Created
August 20, 2020 04:04
Simple shell script to query AWS CloudTrail for particular actions in an AWS account
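#!/bin/bash
# Uses Amazon Athena to query AWS CloudTrail logs for occurrences of the
# action sagemaker:ListNotebookInstances. The query selects the caller's
# identity ARN, event name and source, region, source IP address, error code
# and event time, and the script prints how many matching rows came back.
#
# Requires: the aws CLI with credentials allowed to run Athena queries and to
# write to the S3 output location below.
# Note: Athena stores the result set under OutputLocation. It holds principal
# ARNs and source IP addresses, so keep that bucket/prefix access-restricted.
# Note: the query is capped with LIMIT 3 and filters on a fixed date, so the
# reported count is a lower bound ("at least"), not a total.

# Fail on unset variables and let a failing aws call surface through a pipe.
set -uo pipefail

SQL="SELECT useridentity.arn, eventname, eventsource, awsregion, sourceipaddress, errorcode, eventtime FROM cloudtrail_logs_account_logging WHERE eventsource = 'sagemaker.amazonaws.com' AND eventname in ('ListNotebookInstances') AND eventtime > '2020-04-15' LIMIT 3;"

# Print the current state of the query identified by EXEC_ID.
query_state() {
  aws athena get-query-execution \
    --query-execution-id "$EXEC_ID" \
    --query 'QueryExecution.Status.State' \
    --output text
}

if ! EXEC_ID=$(aws athena start-query-execution \
  --query-string "$SQL" \
  --result-configuration OutputLocation=s3://my-s3-logging-bucket/queries \
  --query 'QueryExecutionId' \
  --output text); then
  echo "Failed to start the Athena query" >&2
  exit 1
fi
echo "Started execution ID $EXEC_ID"

if ! STATUS=$(query_state); then
  echo "Failed to read the status of query $EXEC_ID" >&2
  exit 1
fi

# A new query is normally QUEUED before it is RUNNING; polling only on RUNNING
# would fall through immediately and read results that do not exist yet.
while [ "$STATUS" = 'QUEUED' ] || [ "$STATUS" = 'RUNNING' ]; do
  echo "Query has status $STATUS"
  sleep 5
  if ! STATUS=$(query_state); then
    echo "Failed to read the status of query $EXEC_ID" >&2
    exit 1
  fi
done

# FAILED and CANCELLED queries have no result set to count.
if [ "$STATUS" != 'SUCCEEDED' ]; then
  echo "Query $EXEC_ID ended with status $STATUS" >&2
  exit 1
fi

if ! ROW_LINES=$(aws athena get-query-results \
  --query-execution-id "$EXEC_ID" \
  --query 'ResultSet.Rows[*].Data[*].VarCharValue' \
  --output text | wc -l); then
  echo "Failed to fetch results for query $EXEC_ID" >&2
  exit 1
fi

# Athena returns the column names as the first row of a SELECT result, so
# that line is not an event and is excluded from the count.
REC_COUNT=$(( ROW_LINES > 0 ? ROW_LINES - 1 : 0 ))
echo "Action was invoked at least $REC_COUNT times this month"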