@jimathyp
Created June 17, 2021 09:43
AWS CloudTrail

Note: to find S3 access denied errors you need S3 access logging; the CloudTrail lookup below is not enough for those.

Use jq and the AWS CLI to list access-denied / unauthorized API calls made by one identity in a time window:

# Print a CSV header, then fetch the CloudTrail events for the time window and keep only
# AwsApiCall events by the given identity whose errorCode looks like an access-denied or
# unauthorized error. Replace "your-arn" with the IAM ARN you are investigating.
( echo "Time,Identity ARN,Event ID,Service,Action,Error,Message";
  aws cloudtrail lookup-events --start-time "2019-10-29T06:40:00Z" --end-time "2019-10-29T06:55:00Z" --query "Events[*].CloudTrailEvent" --output text \
    | jq -r ". | select(.userIdentity.arn == \"your-arn\" and .eventType == \"AwsApiCall\" and .errorCode != null
    and (.errorCode | ascii_downcase | (contains(\"accessdenied\") or contains(\"unauthorized\"))))
    | [.eventTime, .userIdentity.arn, .eventID, .eventSource, .eventName, .errorCode, .errorMessage] | @csv"
# column aligns the columns; -s'",' treats both the quote and the comma as field separators
) | column -t -s'",'
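The same filter as a Python script, added here as an example that is not part of the gist. It applies the jq selection above (identity ARN, `eventType == "AwsApiCall"`, a non-null `errorCode` that contains "accessdenied" or "unauthorized" case-insensitively) to a constructed set of CloudTrail records in the one-document-per-line shape that `aws cloudtrail lookup-events --query "Events[*].CloudTrailEvent" --output text` produces, and writes proper CSV instead of relying on `column -t -s'",'`. The sample events, the account id and the ARNs are made up; the `fetch_events` helper that shells out to the AWS CLI is an assumption about how you would wire it to a real account and is not called by default.

```python
import csv
import io
import json
import subprocess

HEADER = ["Time", "Identity ARN", "Event ID", "Service", "Action", "Error", "Message"]
DENIED_MARKERS = ("accessdenied", "unauthorized")

# Constructed sample records (not real CloudTrail data). Account id and ARNs are placeholders.
ME = "arn:aws:iam::123456789012:user/alice"
OTHER = "arn:aws:iam::123456789012:user/bob"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2019-10-29T06:41:12Z", "eventType": "AwsApiCall", "eventID": "evt-1",
     "userIdentity": {"arn": ME}, "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2019-10-29T06:42:03Z", "eventType": "AwsApiCall", "eventID": "evt-2",
     "userIdentity": {"arn": ME}, "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2019-10-29T06:43:55Z", "eventType": "AwsApiCall", "eventID": "evt-3",
     "userIdentity": {"arn": ME}, "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDeniedException", "errorMessage": "User is not authorized to perform kms:Decrypt"},
    # Successful call: no errorCode at all, so it must be skipped.
    {"eventTime": "2019-10-29T06:44:10Z", "eventType": "AwsApiCall", "eventID": "evt-4",
     "userIdentity": {"arn": ME}, "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
    # Same error, different identity: not ours.
    {"eventTime": "2019-10-29T06:45:00Z", "eventType": "AwsApiCall", "eventID": "evt-5",
     "userIdentity": {"arn": OTHER}, "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    # Not an API call event type.
    {"eventTime": "2019-10-29T06:46:30Z", "eventType": "AwsServiceEvent", "eventID": "evt-6",
     "userIdentity": {"arn": ME}, "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    # An error, but not an authorization error.
    {"eventTime": "2019-10-29T06:47:21Z", "eventType": "AwsApiCall", "eventID": "evt-7",
     "userIdentity": {"arn": ME}, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "Client.InvalidParameterValue", "errorMessage": "Value () for parameter is invalid."},
])


def is_access_denied(event, arn):
    """Mirror the jq select(): our ARN, an API call, and an access-denied style errorCode."""
    if event.get("userIdentity", {}).get("arn") != arn:
        return False
    if event.get("eventType") != "AwsApiCall":
        return False
    code = event.get("errorCode")
    if not code:  # missing or null errorCode means the call succeeded
        return False
    code = code.lower()
    return any(marker in code for marker in DENIED_MARKERS)


def denied_rows(raw_events, arn):
    """Parse one JSON document per line and return the matching rows in input order."""
    rows = []
    for line in raw_events.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_access_denied(ev, arn):
            rows.append([ev.get("eventTime"), ev["userIdentity"]["arn"], ev.get("eventID"),
                         ev.get("eventSource"), ev.get("eventName"), ev.get("errorCode"),
                         ev.get("errorMessage", "")])
    return rows


def to_csv(rows):
    """Render the header plus rows as RFC 4180 CSV (quotes and commas inside messages are escaped)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def fetch_events(start, end):
    """Assumed wiring to a real account: run the same AWS CLI command the gist uses and return its output."""
    cmd = ["aws", "cloudtrail", "lookup-events", "--start-time", start, "--end-time", end,
           "--query", "Events[*].CloudTrailEvent", "--output", "text"]
    # CloudTrailEvent documents come back whitespace-separated; json.loads per line handles one per line,
    # so normalise tabs (used between list items in text output) to newlines first.
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.replace("\t", "\n")


if __name__ == "__main__":
    print(to_csv(denied_rows(SAMPLE_EVENTS, ME)))
```

To use it against a real account, replace `SAMPLE_EVENTS` with `fetch_events("2019-10-29T06:40:00Z", "2019-10-29T06:55:00Z")` and `ME` with the ARN you are investigating; the filter itself is unchanged.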