cloudwatch.sh

event_name="ConsoleLogin"
aws cloudtrail lookup-events --lookup-attributes \
  AttributeKey=EventName,AttributeValue=$event_name --query \
  'Events[*].{Ev:CloudTrailEvent,User:Username}' | 
    jq '.[]| "Username: " + .User, "  " + (.Ev| fromjson | "EventTime: " + .eventTime, "SourceIP: " + .sourceIPAddress) '

for event_name in AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress CreatePolicy \
 CreateSecurityGroup DeleteTrail ModifyVpcAttribute PutUserPolicy PutRolePolicy \
 RevokeSecurityGroupEgress RevokeSecurityGroupIngress UpdateTrail; do
  printf "\n================= $event_name ===========\n"
   aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=$event_name | jq '.Events | length'
  aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=$event_name |
      jq '[.Events[]| {Username: .Username, EventInfo: (.CloudTrailEvent | fromjson) }]'
done

Here's one way of digging into the CreatePolicy events:

The aws cloudtrail call gets all the CreatePolicy events

• the jq unpacks some of the strings in the original JSON that are themselves embedded JSON
  • the CloudTrailEvent string, which in turn embbeds
    • the requestParameters.policyDocument
• the final jq just selects the events that have Username = terraform-provision

event_name="CreatePolicy"
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=$event_name |
    jq '[.Events[]| {Username: .Username, EventInfo: (.CloudTrailEvent | fromjson), PolicyDocument: (.CloudTrailEvent | fromjson | .requestParameters.policyDocument | fromjson) } ]'  | 
    jq '.[]| select(.Username=="terraform-provision")'