jayers99 · October 9, 2019 21:41
diff --git a/cloudtrailFun.sh b/cloudtrailFun.sh
 aws cloudtrail lookup-events --profile dev --max-results 10 \
 --lookup-attributes AttributeKey=EventName,AttributeValue=GetTrailStatus --query 'Events[*].CloudTrailEvent' | jq -r . | jq .

 # events by some user
 aws cloudtrail lookup-events --profile dev --max-results 50 \
 --lookup-attributes AttributeKey=Username,AttributeValue=someUserName --query 'Events[*].CloudTrailEvent' | jq -r . | jq .eventName

 # write events
 aws cloudtrail lookup-events --profile dev --max-results 100 \
 --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false --query 'Events[*].CloudTrailEvent' | jq -r .

 # comma delim of username/identity and eventname
 aws cloudtrail lookup-events --profile dev --max-results 40 \
 --query 'Events[*].CloudTrailEvent' | \
 jq '. | "\(.eventTime), \(.userIdentity.sessionContext.sessionIssuer.userName), \(.userIdentity.userName), \(.eventName)"' | jq -r .

 # security group create
 aws cloudtrail lookup-events --profile dev --max-results 10 \
 --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecurityGroup \
 --query 'Events[*].CloudTrailEvent' | jq -r '.[]' | \
 jq '. | "\(.eventTime), \(.userIdentity.principalId), \(.requestParameters.groupName)"' | jq -r

 aws cloudtrail lookup-events --profile dev --max-results 10 \
 --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecurityGroup \
 --query 'Events[*].CloudTrailEvent' | jq -r '.[]' | \
 jq '. | "\(.eventTime) \(.userIdentity.principalId) \(.userIdentity.accessKeyId) \(.requestParameters.groupName)"' | jq -r

 # get one by event id
 aws cloudtrail lookup-events --profile dev --max-results 10 \
 --lookup-attributes AttributeKey=EventId,AttributeValue=someIDGuid \
 --query 'Events[*].CloudTrailEvent' | jq -r '.[]' | jq
	aws cloudtrail lookup-events --profile dev --max-results 10 \
	--lookup-attributes AttributeKey=EventName,AttributeValue=GetTrailStatus --query 'Events[*].CloudTrailEvent' \| jq -r . \| jq .

	# events by some user
	aws cloudtrail lookup-events --profile dev --max-results 50 \
	--lookup-attributes AttributeKey=Username,AttributeValue=someUserName --query 'Events[*].CloudTrailEvent' \| jq -r . \| jq .eventName

	# write events
	aws cloudtrail lookup-events --profile dev --max-results 100 \
	--lookup-attributes AttributeKey=ReadOnly,AttributeValue=false --query 'Events[*].CloudTrailEvent' \| jq -r .

	# comma delim of username/identity and eventname
	aws cloudtrail lookup-events --profile dev --max-results 40 \
	--query 'Events[*].CloudTrailEvent' \| \
	jq '. \| "\(.eventTime), \(.userIdentity.sessionContext.sessionIssuer.userName), \(.userIdentity.userName), \(.eventName)"' \| jq -r .

	# security group create
	aws cloudtrail lookup-events --profile dev --max-results 10 \
	--lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecurityGroup \
	--query 'Events[*].CloudTrailEvent' \| jq -r '.[]' \| \
	jq '. \| "\(.eventTime), \(.userIdentity.principalId), \(.requestParameters.groupName)"' \| jq -r

	aws cloudtrail lookup-events --profile dev --max-results 10 \
	--lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecurityGroup \
	--query 'Events[*].CloudTrailEvent' \| jq -r '.[]' \| \
	jq '. \| "\(.eventTime) \(.userIdentity.principalId) \(.userIdentity.accessKeyId) \(.requestParameters.groupName)"' \| jq -r

	# get one by event id
	aws cloudtrail lookup-events --profile dev --max-results 10 \
	--lookup-attributes AttributeKey=EventId,AttributeValue=someIDGuid \
	--query 'Events[*].CloudTrailEvent' \| jq -r '.[]' \| jq