Filtering logs with CloudTrail Lake
[Github] aws-samples/cloud-trail-lake-query-samples
Copy and paste the sample query statements provided there to quickly find the information you need and analyze the logs. Each line below describes one sample query from the repository.
Roles assuming themselves are typically the result of unnecessary operations in code. Self-assume-role events count towards the STS quota.
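As an added example (not one of the repository's queries), the following CloudTrail Lake query finds sessions in which a role calls `sts:AssumeRole` for the very role that issued the session. `<EDS-ID>` stands for your event data store ID, and the one-week time window is an assumption; both are placeholders to replace.

```sql
-- Added example, not from aws-samples/cloud-trail-lake-query-samples.
-- <EDS-ID> is a placeholder for your event data store ID; the time window is an assumption.
SELECT
    userIdentity.sessionContext.sessionIssuer.arn AS role_arn,
    recipientAccountId                            AS account_id,
    count(*)                                      AS self_assume_calls,
    min(eventTime)                                AS first_seen,
    max(eventTime)                                AS last_seen
FROM <EDS-ID>
WHERE eventSource = 'sts.amazonaws.com'
  AND eventName   = 'AssumeRole'
  AND userIdentity.type = 'AssumedRole'
  AND errorCode IS NULL
  -- the calling session was issued by the same role that is being requested again
  AND userIdentity.sessionContext.sessionIssuer.arn = element_at(requestParameters, 'roleArn')
  AND eventTime > '2024-03-01 00:00:00'
  AND eventTime < '2024-03-08 00:00:00'
GROUP BY 1, 2
ORDER BY self_assume_calls DESC
```

The comparison is an exact string match, so a `roleArn` requested with a different path form than the one recorded in `sessionIssuer.arn` is missed. Drop the `errorCode IS NULL` predicate to also see failed attempts: since the 2023 IAM change a role can only assume itself when its trust policy names it explicitly, so code that still does this shows up as `AccessDenied` rather than as a successful self-assumption.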
This query confirms whether there was any activity from an IP address in the AWS accounts of your organization, except one excluded account, during a specific time window, grouped by AWS account. Replace the placeholder with your event data store ID, <192.0.2.76> with the IP address you are looking for, and <555555555555> with the AWS account you want to exclude.
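Added example of that pivot (not the repository's query): summarize everything a single source IP did across the organization, excluding one account, with a failure count per principal and API so that a scan or credential-stuffing pattern stands out. `<EDS-ID>`, the IP, the excluded account and the 24-hour window are placeholders; the event data store must be an organization-level store for other accounts' events to be present.

```sql
-- Added example, not from the repository. <EDS-ID> is your organization event data store ID;
-- the IP address, excluded account and time window are placeholders.
SELECT
    recipientAccountId AS account_id,
    userIdentity.arn   AS principal_arn,
    eventSource,
    eventName,
    count(*)                                                  AS call_count,
    sum(CASE WHEN errorCode IS NOT NULL THEN 1 ELSE 0 END)    AS failed_calls,
    min(eventTime)                                            AS first_seen,
    max(eventTime)                                            AS last_seen
FROM <EDS-ID>
WHERE sourceIPAddress = '192.0.2.76'
  AND recipientAccountId <> '555555555555'
  AND eventTime > '2024-03-01 00:00:00'
  AND eventTime < '2024-03-02 00:00:00'
GROUP BY 1, 2, 3, 4
ORDER BY account_id, call_count DESC
```

When an AWS service makes a call on a principal's behalf, `sourceIPAddress` holds the service's DNS name (for example `cloudformation.amazonaws.com`) instead of an IP, so such events never match an IP predicate; calls through a VPC endpoint carry the caller's private address.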
This query returns Aurora PostgreSQL DB instances that have Performance Insights enabled. Replace the placeholder with your event data store ID.
This query returns Aurora MySQL databases with instance class information, created since the beginning of 2022. Replace the placeholder with your event data store ID.
This query returns Aurora PostgreSQL databases with Availability Zone information. Replace the placeholder with your event data store ID.
This query shows whether AWS Support has assumed the AWSServiceRoleForSupport role, for data sovereignty requirements. Replace the placeholder with your event data store ID.
This query returns modifications to CloudTrail trails. Replace the placeholder with your event data store ID.
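Added example (not the repository's query) of a trail-tampering query that also covers the event data store itself, since an attacker who wants to blind you will go after whichever logging path exists. `<EDS-ID>` and the time window are placeholders.

```sql
-- Added example, not from the repository. <EDS-ID> and the time window are placeholders.
SELECT
    eventTime,
    recipientAccountId AS account_id,
    awsRegion,
    userIdentity.arn   AS principal_arn,
    sourceIPAddress,
    eventName,
    -- trail APIs name the trail in 'name'; event data store APIs use 'eventDataStore'
    coalesce(element_at(requestParameters, 'name'),
             element_at(requestParameters, 'eventDataStore')) AS target,
    errorCode
FROM <EDS-ID>
WHERE eventSource = 'cloudtrail.amazonaws.com'
  AND eventName IN (
        'StopLogging', 'DeleteTrail', 'UpdateTrail',
        'PutEventSelectors', 'PutInsightSelectors',
        'DeleteEventDataStore', 'UpdateEventDataStore'
  )
  AND eventTime > '2024-03-01 00:00:00'
ORDER BY eventTime DESC
```

`errorCode` is deliberately kept rather than filtered out: an `AccessDenied` row is an attempt that an SCP or policy blocked, which is at least as interesting as a successful change.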
This query returns console logins with no MFA. Replace the placeholder with your event data store ID.
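Added example (not the repository's query): console sign-ins without MFA, restricted to long-lived identities. `<EDS-ID>` and the time window are placeholders.

```sql
-- Added example, not from the repository. <EDS-ID> and the time window are placeholders.
SELECT
    eventTime,
    recipientAccountId                                AS account_id,
    userIdentity.type                                 AS identity_type,
    coalesce(userIdentity.userName, userIdentity.arn) AS login_name,
    sourceIPAddress,
    userAgent,
    element_at(responseElements, 'ConsoleLogin')      AS outcome
FROM <EDS-ID>
WHERE eventSource = 'signin.amazonaws.com'
  AND eventName   = 'ConsoleLogin'
  AND element_at(additionalEventData, 'MFAUsed') = 'No'
  -- federated and IAM Identity Center sign-ins also report MFAUsed = 'No', because the
  -- MFA step happens at the identity provider; only IAM users and root are meaningful here
  AND userIdentity.type IN ('IAMUser', 'Root')
  AND eventTime > '2024-03-01 00:00:00'
ORDER BY eventTime DESC
```

Failed attempts (`outcome = 'Failure'`) are kept on purpose; a burst of them against one user name from one address is a password-guessing signal even when no login succeeds.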
This query returns results where cross-account access was granted. Replace the placeholder with your event data store ID.
This query shows counts of all data events by day of the week. Replace the placeholder with your event data store ID.
This query returns database failover information: the Region, DB, user, and time of a failover event for a database. Replace the placeholder with your event data store ID.
This query returns a chronological list of DB reboots that have occurred. Replace the placeholder with your event data store ID.
This query returns the source and target of an RDS point-in-time restore. Replace the placeholder with your event data store ID.
This query returns raw records for all "scan" DynamoDB management events. Replace the placeholder with your event data store ID.
This query returns information about EC2 instances created across the organization during a specific time window. Replace the placeholder with your event data store ID.
This query lists raw records for all EC2 management events. Replace the placeholder with your event data store ID.
This query obtains the response elements for a given CloudTrail event ID. Replace the placeholder with your event data store ID and <3270e016-59a1-4448-8dd1-d27a4796502d> with the CloudTrail event ID.
This query returns snapshots that were created without encryption. Replace the placeholder with your event data store ID.
This query returns the AWS API activity performed with an IAM user access key, and from which IP address, during a specific time window, ordered by AWS service. Replace the placeholder with your event data store ID and the access key placeholder with the IAM user access key.
This query obtains the successful activity performed with an IAM user access key during a specific time window, grouped by AWS service and API. Replace the placeholder with your event data store ID and the access key placeholder with the IAM user access key.
This query returns IAM Identity Center users who have authenticated to the IAM Identity Center portal during a specific time window. Replace the placeholder with your event data store ID.
This query helps confirm into which AWS accounts the IAM Identity Center user has federated, and using which IAM roles, during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query counts and groups activity by API and AWS service performed by the IAM Identity Center user during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query returns IAM CreateRole API calls made by the IAM Identity Center user during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query returns information about IAM CreateAccessKey API calls (creation of user access keys) made by the IAM Identity Center user during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query returns information about IAM CreateUser API calls made by the IAM Identity Center user during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query returns denied activity, based on the errorCode in the response, by AWS service, performed by the IAM Identity Center user during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query returns information about IAM PutRolePolicy API calls made by the IAM Identity Center user during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query returns activity based on mutating (non-read-only) APIs and the AWS services on which the IAM Identity Center user performed them during a specific time window. Replace the placeholder with your event data store ID and alice@example.com with the IAM Identity Center user.
This query confirms who (by principal ID) launched an EC2 instance. Replace the placeholder with your event data store ID and the instance placeholder with the EC2 instance you are looking for.
This query helps confirm the successful activity performed by an IAM role during a specific time window. Replace the placeholder with your event data store ID and arn:aws:iam::555555555555:role/alice with the IAM role ARN.
This query helps confirm which IAM role was assumed using an IAM user access key during a specific time window. Replace the placeholder with your event data store ID and the access key placeholder with the IAM user access key.
This query lists the encryption status of objects uploaded to S3 buckets, in descending order of event time. The event data store must be collecting S3 data events for this query to return anything. Replace the placeholder with your event data store ID.
This query can be used for troubleshooting, as it lists all error messages for the S3 event source. You can use the query for any service by modifying the eventSource. Replace the placeholder with your event data store ID.
This query can be used if there is a requirement to use only a subset of AWS Regions. It lists any events that involve non-authorized Regions, which can help identify non-compliance. Replace the placeholder with your event data store ID, and replace the Region and account ID placeholders with the desired Regions and your account ID.
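Added example (not the repository's query) of a Region-allowlist check. It goes slightly beyond the description above by excluding read-only calls and by not counting global services, which always log `us-east-1` regardless of where the caller is. `<EDS-ID>`, the allowed Regions, the account ID and the time window are placeholders.

```sql
-- Added example, not from the repository. <EDS-ID>, the allowed Regions, the account and the
-- time window are placeholders.
SELECT
    awsRegion,
    recipientAccountId AS account_id,
    userIdentity.arn   AS principal_arn,
    eventSource,
    eventName,
    count(*)           AS call_count
FROM <EDS-ID>
WHERE awsRegion NOT IN ('eu-west-1', 'eu-central-1')
  AND recipientAccountId = '555555555555'
  -- console browsing of other Regions produces Describe*/List* noise; keep only changes
  AND readOnly = false
  -- global services record us-east-1 even when used from an allowed Region
  AND NOT (awsRegion = 'us-east-1' AND eventSource IN (
        'iam.amazonaws.com', 'sts.amazonaws.com', 'organizations.amazonaws.com',
        'cloudfront.amazonaws.com', 'route53.amazonaws.com', 'signin.amazonaws.com'
  ))
  AND eventTime > '2024-03-01 00:00:00'
GROUP BY 1, 2, 3, 4, 5
ORDER BY call_count DESC
```

This query is a detective control; the preventive one is an SCP with a `aws:RequestedRegion` condition, and this query is a good way to confirm that the SCP actually blocked everything (expect only `AccessDenied` rows once it is in place, which you can see by adding `errorCode` to the select list).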
This query gets a list of all resources that have been created manually (i.e. outside CloudFormation or a set list of CI/CD users), along with details of the action taken. Replace the placeholder with your event data store ID.
This query shows which identity is making the most GetObject requests to S3 and what it is downloading, including error details and attempted unauthorized accesses. Replace the placeholder with your event data store ID.
This query analyzes CloudTrail events and identifies any calls that resulted in errors. Replace the placeholder with your event data store ID.
This query lists publicly accessible RDS instances. Replace the placeholder with your event data store ID.
This query analyzes CloudTrail events and identifies any calls to AWS service APIs made via the AWS Management Console. Replace the placeholder with your event data store ID.
This query returns a summary of the Regions in use as well as which services are used in those Regions. Replace the placeholder with your event data store ID.
This query returns details of when an RDS DB was deleted without taking a final snapshot. Replace the placeholder with your event data store ID.
This query obtains the S3 bucket and object names affected by an IAM user access key during a specific time window. Replace the placeholder with your event data store ID and the access key placeholder with the IAM user access key.
This query identifies buckets across an organization with requests that rely on ACLs. This can help when migrating away from legacy ACLs to IAM policies. Replace the placeholder with your event data store ID.
This query returns the tag history for resources. Replace the placeholder with your event data store ID.
This query shows all API requests where the specified TLS version was not used. Replace the placeholder with your event data store ID.
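Added example (not the repository's query) that inverts the description above: instead of one specified version, it lists every call made with anything older than TLS 1.2, grouped so that the offending SDK or client is identifiable from `userAgent`. `<EDS-ID>` and the time window are placeholders.

```sql
-- Added example, not from the repository. <EDS-ID> and the time window are placeholders.
SELECT
    tlsDetails.tlsVersion  AS tls_version,
    tlsDetails.cipherSuite AS cipher_suite,
    eventSource,
    userIdentity.arn       AS principal_arn,
    userAgent,
    count(*)               AS call_count
FROM <EDS-ID>
WHERE tlsDetails.tlsVersion IS NOT NULL
  AND tlsDetails.tlsVersion NOT IN ('TLSv1.2', 'TLSv1.3')
  AND eventTime > '2024-03-01 00:00:00'
GROUP BY 1, 2, 3, 4, 5
ORDER BY call_count DESC
```

`tlsDetails` is absent for calls that did not come over a public endpoint from a client (console-originated and service-to-service calls), hence the `IS NOT NULL` guard; without it every such event would be counted as a non-matching version. AWS service endpoints now require TLS 1.2 or later, so anything this returns for recent dates is worth a second look at how the client was configured.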
This query counts the activity performed by an IAM role during a specific time period, grouped by AWS service and API. Replace the placeholder with your event data store ID and arn:aws:iam::555555555555:role/alice with the IAM role ARN.
This query lists the top error messages for the specified time range. Replace the placeholder with your event data store ID.
This query identifies the top callers of the AWS IAM service based on their number of API calls. It can help you identify which principals call IAM the most and whether those principals may be close to service limits.
This query lists the count of data events by API action for a specified S3 bucket. Replace the placeholder with your event data store ID.
This query returns the most retrieved S3 objects. Replace the placeholder with your event data store ID.
This query returns when a user was made an admin and who did it (added to any group whose name contains the word 'admin'). It helps identify privilege escalation. Replace the placeholder with your event data store ID.
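Added example (not the repository's query) of the privilege-escalation check. It generalizes the group-name heuristic above by also catching direct attachment of the AWS-managed `AdministratorAccess` policy to a user, role or group, which grants the same thing without any group named "admin". `<EDS-ID>` and the time window are placeholders.

```sql
-- Added example, not from the repository. <EDS-ID> and the time window are placeholders.
SELECT
    eventTime,
    recipientAccountId AS account_id,
    userIdentity.arn   AS actor_arn,
    sourceIPAddress,
    eventName,
    -- the target principal lives under a different request key per API
    coalesce(element_at(requestParameters, 'userName'),
             element_at(requestParameters, 'roleName'),
             element_at(requestParameters, 'groupName')) AS target_principal,
    element_at(requestParameters, 'groupName')           AS group_name,
    element_at(requestParameters, 'policyArn')           AS policy_arn,
    errorCode
FROM <EDS-ID>
WHERE eventSource = 'iam.amazonaws.com'
  AND (
        -- membership in any group whose name contains "admin", case-insensitively
        (eventName = 'AddUserToGroup'
         AND lower(element_at(requestParameters, 'groupName')) LIKE '%admin%')
     OR
        -- direct attachment of the AWS-managed AdministratorAccess policy
        (eventName IN ('AttachUserPolicy', 'AttachRolePolicy', 'AttachGroupPolicy')
         AND element_at(requestParameters, 'policyArn') = 'arn:aws:iam::aws:policy/AdministratorAccess')
  )
  AND eventTime > '2024-03-01 00:00:00'
ORDER BY eventTime DESC
```

Inline policies (`PutUserPolicy`, `PutRolePolicy`) with `"Action": "*"` are the remaining gap; their policy document arrives as a JSON string in `requestParameters` under `policyDocument`, so catching them needs `json_extract_scalar` on that value rather than a key comparison.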
This query returns all requests by user by account for the specified time period. Ordered by request count. Replace with your Event Data Store Id number.