dynnamitt/lookup_events.sh

## lookup_events.sh
#!/bin/sh

# improved some of guide:
# https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/

usage() {
  echo >&2 "Usage: $0 <name@company.no|user_id> [hours_back]"
  exit 1
}

if [ -z "$1" ];then usage;fi

USER=${1}
HOURS=${2:-10}  # -10hours default

start_iso_time=$(date -u +"%Y-%m-%dT%H:%M:%SZ" -d "$HOURS hour ago")

echo "Time,Identity ARN,Event ID,Service,Action,Error,Message"
aws cloudtrail lookup-events \
  --start-time "$start_iso_time" \
  --lookup-attributes AttributeKey=Username,AttributeValue=$USER \
  --query "Events[*].CloudTrailEvent" --output text \
  | jq -r ". |
       [.eventTime, .userIdentity.arn, .eventID, .eventSource, .eventName, .errorCode, .errorMessage]
        | @csv"
	#!/bin/sh

	# improved some of guide:
	# https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/

	usage() {
	echo >&2 "Usage: $0 <name@company.no\|user_id> [hours_back]"
	exit 1
	}

	if [ -z "$1" ];then usage;fi

	USER=${1}
	HOURS=${2:-10} # -10hours default

	start_iso_time=$(date -u +"%Y-%m-%dT%H:%M:%SZ" -d "$HOURS hour ago")

	echo "Time,Identity ARN,Event ID,Service,Action,Error,Message"
	aws cloudtrail lookup-events \
	--start-time "$start_iso_time" \
	--lookup-attributes AttributeKey=Username,AttributeValue=$USER \
	--query "Events[*].CloudTrailEvent" --output text \
	\| jq -r ". \|
	[.eventTime, .userIdentity.arn, .eventID, .eventSource, .eventName, .errorCode, .errorMessage]
	\| @csv"