap at 50 < MAX_LIST_ITEMS
# and the client never merges pages) — unlike per-event Resources, where it
# genuinely can — but degraded payloads must degrade, not crash the parse.
events = [_shape_event(event) for event in raw_events if isinstance(event, dict)]
# CloudTrail returns a NextToken when more matching events exist beyond this
# page. Surface it so the agent knows the result is partial (and can paginate
# via the next_token param) instead of silently treating 50 events as "all".
returned_token = data.get("NextToken") or None
# NOTE: the success payload must NOT carry an "error" key. The runtime tool
# loop (core.execution._normalize_result) treats the mere presence of an
# "error" key as a failure (is_error = "error" in raw) and replaces the whole
# payload with {"error": ...} before the agent sees it — so a success dict
# with "error": None would hide every event from the investigation. Only the
# failure paths above set "error".
return {
"source": "cloudtrail",
"available": True,
"region": region,
"duration_minutes": duration_minutes,
"filter": (lookup_attributes[0] if lookup_attributes else None),
"total_events": len(events),
"truncated": bool(returned_token),
"next_token": returned_token,
"events": events,
}