Last active
October 4, 2023 08:53
-
-
Save shadiakiki1986/f6e676d1ab5800fcf7899b6a392ab821 to your computer and use it in GitHub Desktop.
aws cli cloudtrail + jq examples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # list latest 10 event names and the next token | |
| aws cloudtrail lookup-events \ | |
| --max-items 10 \ | |
| --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com \ | |
| --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false \ | |
| --starting-token "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxMH0=" | \ | |
| jq '.Events[].EventName,.NextToken' | |
| "ModifyInstanceAttribute" | |
| "CreateLogStream" | |
| "CreateLogStream" | |
| "CreateLogStream" | |
| "CreateLogStream" | |
| "CreateLogStream" | |
| "CreateLogStream" | |
| "StopInstances" | |
| "CreateTags" | |
| "ModifyInstanceAttribute" | |
| "abcdef" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # get the latest request paremter as filterable json with jq | |
| aws cloudtrail lookup-events \ | |
| --max-items 1 \ | |
| --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com \ | |
| --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyInstanceAttribute | \ | |
| jq '.Events[].CloudTrailEvent|fromjson|.requestParameters' | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # select latest 10 events after 2019-08-30 for ModifyInstanceAttribute that change the instance type | |
| # The instance types in the request parameters are the "target" type | |
| # (eg if an instance is changed from A to B, this contains B) | |
| aws cloudtrail lookup-events \ | |
| --profile=autofitcloud --region=eu-central-1 \ | |
| --max-items 10 \ | |
| --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com \ | |
| --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyInstanceAttribute \ | |
| --start-time="2019-08-30" \ | |
| > test.json | |
| # changes from awscli | |
| cat test.json | jq '.Events[].CloudTrailEvent|fromjson|.requestParameters|select(.instanceType)' | |
| # changes from boto3 | |
| cat test.json | jq '.Events[].CloudTrailEvent|fromjson|.requestParameters|select(.attribute=="instanceType")' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # list events related to instances | |
| aws cloudtrail \ | |
| --profile autofitcloud \ | |
| --region eu-central-1 \ | |
| lookup-events \ | |
| --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com \ | |
| --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false \ | |
| --max-items 1000 \ | |
| |grep EventName|grep Instances | |
| "EventName": "StartInstances", | |
| "EventName": "StopInstances", | |
| "EventName": "RunInstances", |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment