AWS CloudTrail sandbox

Trails

No IAM role is needed for cross-account delivery: the trail writes to the destination bucket as the cloudtrail.amazonaws.com service principal, so the bucket policy in the receiving account has to grant that principal s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix (scope it with an aws:SourceArn condition on the trail ARN so only that trail can write there). #todo What principal does it show if you enable data events on the log delivery bucket?

Lake

Ingest events into an event data store and run SQL queries against it.

Events can come from AWS (CloudTrail management and data events, for example), from your own applications, or from third parties (such as the Okta System Log); non-AWS events are written into a data store with the PutAuditEvents API of the CloudTrail Data service.

Pricing is based on data ingestion, retention and query scanning (per GB scanned). An event data store can retain events for up to 3,653 days (ten years).

Query

Queries use a Trino-style SQL dialect and run against an event data store, which is referenced by its ID in the FROM clause. Only SELECT statements are supported, so DDL/DML and some other query constructs are not available.

Examples

Find all actions taken by a user across accounts and regions in a time window

-- A substring match on the principal ARN catches every session of the user,
-- whichever account or region the call was made in.
SELECT eventID, eventName, eventSource, awsRegion, eventTime, userIdentity.arn AS user
FROM <event-data-store-id>
WHERE userIdentity.arn LIKE '%username%'
    AND eventTime > '2023-11-11 00:00:00' AND eventTime < '2023-11-11 16:30:00'
ORDER BY eventTime

Find failed write (non read-only) calls made by an assumed role

-- An assumed-role session ARN ends in the session name
-- (arn:aws:sts::<account>:assumed-role/<role>/<session>), so match it with
-- LIKE rather than equality, otherwise nothing is returned.
SELECT eventTime, eventName, eventSource, awsRegion, resources, userIdentity.arn AS user, errorCode, errorMessage, eventID
FROM <event-data-store-id>
WHERE userIdentity.arn LIKE 'arn:aws:sts::000123456789:assumed-role/some-role/%'
    AND NOT readOnly
    AND eventTime > '2023-11-11 11:00:00'
    AND errorCode IS NOT NULL
ORDER BY eventTime DESC
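The same principal-centric pattern applied to the account most worth watching. This is an added example, not one of the notes above; it assumes <event-data-store-id> is the ID of an event data store that holds management events, and filters out the service-originated noise that otherwise makes root activity look busier than it is.

```sql
-- Added example: every call made directly with root credentials.
-- userIdentity.invokedBy IS NULL drops calls an AWS service made on the
-- account's behalf, and eventType != 'AwsServiceEvent' drops events the
-- service itself generated, so what remains is a human or script using
-- the root user (which should be close to nothing).
SELECT eventTime, recipientAccountId, awsRegion, eventName, eventSource,
       sourceIPAddress, userAgent, errorCode, eventID
FROM <event-data-store-id>
WHERE userIdentity.type = 'Root'
    AND userIdentity.invokedBy IS NULL
    AND eventType != 'AwsServiceEvent'
    AND eventTime > '2024-07-01 00:00:00'
ORDER BY eventTime DESC
```

Run it across an organisation-wide data store and the recipientAccountId column tells you which member account the root user was used in; a non-empty result outside a break-glass window is worth an alert on its own.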

Find out which accounts generate the most events, and which events are most frequent

-- Aggregates over the whole data store; narrow the time window first,
-- since query cost is per GB scanned.
SELECT recipientAccountId, eventName, COUNT(*) AS eventCount
FROM <event-data-store-id>
WHERE eventTime > '2024-07-01 00:00:00' AND eventTime < '2024-07-10 00:00:00'
GROUP BY recipientAccountId, eventName
ORDER BY eventCount DESC
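The count query above ranks volume; the variant below ranks denials, which is the shape of an attacker (or a misconfigured job) probing what a principal is allowed to do. This is an added example, not from the original notes. It assumes <event-data-store-id> is an event data store with management events, and the thresholds of 20 denied calls and 5 distinct APIs per hour are starting points to tune, not fixed values.

```sql
-- Added example: bursts of authorization failures per principal, per hour.
-- Enumeration tools fire many different API calls in a short period and most
-- of them fail, so a high denied_calls count paired with a high distinct_apis
-- count is a stronger signal than either alone.
SELECT
    date_trunc('hour', eventTime) AS hour,
    recipientAccountId,
    userIdentity.arn AS principal,
    sourceIPAddress,
    COUNT(*) AS denied_calls,
    COUNT(DISTINCT eventName) AS distinct_apis,
    -- list of what was tried, useful for triage without a second query
    array_join(array_agg(DISTINCT eventName), ', ') AS apis_tried
FROM <event-data-store-id>
WHERE eventTime > '2024-07-01 00:00:00' AND eventTime < '2024-07-10 00:00:00'
    -- IAM/S3/etc. report AccessDenied; EC2 reports Client.UnauthorizedOperation
    AND errorCode IN ('AccessDenied', 'Client.UnauthorizedOperation', 'UnauthorizedOperation')
    AND userIdentity.arn IS NOT NULL
GROUP BY date_trunc('hour', eventTime), recipientAccountId, userIdentity.arn, sourceIPAddress
HAVING COUNT(*) > 20 AND COUNT(DISTINCT eventName) > 5
ORDER BY denied_calls DESC
```

Grouping by sourceIPAddress as well as principal separates a compromised credential used from a new address from the legitimate owner hitting a permissions gap; drop it from the GROUP BY if you only want one row per principal.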