Temporary CloudTrail for ESF S3 data events

esf-s3-data-events.sh

#!/usr/bin/env bash
set -euo pipefail

ENVIRONMENT="${ENVIRONMENT:-dev}"
ACCOUNT_ID="${ACCOUNT_ID:-150992150901}"
REGION="${REGION:-us-west-2}"
CONFIG_BUCKET="pge-elastic-serverless-forwarder-config-${ENVIRONMENT,,}-${ACCOUNT_ID}"
TRAIL_NAME="esf-config-data-events-$(date +%s)"
LOG_BUCKET="pge-cloudtrail-temp-logs-${TRAIL_NAME}"

log() {
  printf '[%s] %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1"
}

log "Creating log bucket s3://${LOG_BUCKET}"
aws s3 mb "s3://${LOG_BUCKET}"

log "Creating CloudTrail ${TRAIL_NAME}"
aws cloudtrail create-trail \
  --name "${TRAIL_NAME}" \
  --s3-bucket-name "${LOG_BUCKET}" \
  --is-multi-region-trail

aws cloudtrail start-logging --name "${TRAIL_NAME}"

log "Enabling S3 data events for ${CONFIG_BUCKET}"
aws cloudtrail put-event-selectors \
  --trail-name "${TRAIL_NAME}" \
  --event-selectors "[
    {
      \"ReadWriteType\": \"All\",
      \"IncludeManagementEvents\": false,
      \"DataResources\": [
        {
          \"Type\": \"AWS::S3::Object\",
          \"Values\": [\"arn:aws:s3:::${CONFIG_BUCKET}/\"]
        }
      ]
    }
  ]"

cat <<MSG

Force the Lambda to restart (update an env var) and wait ~60 seconds.
Then run:
  aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:s3:::${CONFIG_BUCKET}/config.yaml \
    --max-results 10

Press Enter when done to clean up logging.
MSG

read -r _

log "Stopping CloudTrail logging"
aws cloudtrail stop-logging --name "${TRAIL_NAME}"

log "Deleting CloudTrail"
aws cloudtrail delete-trail --name "${TRAIL_NAME}"

log "Deleting log bucket"
aws s3 rb "s3://${LOG_BUCKET}" --force

log "Cleanup complete"