Today I got an email from AWS Health about my personal account:
Our records indicate that one or more applications in this account made AWS API calls using the AWS SDK for Java 1.x within the last 16 days.
Hmmm … I think the only thing I did with that account in the last several months was uploading backup files to S3 using the CLI (which is written in Python). Maybe I have a Lambda running on a schedule? Nope, all of my current Lambdas are written in Python, and none of them are triggered on a schedule. Maybe an errant EC2 instance or ECS task? Nope, nothing.
The email went on to say that I could use CloudTrail to “trace SDK 1.x API calls back to a specific principal”. That seemed like a good idea, especially since I have the “one free trail” writing events to S3 (as everyone should!). So I downloaded all of the files for the past two months, and started to explore them using jq.
How can one use CloudTrail to identify the source of an event? If you look at the example event from the docs, you'll see a likely candidate: userAgent. Extracting and counting the unique values for this field, I got the following:
33 "AWS Internal"
1 "aws-sdk-java/2.44.4 md/io#sync md/http#Apache md/internal ua/2.1 api/VerifiedPermissions#2.44.x os/Linux#6.1.166 lang/java#25.0.3 md/OpenJDK_64-Bit_Server_VM#25.0.3+9-LTS md/vendor#Amazon.com_Inc. md/en_US md/kotlin/2.3.21-release-298 exec-env/AWS_ECS_FARGATE m/D,AJ,i"
112 "backup.amazonaws.com"
1430 "cloudtrail.amazonaws.com"
3 "[Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0]"
200 "Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0"
755 "rds.amazonaws.com"
3115 "resource-explorer-2.amazonaws.com"
Only one event that claims to be from the Java SDK, and that's from version 2.44.4. And most of the events seem to be from AWS itself. I poked around a little more, including filtering events by sourceIPAddress and extracting the events corresponding to my home IP, but didn't find anything that pointed at the Java v1 SDK.
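A Python version of that triage (an added example, not the author's jq commands), assuming the downloaded files are the gzipped JSON objects with a top-level Records array that CloudTrail writes to S3, and that the Java 1.x SDK identifies itself with a userAgent beginning with aws-sdk-java/1. (v2 clients, as seen above, report aws-sdk-java/2.x). The records below are constructed, not real log data.

```python
import gzip
import io
import json
import re
from collections import Counter
from typing import Iterable, List, Optional

# Assumption: SDK for Java 1.x user agents start with "aws-sdk-java/1."; v2 uses "aws-sdk-java/2."
JAVA_SDK_V1_RE = re.compile(r"^aws-sdk-java/1\.")


def load_records(blob: bytes) -> List[dict]:
    """Parse one CloudTrail log file: gzipped JSON with a top-level 'Records' array."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def count_user_agents(records: Iterable[dict]) -> Counter:
    """The 'extract and count unique userAgent values' step."""
    return Counter(r.get("userAgent", "<missing>") for r in records)


def java_v1_callers(records: Iterable[dict], source_ip: Optional[str] = None) -> List[dict]:
    """Principal, time and IP for each event from the Java 1.x SDK, optionally
    restricted to one sourceIPAddress (the 'filter by my home IP' step)."""
    hits = []
    for r in records:
        if not JAVA_SDK_V1_RE.match(r.get("userAgent", "")):
            continue
        if source_ip and r.get("sourceIPAddress") != source_ip:
            continue
        ident = r.get("userIdentity", {})
        hits.append({"eventTime": r.get("eventTime"), "eventName": r.get("eventName"),
                     "sourceIPAddress": r.get("sourceIPAddress"),
                     "principal": ident.get("arn") or ident.get("type")})
    return hits


# Constructed sample records (placeholder IPs, account id and times; not real CloudTrail data).
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-01T00:00:00Z", "eventName": "GetBucketLocation",
     "userAgent": "aws-sdk-java/1.12.780 Linux/6.1.0 OpenJDK_64-Bit_Server_VM/17.0.2 java/17.0.2",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example"}},
    {"eventTime": "2025-01-01T00:01:00Z", "eventName": "ListBuckets",
     "userAgent": "aws-sdk-java/2.44.4 md/io#sync", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser"}},
    {"eventTime": "2025-01-01T00:02:00Z", "eventName": "DescribeDBInstances",
     "userAgent": "rds.amazonaws.com", "sourceIPAddress": "rds.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]


def sample_blob() -> bytes:
    """Gzip the constructed records in the on-disk layout CloudTrail uses."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))
```

Running load_records over every downloaded file and feeding the combined list to java_v1_callers gives the principal behind any SDK 1.x call, which is what the AWS Health email suggests doing; an empty result over the whole period is the same finding the post reaches.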
Which leaves me with one of two conclusions. Either (1) this is a spurious email, and there hasn't been any Java v1 usage in the past 16 days (or two months), or (2) AWS has some way of determining the v1 SDK that doesn't involve the user agent, that information isn't stored in the CloudTrail event, and the call is coming from inside the house.
Either way, this warning could cause larger users to waste a lot of time (aka money) chasing down a non-existent problem (assuming, that is, that they actually updated their legacy code, something I didn't expect to happen).