aws_accessanalyzer_analyzeraws_accessanalyzer_findingaws_accountaws_account_alternate_contactaws_account_contactaws_acm_certificateaws_acmpca_certificate_authorityaws_amplify_appaws_api_gateway_api_keyaws_api_gateway_authorizeraws_api_gateway_domain_nameaws_api_gateway_methodaws_api_gateway_rest_apiaws_api_gateway_stageaws_api_gateway_usage_planaws_api_gatewayv2_apiaws_api_gatewayv2_domain_nameaws_api_gatewayv2_integrationaws_api_gatewayv2_routeaws_api_gatewayv2_stageaws_app_runner_serviceaws_appautoscaling_policyaws_appautoscaling_targetaws_appconfig_applicationaws_appstream_fleetaws_appstream_imageaws_appsync_graphql_apiaws_athena_query_executionaws_athena_workgroupaws_auditmanager_assessmentaws_auditmanager_controlaws_auditmanager_evidenceaws_auditmanager_evidence_folderaws_auditmanager_frameworkaws_availability_zoneaws_backup_frameworkaws_backup_jobaws_backup_legal_holdaws_backup_planaws_backup_protected_resourceaws_backup_recovery_pointaws_backup_report_planaws_backup_selectionaws_backup_vaultaws_cloudcontrol_resourceaws_cloudformation_stackaws_cloudformation_stack_resourceaws_cloudformation_stack_setaws_cloudfront_cache_policyaws_cloudfront_distributionaws_cloudfront_functionaws_cloudfront_origin_access_identityaws_cloudfront_origin_request_policyaws_cloudfront_response_headers_policyaws_cloudsearch_domainaws_cloudtrail_channelaws_cloudtrail_event_data_storeaws_cloudtrail_importaws_cloudtrail_lookup_eventaws_cloudtrail_queryaws_cloudtrail_trailaws_cloudtrail_trail_eventaws_cloudwatch_alarmaws_cloudwatch_log_eventaws_cloudwatch_log_groupaws_cloudwatch_log_metric_filteraws_cloudwatch_log_resource_policyaws_cloudwatch_log_streamaws_cloudwatch_log_subscription_filteraws_cloudwatch_metricaws_cloudwatch_metric_data_pointaws_cloudwatch_metric_statistic_data_pointaws_codeartifact_domainaws_codeartifact_repositoryaws_codebuild_buildaws_codebuild_projectaws_codebuild_source_credentialaws_codecommit_repositoryaws_codedeploy_appaws_codedeploy_deployment_configaws_codedeploy_deployment_groupaws_codepipeline_pipelineaws_codestar_notification_ruleaws_cognito_identity_poolaws_cognito_identity_provideraws_cognito_user_poolaws_config_aggregate_authorizationaws_config_configuration_recorderaws_config_conformance_packaws_config_retention_configurationaws_config_ruleaws_cost_by_account_dailyaws_cost_by_account_monthlyaws_cost_by_record_type_dailyaws_cost_by_record_type_monthlyaws_cost_by_service_dailyaws_cost_by_service_monthlyaws_cost_by_service_usage_type_dailyaws_cost_by_service_usage_type_monthlyaws_cost_by_tagaws_cost_forecast_dailyaws_cost_forecast_monthlyaws_cost_usageaws_dax_clusteraws_dax_parameteraws_dax_parameter_groupaws_dax_subnet_groupaws_directory_service_certificateaws_directory_service_directoryaws_directory_service_log_subscriptionaws_directory_servicelog_subscriptionaws_dlm_lifecycle_policyaws_dms_certificateaws_dms_endpointaws_dms_replication_instanceaws_dms_replication_taskaws_docdb_clusteraws_docdb_cluster_instanceaws_docdb_cluster_snapshotaws_drs_jobaws_drs_recovery_instanceaws_drs_recovery_snapshotaws_drs_source_serveraws_dynamodb_backupaws_dynamodb_global_tableaws_dynamodb_metric_account_provisioned_read_capacity_utilaws_dynamodb_metric_account_provisioned_write_capacity_utilaws_dynamodb_tableaws_dynamodb_table_exportaws_ebs_snapshotaws_ebs_volumeaws_ebs_volume_metric_read_opsaws_ebs_volume_metric_read_ops_dailyaws_ebs_volume_metric_read_ops_hourlyaws_ebs_volume_metric_write_opsaws_ebs_volume_metric_write_ops_dailyaws_ebs_volume_metric_write_ops_hourlyaws_ec2_amiaws_ec2_ami_sharedaws_ec2_application_load_balanceraws_ec2_application_load_balancer_metric_request_countaws_ec2_application_load_balancer_metric_request_count_dailyaws_ec2_autoscaling_groupaws_ec2_capacity_reservationaws_ec2_classic_load_balanceraws_ec2_client_vpn_endpointaws_ec2_gateway_load_balanceraws_ec2_instanceaws_ec2_instance_availabilityaws_ec2_instance_metric_cpu_utilizationaws_ec2_instance_metric_cpu_utilization_dailyaws_ec2_instance_metric_cpu_utilization_hourlyaws_ec2_instance_typeaws_ec2_key_pairaws_ec2_launch_configurationaws_ec2_launch_templateaws_ec2_launch_template_versionaws_ec2_load_balancer_listeneraws_ec2_load_balancer_listener_ruleaws_ec2_managed_prefix_listaws_ec2_managed_prefix_list_entryaws_ec2_network_interfaceaws_ec2_network_load_balanceraws_ec2_network_load_balancer_metric_net_flow_countaws_ec2_network_load_balancer_metric_net_flow_count_dailyaws_ec2_regional_settingsaws_ec2_reserved_instanceaws_ec2_spot_priceaws_ec2_ssl_policyaws_ec2_target_groupaws_ec2_transit_gatewayaws_ec2_transit_gateway_routeaws_ec2_transit_gateway_route_tableaws_ec2_transit_gateway_vpc_attachmentaws_ecr_imageaws_ecr_image_scan_findingaws_ecr_registry_scanning_configurationaws_ecr_repositoryaws_ecrpublic_repositoryaws_ecs_clusteraws_ecs_cluster_metric_cpu_utilizationaws_ecs_cluster_metric_cpu_utilization_dailyaws_ecs_cluster_metric_cpu_utilization_hourlyaws_ecs_container_instanceaws_ecs_serviceaws_ecs_taskaws_ecs_task_definitionaws_efs_access_pointaws_efs_file_systemaws_efs_mount_targetaws_eks_addonaws_eks_addon_versionaws_eks_clusteraws_eks_fargate_profileaws_eks_identity_provider_configaws_eks_node_groupaws_elastic_beanstalk_applicationaws_elastic_beanstalk_application_versionaws_elastic_beanstalk_environmentaws_elasticache_clusteraws_elasticache_parameter_groupaws_elasticache_redis_metric_cache_hits_hourlyaws_elasticache_redis_metric_curr_connections_hourlyaws_elasticache_redis_metric_engine_cpu_utilization_dailyaws_elasticache_redis_metric_engine_cpu_utilization_hourlyaws_elasticache_redis_metric_get_type_cmds_hourlyaws_elasticache_redis_metric_list_based_cmds_hourlyaws_elasticache_redis_metric_new_connections_hourlyaws_elasticache_replication_groupaws_elasticache_reserved_cache_nodeaws_elasticache_subnet_groupaws_elasticsearch_domainaws_emr_block_public_access_configurationaws_emr_clusteraws_emr_cluster_metric_is_idleaws_emr_instanceaws_emr_instance_fleetaws_emr_instance_groupaws_emr_security_configurationaws_eventbridge_busaws_eventbridge_ruleaws_fms_app_listaws_fms_policyaws_fsx_file_systemaws_glacier_vaultaws_globalaccelerator_acceleratoraws_globalaccelerator_endpoint_groupaws_globalaccelerator_listeneraws_glue_catalog_databaseaws_glue_catalog_tableaws_glue_connectionaws_glue_crawleraws_glue_data_catalog_encryption_settingsaws_glue_data_quality_rulesetaws_glue_dev_endpointaws_glue_jobaws_glue_security_configurationaws_guardduty_detectoraws_guardduty_filteraws_guardduty_findingaws_guardduty_ipsetaws_guardduty_memberaws_guardduty_publishing_destinationaws_guardduty_threat_intel_setaws_health_affected_entityaws_health_eventaws_iam_access_advisoraws_iam_access_keyaws_iam_account_password_policyaws_iam_account_summaryaws_iam_actionaws_iam_credential