CloudTrail

2024.05.17

We mainly check whether commands can be executed using AWS Cloud9.
If you would like to provide example commands, please submit them using the form below.
Please also provide corrections if the command examples have mistake.

Suggest
The proposed content may be modified. Please be aware of this before making any suggestions.

List times and users who attempted to launch EC2 in the last 90 days

aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances \
--query 'Events[*].[EventTime, Username] | map(&[], @)' \
--output text

output

2024-05-10T07:00:19+09:00     i-5203422c
2024-05-10T07:00:19+09:00     AutoScaling
2024-05-09T07:00:16+09:00     UserA
2024-05-09T07:00:13+09:00     UserB
2024-05-08T07:00:16+09:00     UserC
2024-05-08T07:00:13+09:00     UserD
<以下省略>

by anonymous

List times and users for which EC2 failed to start in the last 90 days

aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances \
--query 'Events[?contains(CloudTrailEvent,`errorMessage`)].[EventTime, Username] | map(&[], @)' \
--output text

output

2024-05-10T07:00:19+09:00     i-5203422c
2024-05-08T07:00:16+09:00     UserC
2024-05-08T07:00:13+09:00     UserD
<以下省略>

by anonymous

List the times, instance IDs, and users who launched EC2 in the past 90 days

aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances \
--query 'Events[?!contains(CloudTrailEvent,`errorMessage`)].[EventTime, Resources[?ResourceType==`AWS::EC2::Instance`].ResourceName[], Username] | map(&[], @)' \
--output text

output

2024-05-10T07:00:19+09:00     i-5203422c       AutoScaling
2024-05-09T07:00:16+09:00     i-5203422d       UserA
2024-05-09T07:00:13+09:00     i-5203422e       UserB
<以下省略>

by anonymous

List times and actions and users who interacted with a specific route table in the last 3 days

start=$(date --date '3 days ago' '+%s')
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::RouteTable \
--start-time $start \
--query 'Events[?Resources[0].ResourceName==`rtb-01234567890123456`].[EventTime, EventName, Username]' \
--output text

output

2024-05-18T13:26:30+00:00       DeleteRoute     UserA
2024-05-18T13:25:42+00:00       CreateRoute     UserB
2024-05-18T13:05:00+00:00       AssociateRouteTable     UserA
2024-05-18T12:30:28+00:00       DeleteRoute     UserB
<以下省略>

by anonymous

タイトルとURLをコピーしました