@mattgillard
Last active September 9, 2020 00:42
CloudWatch Insights sample to query cloudtrail logs filtered on a rolename
#################################################
# This query can be used as a guide for scoping a role down to the permissions it actually uses.
# Note that API calls don't have a 1:1 mapping to IAM permissions (e.g. the ListObjects API needs s3:ListBucket),
# but the output is a good guide to what the role requires, based on its past activity.
# CloudTrail only shows what was exercised in the period queried, not every permission the role may need.
# For my use case I had S3 data events being logged, so I also list the S3 bucket and key down to 2 levels.
# Replace <accountid> and <rolename> in the filter line with your own values, and adjust the stats line
# (line 15 of this file) as needed.
#################################################
fields eventName,userIdentity.arn
| parse @message '"resources":[*]' as resource
| parse @message /eventName":".*(Object|Objects)".*"resources":\[.*arn:aws:s3:::(?<bucketname>[^\/]+)\/(?<prefix>.*)"},.*\]/
| parse prefix /(?<newprefix>([^\/]+)\/([^\/]+)).*$/
| parse userIdentity.arn /^.*\/(?<caller>.*)$/
| parse @message /requestParameters":\{(?<rp>.*?)\}/
| filter userIdentity.arn like "arn:aws:sts::<accountid>:assumed-role/<rolename>"
| stats count(*) by eventName,coalesce(caller,requestParameters.roleArn,userIdentity.invokedBy),userIdentity.sessionContext.sessionIssuer.userName,bucketname,coalesce(newprefix,resource,rp) as res
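The same scoping logic, as an added example that is not part of the gist: instead of CloudWatch Logs Insights it runs over a handful of constructed CloudTrail records, filters on the assumed-role ARN prefix, cuts S3 object keys down to two prefix levels the way the query's parse lines do, and then drafts a starting-point IAM policy from what was observed. The role ARN, the sample events and the small API-name-to-IAM-action override table are assumptions of the example; the override table is deliberately partial and should be extended from the IAM service authorization reference for the services you see.

```python
"""Scope a role from CloudTrail activity (added example, not the gist's query)."""
import json
import re
from collections import Counter, defaultdict

# Constructed role ARN, standing in for the query's
# "arn:aws:sts::<accountid>:assumed-role/<rolename>" filter.
ROLE_ARN_PREFIX = "arn:aws:sts::123456789012:assumed-role/app-role"

S3_OBJECT_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)/(?P<key>.+)$")
S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)$")

# API names that do not map 1:1 to IAM actions. Assumption of this example
# and not exhaustive: extend from the IAM service authorization reference.
ACTION_OVERRIDES = {
    ("s3.amazonaws.com", "ListObjects"): "s3:ListBucket",
    ("s3.amazonaws.com", "ListObjectsV2"): "s3:ListBucket",
    ("s3.amazonaws.com", "HeadObject"): "s3:GetObject",
    ("s3.amazonaws.com", "HeadBucket"): "s3:ListBucket",
}


def iam_action(event):
    """Best-effort IAM action for a record: override table, else service:APIName."""
    key = (event["eventSource"], event["eventName"])
    if key in ACTION_OVERRIDES:
        return ACTION_OVERRIDES[key]
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def caller(event):
    """Session name, like the query's parse of userIdentity.arn after the last '/'."""
    return event["userIdentity"]["arn"].rsplit("/", 1)[-1]


def resource_arn(event, prefix_depth=2):
    """Resource to put in the policy. S3 object ARNs are reduced to prefix_depth
    key levels (the query keeps two) and wildcarded, bucket ARNs are kept whole,
    and records without a usable resource ARN fall back to '*'."""
    bucket = None
    for res in event.get("resources", []):
        arn = res.get("ARN", "")
        m = S3_OBJECT_ARN.match(arn)
        if m:
            dirs = m.group("key").split("/")[:-1][:prefix_depth]
            prefix = "/".join(dirs)
            return f"arn:aws:s3:::{m.group('bucket')}/{prefix + '/' if prefix else ''}*"
        b = S3_BUCKET_ARN.match(arn)
        if b:
            bucket = b.group("bucket")
    return f"arn:aws:s3:::{bucket}" if bucket else "*"


def summarize(events, role_arn_prefix=ROLE_ARN_PREFIX):
    """Counter of (action, caller, resource) for the selected role only,
    i.e. the grouping the query's stats line produces."""
    counts = Counter()
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "")
        if not arn.startswith(role_arn_prefix + "/"):
            continue  # another role, or a role whose name merely shares the prefix
        counts[(iam_action(ev), caller(ev), resource_arn(ev))] += 1
    return counts


def draft_policy(counts):
    """One Allow statement per observed action, listing the resources it touched.
    Review by hand: CloudTrail shows what was used, not everything that is needed."""
    by_action = defaultdict(set)
    for action, _caller, resource in counts:
        by_action[action].add(resource)
    statements = [
        {"Effect": "Allow", "Action": action, "Resource": sorted(resources)}
        for action, resources in sorted(by_action.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _event(name, source, arn, resources=()):
    return {"eventName": name, "eventSource": source,
            "userIdentity": {"arn": arn},
            "resources": [{"ARN": r} for r in resources]}


# Constructed CloudTrail records; the last one is from a different role.
APP = ROLE_ARN_PREFIX + "/"
SAMPLE_EVENTS = [
    _event("GetObject", "s3.amazonaws.com", APP + "session-a",
           ["arn:aws:s3:::my-bucket/data/2020/file1.csv", "arn:aws:s3:::my-bucket"]),
    _event("GetObject", "s3.amazonaws.com", APP + "session-b",
           ["arn:aws:s3:::my-bucket/data/2020/file2.csv", "arn:aws:s3:::my-bucket"]),
    _event("PutObject", "s3.amazonaws.com", APP + "session-a",
           ["arn:aws:s3:::my-bucket/outputs/run1/result.json", "arn:aws:s3:::my-bucket"]),
    _event("ListObjectsV2", "s3.amazonaws.com", APP + "session-a", ["arn:aws:s3:::my-bucket"]),
    _event("DescribeInstances", "ec2.amazonaws.com", APP + "session-a"),
    _event("GetObject", "s3.amazonaws.com",
           "arn:aws:sts::123456789012:assumed-role/other-role/x",
           ["arn:aws:s3:::my-bucket/data/2020/file1.csv"]),
]

if __name__ == "__main__":
    print(json.dumps(draft_policy(summarize(SAMPLE_EVENTS)), indent=2))
```

Running it prints a four-statement policy (ec2:DescribeInstances on `*`, s3:GetObject on `my-bucket/data/2020/*`, s3:ListBucket on the bucket ARN, s3:PutObject on `my-bucket/outputs/run1/*`). The `*` fallback is where the manual work starts: actions without resource ARNs in CloudTrail still need to be scoped from the request parameters, and anything the role only does occasionally (rotation, failover paths) will be missing unless the query window covers it.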