_reportaws_iam_groupaws_iam_open_id_connect_provideraws_iam_policyaws_iam_policy_attachmentaws_iam_policy_simulatoraws_iam_roleaws_iam_saml_provideraws_iam_server_certificateaws_iam_service_specific_credentialaws_iam_useraws_iam_virtual_mfa_deviceaws_identitystore_groupaws_identitystore_group_membershipaws_identitystore_useraws_inspector2_coverageaws_inspector2_coverage_statisticsaws_inspector2_findingaws_inspector2_memberaws_inspector_assessment_runaws_inspector_assessment_targetaws_inspector_assessment_templateaws_inspector_exclusionaws_inspector_findingaws_iot_fleet_metricaws_iot_thingaws_iot_thing_groupaws_iot_thing_typeaws_kinesis_consumeraws_kinesis_firehose_delivery_streamaws_kinesis_streamaws_kinesis_video_streamaws_kinesisanalyticsv2_applicationaws_kms_aliasaws_kms_keyaws_kms_key_rotationaws_lambda_aliasaws_lambda_event_source_mappingaws_lambda_functionaws_lambda_function_metric_duration_dailyaws_lambda_function_metric_errors_dailyaws_lambda_function_metric_invocations_dailyaws_lambda_layeraws_lambda_layer_versionaws_lambda_versionaws_lightsail_bucketaws_lightsail_instanceaws_macie2_classification_jobaws_media_store_containeraws_memorydb_clusteraws_mgn_applicationaws_mq_brokeraws_msk_clusteraws_msk_serverless_clusteraws_neptune_db_clusteraws_neptune_db_cluster_snapshotaws_networkfirewall_firewallaws_networkfirewall_firewall_policyaws_networkfirewall_rule_groupaws_oam_linkaws_oam_sinkaws_opensearch_domainaws_organizations_accountaws_organizations_organizational_unitaws_organizations_policyaws_organizations_policy_targetaws_organizations_rootaws_pinpoint_appaws_pipes_pipeaws_pricing_productaws_pricing_service_attributeaws_ram_principal_associationaws_ram_resource_associationaws_rds_db_clusteraws_rds_db_cluster_parameter_groupaws_rds_db_cluster_snapshotaws_rds_db_engine_versionaws_rds_db_event_subscriptionaws_rds_db_instanceaws_rds_db_instance_automated_backupaws_rds_db_instance_metric_connectionsaws_rds_db_instance_metric_connections_dailyaws_rds_db_instance_metric_connections_hourlyaws_rds_db_instance_metric_cpu_utilizationaws_rds_db_instance_metric_cpu_utilization_dailyaws_rds_db_instance_metric_cpu_utilization_hourlyaws_rds_db_instance_metric_read_iopsaws_rds_db_instance_metric_read_iops_dailyaws_rds_db_instance_metric_read_iops_hourlyaws_rds_db_instance_metric_write_iopsaws_rds_db_instance_metric_write_iops_dailyaws_rds_db_instance_metric_write_iops_hourlyaws_rds_db_option_groupaws_rds_db_parameter_groupaws_rds_db_proxyaws_rds_db_recommendationaws_rds_db_snapshotaws_rds_db_subnet_groupaws_rds_reserved_db_instanceaws_redshift_clusteraws_redshift_cluster_metric_cpu_utilization_dailyaws_redshift_event_subscriptionaws_redshift_parameter_groupaws_redshift_snapshotaws_redshift_subnet_groupaws_redshiftserverless_namespaceaws_redshiftserverless_workgroupaws_regionaws_resource_explorer_indexaws_resource_explorer_searchaws_resource_explorer_supported_resource_typeaws_route53_domainaws_route53_health_checkaws_route53_query_logaws_route53_recordaws_route53_resolver_endpointaws_route53_resolver_query_log_configaws_route53_resolver_ruleaws_route53_traffic_policyaws_route53_traffic_policy_instanceaws_route53_vpc_association_authorizationaws_route53_zoneaws_s3_access_pointaws_s3_account_settingsaws_s3_bucketaws_s3_bucket_intelligent_tiering_configurationaws_s3_multi_region_access_pointaws_s3_objectaws_s3_object_versionaws_sagemaker_appaws_sagemaker_domainaws_sagemaker_endpoint_configurationaws_sagemaker_modelaws_sagemaker_notebook_instanceaws_sagemaker_training_jobaws_secretsmanager_secretaws_securityhub_action_targetaws_securityhub_enabled_product_subscriptionaws_securityhub_findingaws_securityhub_finding_aggregatoraws_securityhub_hubaws_securityhub_insightaws_securityhub_memberaws_securityhub_productaws_securityhub_standards_controlaws_securityhub_standards_subscriptionaws_securitylake_data_lakeaws_securitylake_subscriberaws_serverlessapplicationrepository_applicationaws_service_discovery_instanceaws_service_discovery_namespaceaws_service_discovery_serviceaws_servicecatalog_portfolioaws_servicecatalog_productaws_servicecatalog_provisioned_productaws_servicequotas_default_service_quotaaws_servicequotas_serviceaws_servicequotas_service_quotaaws_servicequotas_service_quota_change_requestaws_ses_domain_identityaws_ses_email_identityaws_sfn_state_machineaws_sfn_state_machine_executionaws_sfn_state_machine_execution_historyaws_simspaceweaver_simulationaws_sns_subscriptionaws_sns_topicaws_sns_topic_subscriptionaws_sqs_queueaws_ssm_associationaws_ssm_documentaws_ssm_document_permissionaws_ssm_inventoryaws_ssm_inventory_entryaws_ssm_maintenance_windowaws_ssm_managed_instanceaws_ssm_managed_instance_complianceaws_ssm_managed_instance_patch_stateaws_ssm_parameteraws_ssm_patch_baselineaws_ssmincidents_response_planaws_ssoadmin_account_assignmentaws_ssoadmin_instanceaws_ssoadmin_managed_policy_attachmentaws_ssoadmin_permission_setaws_sts_caller_identityaws_tagging_resourceaws_timestreamwrite_databaseaws_timestreamwrite_tableaws_transfer_serveraws_transfer_useraws_trusted_advisor_check_summaryaws_vpcaws_vpc_customer_gatewayaws_vpc_dhcp_optionsaws_vpc_egress_only_internet_gatewayaws_vpc_eipaws_vpc_eip_address_transferaws_vpc_endpointaws_vpc_endpoint_serviceaws_vpc_flow_logaws_vpc_flow_log_eventaws_vpc_internet_gatewayaws_vpc_nat_gatewayaws_vpc_nat_gateway_metric_bytes_out_to_destinationaws_vpc_network_aclaws_vpc_peering_connectionaws_vpc_routeaws_vpc_route_tableaws_vpc_security_groupaws_vpc_security_group_ruleaws_vpc_subnetaws_vpc_verified_access_endpointaws_vpc_verified_access_groupaws_vpc_verified_access_instanceaws_vpc_verified_access_trust_provideraws_vpc_vpn_connectionaws_vpc_vpn_gatewayaws_waf_rate_based_ruleaws_waf_ruleaws_waf_rule_groupaws_waf_web_aclaws_wafregional_ruleaws_wafregional_rule_groupaws_wafregional_web_aclaws_wafv2_ip_setaws_wafv2_regex_pattern_setaws_wafv2_rule_groupaws_wafv2_web_aclaws_wellarchitected_answeraws_wellarchitected_check_detailaws_wellarchitected_check_summaryaws_wellarchitected_consolidated_reportaws_wellarchitected_lensaws_wellarchitected_lens_reviewaws_wellarchitected_lens_review_improvementaws_wellarchitected_lens_review_reportaws_wellarchitected_lens_shareaws_wellarchitected_milestoneaws_wellarchitected_notificationaws_wellarchitected_share_invitationaws_wellarchitected_workloadaws_wellarchitected_workload_shareaws_workspaces_directoryaws_workspaces_workspace
Table: aws_cloudtrail_trail_event - Query AWS CloudTrail Events using SQL
AWS CloudTrail Events are records of activity within your AWS environment. This service captures all API calls for your account, including calls made via the AWS Management Console, SDKs, and CLI. It provides a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services.
Table Usage Guide
The aws_cloudtrail_trail_event table in Steampipe provides you with information about each trail event within AWS CloudTrail. This table allows you, as a DevOps engineer, to query event-specific details, including event time, event name, resources involved, and more. You can utilize this table to gather insights on trail events, such as event source, user identity, and request parameters. The schema outlines the various attributes of the CloudTrail event for you, including the event ID, event version, read only, and associated tags.
Important Notes
- You must specify
log_group_namein awhereclause in order to use this table. - For improved performance, it is advised that you use the optional qual
timestampto limit the result set to a specific time period. - This table supports optional quals. Queries with optional quals are optimised to use CloudWatch filters. Optional quals are supported for the following columns:
access_key_idaws_region(region of the event, useful in case of multi-region trails)error_codeevent_categoryevent_idevent_nameevent_sourcefilterlog_stream_nameregionsource_ip_addresstimestampusername
Examples
List events that occurred over the last five minutes
This query is useful for gaining insights into recent activity within your AWS environment. It provides a quick overview of the events that have taken place in the last five minutes, which can be particularly useful for immediate incident response or real-time monitoring.
select event_name, event_source, event_time, user_type, username, user_identifier, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and timestamp >= now() - interval '5 minutes';select event_name, event_source, event_time, user_type, username, user_identifier, json(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and timestamp >= datetime('now', '-5 minutes');List ordered events that occurred between five to ten minutes ago
Explore the sequence of events that occurred within a specific time frame in the recent past. This can be useful for auditing activities, identifying anomalies, or tracking user behaviour within a given period.
select event_name, event_source, event_time, user_type, username, user_identifier, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and timestamp between (now() - interval '10 minutes') and (now() - interval '5 minutes')order by event_time asc;select event_name, event_source, event_time, user_type, username, user_identifier, json(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and timestamp between (datetime('now', '-10 minutes')) and (datetime('now', '-5 minutes'))order by event_time asc;List all action events, i.e., not ReadOnly that occurred over the last hour
Explore which action events have occurred in the last hour on AWS Cloudtrail. This is useful for identifying recent activities that have potentially altered your system.
select event_name, event_source, event_time, user_type, username, user_identifier, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and not read_only and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, user_type, username, user_identifier, json(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and not read_only and timestamp >= datetime('now', '-1 hours')order by event_time asc;List events for a specific service (IAM) that occurred over the last hour
This query allows users to monitor recent activity for a specific service, in this case, AWS's Identity and Access Management (IAM). It is particularly useful for security audits, as it provides a chronological overview of events, including who initiated them and what actions were taken, over the last hour.
select event_name, event_source, event_time, user_type, user_identifier, jsonb_pretty(request_parameters) as request_parameters, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and event_source = 'iam.amazonaws.com' and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, user_type, user_identifier, json(request_parameters) as request_parameters, json(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and event_source = 'iam.amazonaws.com' and timestamp >= datetime('now', '-1 hour')order by event_time asc;List events for an IAM user (steampipe) that occurred over the last hour
Explore which events have occurred on your system over the past hour that are associated with a specific IAM user. This can help in monitoring user activity and identifying potential security concerns.
select event_name, event_source, event_time, user_type, username, user_identifier, jsonb_pretty(request_parameters) as request_parameters, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and username = 'steampipe' and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, user_type, username, user_identifier, request_parameters, response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and username = 'steampipe' and timestamp >= datetime('now', '-1 hour')order by event_time asc;List events performed by IAM users that occurred over the last hour
Determine the activities undertaken by IAM users within the past hour in your AWS environment. This can help in understanding user behaviors, monitoring security, and auditing purposes.
select event_name, event_source, event_time, user_type, username, user_identifier, jsonb_pretty(request_parameters) as request_parameters, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and user_type = 'IAMUser' and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, user_type, username, user_identifier, request_parameters, response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and user_type = 'IAMUser' and timestamp >= datetime('now', '-1 hours')order by event_time asc;List events performed with an assumed role that occurred over the last hour
Explore which actions were carried out using an assumed role in the past hour. This is useful in monitoring and auditing for any unusual or unauthorized activities.
