Skip to content

Instantly share code, notes, and snippets.

@rileydakota
Last active July 16, 2024 22:27
Show Gist options
  • Save rileydakota/da5f4e51d6b0f32867324420276d77a0 to your computer and use it in GitHub Desktop.
Save rileydakota/da5f4e51d6b0f32867324420276d77a0 to your computer and use it in GitHub Desktop.
Load and Query AWS CloudTrail direct from DuckDB
INSTALL AWS;
LOAD AWS;
CALL load_aws_credentials();
CREATE TABLE ct_raw AS SELECT * FROM read_json('s3://YOUR_CT_BUCKET_WITH_A_DATE_PREFIX/*.gz', maximum_depth=2);
CREATE TABLE ct as SELECT unnest(Records) as Event FROM ct_raw;
CREATE TABLE cloudtrail_events AS SELECT json_extract_string(event, '$.eventVersion') AS eventVersion,
json_extract_string(event, '$.userIdentity.type') AS userType,
json_extract_string(event, '$.userIdentity.principalId') AS principalId,
json_extract_string(event, '$.userIdentity.arn') AS userArn,
json_extract_string(event, '$.userIdentity.accountId') AS accountId,
json_extract_string(event, '$.userIdentity.accessKeyId') AS accessKeyId,
json_extract_string(event, '$.userIdentity.userName') AS userName,
CAST(json_extract_string(event, '$.eventTime') AS TIMESTAMP) AS eventTime,
json_extract_string(event, '$.eventSource') AS eventSource,
json_extract_string(event, '$.eventName') AS eventName,
json_extract_string(event, '$.awsRegion') AS awsRegion,
json_extract_string(event, '$.sourceIPAddress') AS sourceIPAddress,
json_extract_string(event, '$.userAgent') AS userAgent,
json_extract_string(event, '$.errorCode') AS errorCode,
json_extract_string(event, '$.errorMessage') AS errorMessage,
json_extract(event, '$.requestParameters') AS requestParameters,
json_extract(event, '$.responseElements') as responseElements,
json_extract(event, '$.resources') AS resources,
FROM ct
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment