created: 2019-06-10T04:31:32.000Z
AWSのアクセストークンが昨日どんなAPIコールを行なったか確認する
cloudtrailのlookup-eventsで昨日の分をすべてとる
$ aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=AccessKeyId,AttributeValue=xxxxxxxx \
--start-time $(date -v -2d -u +"%Y-%m-%dT%H:%M:%SZ") \
--end-time $(date -v -1d -u +"%Y-%m-%dT%H:%M:%SZ") \
| tee /tmp/_
取得できるデータ
- EventSourceやEventNameなどでどのAPIが叩かれたかわかる
- EventTimeで時間もわかる
{
"EventId": "7615c6ad-xxxx-4f42-baa4-d4f14d240d96",
"EventName": "GetQueryExecution",
"ReadOnly": "true",
"AccessKeyId": "xxxxxx",
"EventTime": 1560042666,
"EventSource": "athena.amazonaws.com",
"Username": "xxxx",
"Resources": [],
"CloudTrailEvent": {...}
}
CloudTrailEvent
どんな感じでAPIを叩いたかも CloudTrailEvent で見られる
下記の例だとGetQueryExecutionの叩かれ方がrequestParametersなどをみればわかる
$ cat /tmp/_ | jq -r .Events[0].CloudTrailEvent | jq .
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "xxxx",
"arn": "arn:aws:iam::xxxx:user/mossan",
"accountId": "xxxx",
"accessKeyId": "xxxx",
"userName": "mossan"
},
"eventTime": "2019-06-09T01:11:06Z",
"eventSource": "athena.amazonaws.com",
"eventName": "GetQueryExecution",
"awsRegion": "ap-northeast-1",
"sourceIPAddress": "13.231.254.111",
"userAgent": "aws-sdk-nodejs/2.320.0 linux/v8.10.0 exec-env/AWS_Lambda_nodejs8.10 callback",
"requestParameters": {
"queryExecutionId": "xxxx"
},
"responseElements": null,
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "xxxx"
}
jqを使ってtsvに整形
大体の場合、どのAPIがどれくらいの頻度で叩かれてるかが見られればよいので、jqで以下のように整形すれば良い感じに見られる
.EventTime|.+32400|todate でUNIXエポックをJSTに変換している
$ cat /tmp/_ | jq -r '.Events[] | [(.EventTime|.+32400|todate),.EventSource,.EventName] | @tsv' | head
2019-06-09T10:11:06Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:06Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:05Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:05Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:05Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:04Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:04Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:03Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:02Z athena.amazonaws.com GetQueryExecution
2019-06-09T10:11:02Z athena.amazonaws.com GetQueryExecution