select event_name, event_source, event_time, user_type, username, user_identifier, jsonb_pretty(request_parameters) as request_parameters, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and user_type = 'AssumedRole' and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, user_type, username, user_identifier, request_parameters, response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and user_type = 'AssumedRole' and timestamp >= datetime('now', '-1 hours')order by event_time asc;List events that were not successfully executed that occurred over the last hour
Identify instances where events were not executed successfully in the past hour. This is useful for monitoring system performance and quickly addressing any operational issues.
select event_name, event_source, event_time, error_code, error_message, user_type, username, user_identifier, jsonb_pretty(request_parameters) as request_parameters, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and error_code is not null and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, error_code, error_message, user_type, username, user_identifier, request_parameters, response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and error_code is not null and timestamp >= datetime('now', '-1 hours')order by event_time asc;Filter examples
For more information on CloudWatch log filters, please refer to Filter Pattern Syntax.
List events originating from a specific IP address range that occurred over the last hour
Explore which events have originated from a specific IP address range in the last hour. This is useful for understanding and monitoring recent activity and potential security incidents related to that IP range.
select event_name, event_source, event_time, error_code, error_message, user_type, username, user_identifier, jsonb_pretty(request_parameters) as request_parameters, jsonb_pretty(response_elements) as response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and filter = '{ $.sourceIPAddress = 203.189.* }' and timestamp >= now() - interval '1 hour'order by event_time asc;select event_name, event_source, event_time, error_code, error_message, user_type, username, user_identifier, request_parameters, response_elementsfrom aws_cloudtrail_trail_eventwhere log_group_name = 'aws-cloudtrail-log-group-name' and json_extract(filter, '$.sourceIPAddress') like '203.189.%' and timestamp >= datetime('now', '-1 hour')order by event_time asc;Schema for aws_cloudtrail_trail_event
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| access_key_id | text | = | The AWS access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| additional_event_data | jsonb | Additional data about the event that was not part of the request or response. | |
| aws_region | text | = | The AWS region that the request was made to, such as us-east-2. |
| cloudtrail_event | jsonb | The CloudTrail event in the json format. | |
| error_code | text | = | The AWS service error if the request returns an error. |
| error_message | text | If the request returns an error, the description of the error. | |
| event_category | text | = | Shows the event category that is used in LookupEvents calls. |
| event_id | text | = | The ID of the event. |
| event_name | text | = | The name of the event returned. |
| event_source | text | = | The AWS service that the request was made to. |
| event_time | timestamp with time zone | The date and time the request was made, in coordinated universal time (UTC). | |
| event_type | text | Identifies the type of event that generated the event record. | |
| event_version | text | The version of the log event format. | |
| filter | text | = | The cloudwatch filter pattern for the search. |
| log_group_name | text | = | The name of the log group to which this event belongs. |
| log_stream_name | text | = | The name of the log stream to which this event belongs. |
| partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
| read_only | boolean | = | Information about whether the event is a write event or a read event. |
| recipient_account_id | text | Represents the account ID that received this event. | |
| region | text | = | The AWS Region in which the resource is located. |
| request_id | text | The value that identifies the request. | |
| request_parameters | jsonb | The parameters, if any, that were sent with the request. | |
| resources | jsonb | A list of resources referenced by the event returned. | |
| response_elements | jsonb | The response element for actions that make changes (create, update, or delete actions). | |
| shared_event_id | text | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. | |
| source_ip_address | text | = | The IP address that the request was made from. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| timestamp | timestamp with time zone | >, >=, =, <, <= | The time when the event occurred. |
| timestamp_ms | bigint | The time when the event occurred. | |
| tls_details | jsonb | Shows information about the Transport Layer Security (TLS) version, cipher suites, and the FQDN of the client-provided host name of a service API call. | |
| user_agent | text | The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. | |
| user_identifier | text | The name/arn of user/role that made the api call. | |
| user_identity | jsonb | Information about the user that made the request. | |
| user_type | text | = | The name of the event returned. |
| username | text | = | The user name of the user that made the api request. |
| vpc_endpoint_id | text | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- awsYou can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_cloudtrail_trail_event