Last active
March 21, 2022 12:53
#!/usr/bin/env bash
# Note: `aws cloudtrail lookup-events` only searches the last 90 days of
# management events in the current region, and the API is throttled to
# two requests per second, so the loop below takes a moment to finish.

# Who logged into the console, when, and from where.
# CloudTrailEvent is itself a JSON string, hence jq's fromjson.
event_name="ConsoleLogin"
aws cloudtrail lookup-events --lookup-attributes \
  AttributeKey=EventName,AttributeValue="$event_name" --query \
  'Events[*].{Ev:CloudTrailEvent,User:Username}' |
  jq '.[]| "Username: " + .User, " " + (.Ev| fromjson | "EventTime: " + .eventTime, "SourceIP: " + .sourceIPAddress) '

# Count, then dump, recent events for a watchlist of changes that widen
# network exposure, grant IAM permissions, or tamper with the trail itself.
for event_name in AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress CreatePolicy \
    CreateSecurityGroup DeleteTrail ModifyVpcAttribute PutUserPolicy PutRolePolicy \
    RevokeSecurityGroupEgress RevokeSecurityGroupIngress UpdateTrail; do
  printf "\n================= %s ===========\n" "$event_name"
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue="$event_name" | jq '.Events | length'
  aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue="$event_name" |
    jq '[.Events[]| {Username: .Username, EventInfo: (.CloudTrailEvent | fromjson) }]'
done
Here's one way of digging into the CreatePolicy events:

1. The aws cloudtrail call gets all the CreatePolicy events (those within the 90-day window that lookup-events can see).
2. jq unpacks the strings in the original JSON that are themselves embedded JSON (the CloudTrailEvent field, via fromjson).
3. jq then selects just the events that have Username = terraform-provision.
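The same unpack-and-select logic as the jq pipelines above, written as an added Python example that is not the gist author's code. It runs offline against a constructed stand-in for lookup-events output (the helper names, sample usernames, timestamps and RFC 5737 addresses are all assumptions), and it also does the loop's per-event-name counting in one pass rather than one API call per name:

```python
"""Unpack and filter `aws cloudtrail lookup-events` output the way the jq
pipelines on this page do: `fromjson` on the embedded CloudTrailEvent string,
then select on Username.  Added example, not the gist author's code; the
sample events, usernames and IPs below are constructed."""
import json

# Event names the loop on this page watches.
WATCHLIST = [
    "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress",
    "CreatePolicy", "CreateSecurityGroup", "DeleteTrail", "ModifyVpcAttribute",
    "PutUserPolicy", "PutRolePolicy", "RevokeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "UpdateTrail",
]


def _record(event_name, username, event_time, source_ip):
    """One constructed lookup-events record.  CloudTrailEvent is a JSON
    *string*, exactly as the CLI returns it, which is why jq needs fromjson."""
    body = {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventName": event_name,
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": "IAMUser", "userName": username},
    }
    return {
        "EventName": event_name,
        "Username": username,
        "EventTime": event_time,
        "CloudTrailEvent": json.dumps(body),
    }


# Constructed stand-in for `aws cloudtrail lookup-events` output (assumed data).
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    _record("ConsoleLogin", "alice", "2022-03-21T12:53:00Z", "203.0.113.10"),
    _record("CreatePolicy", "terraform-provision", "2022-03-21T13:00:05Z", "198.51.100.7"),
    _record("CreatePolicy", "alice", "2022-03-21T13:04:41Z", "203.0.113.10"),
    _record("DeleteTrail", "alice", "2022-03-21T13:05:12Z", "203.0.113.10"),
    _record("AuthorizeSecurityGroupIngress", "terraform-provision",
            "2022-03-21T13:10:00Z", "198.51.100.7"),
]})


def unpack_events(lookup_output):
    """Equivalent of `.Events[] | {Username, EventInfo: (.CloudTrailEvent | fromjson)}`.
    Username is read with .get() because the top-level field is absent for some
    identity types (e.g. assumed-role sessions); fall back to the inner record."""
    out = []
    for rec in json.loads(lookup_output)["Events"]:
        info = json.loads(rec["CloudTrailEvent"])
        out.append({
            "Username": rec.get("Username") or info.get("userIdentity", {}).get("userName"),
            "EventName": info["eventName"],
            "EventTime": info["eventTime"],
            "SourceIP": info.get("sourceIPAddress"),
            "EventInfo": info,
        })
    return out


def select_by_user(events, username, event_name=None):
    """jq `select(.Username == "terraform-provision")`, optionally narrowed to
    one event name (the page digs into CreatePolicy this way)."""
    return [e for e in events
            if e["Username"] == username
            and (event_name is None or e["EventName"] == event_name)]


def count_by_name(events, watchlist=WATCHLIST):
    """Per-event-name counts, the `jq '.Events | length'` step of the loop,
    computed in one pass over an already fetched event list."""
    counts = {name: 0 for name in watchlist}
    for e in events:
        if e["EventName"] in counts:
            counts[e["EventName"]] += 1
    return counts


def console_logins(events):
    """(Username, EventTime, SourceIP) for each ConsoleLogin, the three
    fields the first pipeline on the page prints."""
    return [(e["Username"], e["EventTime"], e["SourceIP"])
            for e in events if e["EventName"] == "ConsoleLogin"]


if __name__ == "__main__":
    evs = unpack_events(SAMPLE_LOOKUP_OUTPUT)
    for name, n in count_by_name(evs).items():
        print(f"{name}: {n}")
    for e in select_by_user(evs, "terraform-provision", "CreatePolicy"):
        print(e["EventTime"], e["SourceIP"], e["EventName"])
```

To use it on real data, pipe `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreatePolicy` into a file and pass its contents to `unpack_events`; the CLI paginates for you, but the 90-day window and the two-requests-per-second limit still apply.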