When a security incident occurs, you may want to review API calls that were attempted but failed because the IAM principal was not authorized to perform the action on that resource. To find this activity, run the following query (be sure to adjust the time window first):
SELECT *
FROM "amazon_security_lake_table_us_east_1_cloud_trail_mgmt_1_0"
WHERE eventday >= '20231012'
  AND eventday <= '20231112'
  AND actor.user.type != 'AWSService'
  AND actor.user.uuid LIKE '%iam%'
  AND status != 'Success'
  AND api.response.error IN ('Client.UnauthorizedOperation', 'Client.InvalidPermission.NotFound', 'Client.OperationNotPermitted', 'AccessDenied')
ORDER BY eventday DESC
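The query above returns every matching row, which can be thousands of events during an incident. As an added example (not part of the original page), the following query summarizes the same denied-call activity per IAM principal and API operation, so a responder can quickly see which principal is generating the most access-denied errors and against which services. It reuses the table name and the eventday, actor.user, status and api.response.error columns from the query above; the additional columns api.operation, api.service.name, actor.user.name, src_endpoint.ip and time are assumed to be present in the Security Lake CloudTrail management-event table (OCSF schema), and the date range is a constructed placeholder to adjust to the incident window.

```sql
-- Added example: triage failed API calls by principal and operation.
-- Assumes the OCSF CloudTrail management-event table used above and
-- the columns api.operation, api.service.name, actor.user.name,
-- src_endpoint.ip and time (not shown in the original query).
SELECT
  actor.user.uuid                         AS principal_arn,
  actor.user.name                         AS principal_name,
  api.service.name                        AS service,
  api.operation                           AS operation,
  api.response.error                      AS error_code,
  COUNT(*)                                AS denied_calls,
  COUNT(DISTINCT src_endpoint.ip)         AS distinct_source_ips,
  MIN(time)                               AS first_seen,
  MAX(time)                               AS last_seen
FROM "amazon_security_lake_table_us_east_1_cloud_trail_mgmt_1_0"
WHERE eventday >= '20231012'              -- constructed window: adjust to the incident
  AND eventday <= '20231112'
  AND actor.user.type != 'AWSService'     -- exclude service-to-service calls
  AND actor.user.uuid LIKE '%iam%'        -- IAM users and roles only
  AND status != 'Success'
  AND api.response.error IN (
        'Client.UnauthorizedOperation',
        'Client.InvalidPermission.NotFound',
        'Client.OperationNotPermitted',
        'AccessDenied')
GROUP BY
  actor.user.uuid,
  actor.user.name,
  api.service.name,
  api.operation,
  api.response.error
-- Principals probing many operations, or with many denials from many
-- source IPs, rise to the top and are the first to investigate.
HAVING COUNT(*) >= 5
ORDER BY denied_calls DESC, distinct_source_ips DESC
LIMIT 100;
```

The HAVING threshold of 5 is a starting point for filtering out one-off misconfigurations; raise or lower it to match the account's normal rate of access-denied errors. A single principal with a high count spread across many different operations is a typical signature of permission enumeration, whereas a high count concentrated on one operation is more often a broken automation that should still be fixed but is lower priority.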