Doing CloudTrail Analysis with Athena, S3, HiveQL
I discovered a security group which got opened too widely. I want to figure out when it happened and who did it.
This article assumes you have CloudTrail enabled and there is a complete history of your account activity sitting in an S3 bucket.
AWS has a product called Athena that lets you run Hive queries against data in S3 without needing to set up your own Hadoop resources.
An AWS blog post lists all of the steps to do this type of analysis.
See the attached SQL files for the approach I took. Substitute your bucket name and account number in dml.sql, and your security group ID in security-group-ingress.sql.
See also: Consolidating CloudTrail logs from multiple AWS accounts
See also: Validating the integrity of CloudTrail log files
Security Monkey and AWS Config are two tools which can help teams discover misconfigured resources more proactively.