Last active: September 9, 2020 00:42
CloudWatch Insights sample to query CloudTrail logs filtered on a role name
#################################################
# This query can be used as a guide for scoping a role down to the permissions it actually uses.
# Note that API calls don't have a 1:1 mapping to IAM permissions, but the output is a good guide to what
# the role needs in order to work, based on previous data.
# For my use case I had S3 data events being logged, so I also list the S3 bucket and key down to 2 levels.
# Change the filter line (the <accountid> and <rolename> placeholders) as needed.
#################################################
fields eventName,userIdentity.arn
| parse @message '"resources":[*]' as resource
| parse @message /eventName":".*(Object|Objects)".*"resources":\[.*arn:aws:s3:::(?<bucketname>[^\/]+)\/(?<prefix>.*)"},.*\]/
| parse prefix /(?<newprefix>([^\/]+)\/([^\/]+)).*$/
| parse userIdentity.arn /^.*\/(?<caller>.*)$/
| parse @message /requestParameters":\{(?<rp>.*?)\}/
| filter userIdentity.arn like "arn:aws:sts::<accountid>:assumed-role/<rolename>"
| stats count(*) by eventName,coalesce(caller,requestParameters.roleArn,userIdentity.invokedBy),userIdentity.sessionContext.sessionIssuer.userName,bucketname,coalesce(newprefix,resource,rp) as res
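The same role-scoping analysis can be run offline against exported CloudTrail JSON records, which is useful when the trail is in S3 rather than CloudWatch Logs, or when you want to check what the Insights parse stages are actually extracting. The script below is an added example and is not part of the gist: it filters records to one assumed role, pulls the session name from the ARN, reduces S3 object keys to two path levels, and counts calls per (eventName, session, issuing role, bucket, resource) the way the query's `stats` line does. The sample events, the account id 111122223333 and the role names are constructed placeholders.

```python
"""Offline counterpart of the Logs Insights query above, run over CloudTrail JSON records."""
import json
import re
from collections import Counter

# Constructed sample CloudTrail records; the account id and role names are placeholders.
SAMPLE_EVENTS = [
    {
        "eventName": "GetObject",
        "userIdentity": {
            "arn": "arn:aws:sts::111122223333:assumed-role/app-role/session-a",
            "sessionContext": {"sessionIssuer": {"userName": "app-role"}},
        },
        "resources": [
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/data/2020/09/file.csv"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
        ],
    },
    {
        "eventName": "GetObject",
        "userIdentity": {
            "arn": "arn:aws:sts::111122223333:assumed-role/app-role/session-a",
            "sessionContext": {"sessionIssuer": {"userName": "app-role"}},
        },
        "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/data/2020/10/other.csv"}],
    },
    {
        "eventName": "PutObject",
        "userIdentity": {
            "arn": "arn:aws:sts::111122223333:assumed-role/app-role/session-b",
            "sessionContext": {"sessionIssuer": {"userName": "app-role"}},
        },
        "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/reports/summary.json"}],
    },
    {
        "eventName": "DescribeInstances",
        "userIdentity": {
            "arn": "arn:aws:sts::111122223333:assumed-role/app-role/session-a",
            "sessionContext": {"sessionIssuer": {"userName": "app-role"}},
        },
        "requestParameters": {"maxResults": 50},
    },
    {   # a different role: dropped by the role filter, like the query's `filter` stage
        "eventName": "ListBuckets",
        "userIdentity": {
            "arn": "arn:aws:sts::111122223333:assumed-role/other-role/session-z",
            "sessionContext": {"sessionIssuer": {"userName": "other-role"}},
        },
    },
]

# assumed-role ARN layout: arn:aws:sts::<account>:assumed-role/<role>/<session>
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
# S3 object ARN layout: arn:aws:s3:::<bucket>/<key>
S3_OBJECT_RE = re.compile(r"^arn:aws:s3:::([^/]+)/(.+)$")


def two_level_prefix(key):
    """Keep the first two path segments of an S3 key (None if there are fewer),
    matching the query's two-segment `parse prefix` stage."""
    parts = key.split("/")
    return "/".join(parts[:2]) if len(parts) >= 2 else None


def s3_object_target(event):
    """Bucket and two-level prefix of the first S3 object ARN listed in `resources`."""
    for res in event.get("resources", []):
        m = S3_OBJECT_RE.match(res.get("ARN", ""))
        if m:
            return m.group(1), two_level_prefix(m.group(2))
    return None, None


def usage_summary(events, account_id, role_name):
    """Count calls by sessions of one role, grouped like the query's `stats` line:
    (eventName, caller session name, session issuer userName, S3 bucket, resource)."""
    counts = Counter()
    for ev in events:
        identity = ev.get("userIdentity", {})
        m = ASSUMED_ROLE_RE.match(identity.get("arn", ""))
        if not m or m.group(1) != account_id or m.group(2) != role_name:
            continue  # the `filter userIdentity.arn like ...` stage
        caller = m.group(3)  # the query's `parse userIdentity.arn /^.*\/(?<caller>.*)$/`
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        bucket, prefix = None, None
        if ev.get("eventName", "").endswith(("Object", "Objects")):
            bucket, prefix = s3_object_target(ev)
        # coalesce(newprefix, resource, rp): prefix, else raw resources, else requestParameters
        resource = prefix
        if resource is None and ev.get("resources"):
            resource = json.dumps(ev["resources"], sort_keys=True)
        if resource is None and ev.get("requestParameters"):
            resource = json.dumps(ev["requestParameters"], sort_keys=True)
        counts[(ev["eventName"], caller, issuer, bucket, resource)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(usage_summary(SAMPLE_EVENTS, "111122223333", "app-role").items(), key=str):
        print(n, *key, sep="\t")
```

To use it on a real trail, load the `Records` array from each CloudTrail log file into `SAMPLE_EVENTS` and pass your own account id and role name. As the gist's comments say, the counts are a guide to the actions the role has actually used, not a direct list of IAM permissions.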