steampipe plugin install aws

Table: aws_cloudtrail_trail_event

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. These events can be sent to a CloudWatch log group to allow for easy monitoring.

This table reads CloudTrail event data from a CloudWatch log group that is configured to log events from a trail.

Important notes:

  • You must specify log_group_name in a where clause in order to use this table.
  • This table supports optional quals. Queries with optional quals are optimised to use CloudWatch filters. Optional quals are supported for the following columns:
    • access_key_id
    • aws_region (region of the event, useful in case of multi-region trails)
    • error_code
    • event_category
    • event_id
    • event_name
    • event_source
    • filter
    • log_stream_name
    • region
    • source_ip_address
    • timestamp
    • username

Examples

List all action events, i.e., not ReadOnly

select
  event_name,
  event_source,
  event_time,
  user_type,
  username,
  user_identifier,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  not read_only
order by
  event_time asc;

List events for a specific service (IAM)

select
  event_name,
  event_source,
  event_time,
  user_type,
  user_identifier,
  jsonb_pretty(request_parameters) as request_parameters,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  event_source = 'iam.amazonaws.com'
order by
  event_time asc;

List events for an IAM user (steampipe)

select
  event_name,
  event_source,
  event_time,
  user_type,
  username,
  user_identifier,
  jsonb_pretty(request_parameters) as request_parameters,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  username = 'steampipe'
order by
  event_time asc;

List events performed by IAM users

select
  event_name,
  event_source,
  event_time,
  user_type,
  username,
  user_identifier,
  jsonb_pretty(request_parameters) as request_parameters,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  user_type = 'IAMUser'
order by
  event_time asc;

List events performed with an assumed role

select
  event_name,
  event_source,
  event_time,
  user_type,
  username,
  user_identifier,
  jsonb_pretty(request_parameters) as request_parameters,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  user_type = 'AssumedRole'
order by
  event_time asc;

List events that were not successfully executed

select
  event_name,
  event_source,
  event_time,
  error_code,
  error_message,
  user_type,
  username,
  user_identifier,
  jsonb_pretty(request_parameters) as request_parameters,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  error_code is not null
order by
  event_time asc;

Filter Examples

For more information on CloudWatch log filters, please refer to Filter Pattern Syntax.

List events originating from a specific IP address range

select
  event_name,
  event_source,
  event_time,
  error_code,
  error_message,
  user_type,
  username,
  user_identifier,
  jsonb_pretty(request_parameters) as request_parameters,
  jsonb_pretty(response_elements) as response_elements
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  filter = '{ $.sourceIPAddress = 203.189.* }'
order by
  event_time asc;
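
Summarise denied API calls per caller over the last 24 hours

This query is an added example, not part of the original table documentation. It combines the timestamp and filter optional quals with an aggregation to surface principals that repeatedly hit authorization errors; the 24-hour window and the threshold of 10 calls are assumptions to tune for your environment.

```sql
select
  user_type,
  user_identifier,
  source_ip_address,
  error_code,
  count(*) as failed_calls,
  count(distinct event_name) as distinct_actions,
  min(event_time) as first_seen,
  max(event_time) as last_seen,
  -- which service:action pairs were denied for this caller
  array_agg(distinct event_source || ':' || event_name) as denied_actions
from
  aws_cloudtrail_trail_event
where
  log_group_name = 'aws-cloudtrail-logs-013122550996-77246e11' and
  -- optional qual: bounds the time range of the CloudWatch search (assumed window)
  timestamp >= now() - interval '24 hours' and
  -- optional qual: CloudWatch filter pattern matching authorization failures
  filter = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
group by
  user_type,
  user_identifier,
  source_ip_address,
  error_code
having
  count(*) >= 10 -- assumed alerting threshold
order by
  failed_calls desc;
```

A caller with many distinct denied actions in a short first_seen to last_seen span is worth triaging before one that repeatedly fails a single call, which is more often a misconfigured job.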

.inspect aws_cloudtrail_trail_event

CloudTrail events from the CloudWatch service.

| Name | Type | Description |
|------|------|-------------|
| access_key_id | text | The AWS access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials. |
| account_id | text | The AWS Account ID in which the resource is located. |
| additional_event_data | jsonb | Additional data about the event that was not part of the request or response. |
| aws_region | text | The AWS region that the request was made to, such as us-east-2. |
| cloudtrail_event | jsonb | The CloudTrail event in JSON format. |
| error_code | text | The AWS service error if the request returns an error. |
| error_message | text | If the request returns an error, the description of the error. |
| event_category | text | Shows the event category that is used in LookupEvents calls. |
| event_id | text | The ID of the event. |
| event_name | text | The name of the event returned. |
| event_source | text | The AWS service that the request was made to. |
| event_time | timestamp without time zone | The date and time the request was made, in coordinated universal time (UTC). |
| event_type | text | Identifies the type of event that generated the event record. |
| event_version | text | The version of the log event format. |
| filter | text | The CloudWatch filter pattern for the search. |
| log_group_name | text | The name of the log group to which this event belongs. |
| log_stream_name | text | The name of the log stream to which this event belongs. |
| partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| read_only | boolean | Information about whether the event is a write event or a read event. |
| recipient_account_id | text | Represents the account ID that received this event. |
| region | text | The AWS Region in which the resource is located. |
| request_id | text | The value that identifies the request. |
| request_parameters | jsonb | The parameters, if any, that were sent with the request. |
| resources | jsonb | A list of resources referenced by the event returned. |
| response_elements | jsonb | The response element for actions that make changes (create, update, or delete actions). |
| shared_event_id | text | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. |
| source_ip_address | text | The IP address that the request was made from. |
| timestamp | timestamp without time zone | The time when the event occurred. |
| timestamp_ms | bigint | The time when the event occurred. |
| tls_details | jsonb | Shows information about the Transport Layer Security (TLS) version, cipher suites, and the FQDN of the client-provided host name of a service API call. |
| user_agent | text | The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. |
| user_identifier | text | The name/ARN of the user/role that made the API call. |
| user_identity | jsonb | Information about the user that made the request. |
| user_type | text | The name of the event returned. |
| username | text | The user name of the user that made the API request. |
| vpc_endpoint_id | text | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. |