本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
示例查询
本节介绍如何访问 CloudTrail 控制台中的示例查询,并包括一些示例 CloudTrail Lake 查询,以帮助您入门。
注意
您还可以查看 GitHub 社区创建的查询。有关更多信息并查看这些示例查询,请参阅 GitHub 网站上的 CloudTrail Lake sample queries
主题
查看 CloudTrail 控制台中的示例查询
CloudTrail 控制台提供了很多示例查询,可以帮助您开始编写您自己的查询。
访问 CloudTrail 控制台中的示例查询
-
登录到 Amazon Web Services Management Console,然后通过以下网址打开 CloudTrail 控制台:https://console.aws.amazon.com/cloudtrail
。 -
在导航窗格中,在 Lake 下,选择查询。
-
选择 Sample queries(示例查询)选项卡。
-
要编辑示例查询,请选择查询名称。有关运行查询的信息,请参阅 运行查询并保存查询结果。
示例:查找于 2023 年 1 月 22 日调用 CreateBucket 的所有主体的用户身份
SELECT userIdentity.principalid, eventName FROMevent_data_store_IDWHERE userIdentity.principalid IS NOT NULL AND eventTime > '2023-01-22 00:00:00' AND eventTime < '2023-01-23 00:00:00' AND eventName='CreateBucket'
结果
{ "QueryStatus": "FINISHED", "QueryStatistics": { "ResultsCount": 1, "TotalResultsCount": 1, "BytesScanned": 25077 }, "QueryResultRows": [ [ { "principalid": "principal_ID" }, { "eventName": "CreateBucket" } ] ] }
示例:查找用户于 2023 年 1 月 22 日调用的所有 API
SELECT eventID, eventName, eventSource, eventTime FROMevent_data_store_IDWHERE userIdentity.username = 'bob' AND eventTime > '2023-01-22 00:00:00' AND eventTime < '2023-01-23 00:00:00'
结果
{ "QueryStatus": "FINISHED", "QueryStatistics": { "ResultsCount": 2, "TotalResultsCount": 2, "BytesScanned": 13287 }, "QueryResultRows": [ [ { "eventID": "EXAMPLE-c3b6-43e4-aa35-b2490EXAMPLE" }, { "eventName": "DescribeQuery" }, { "eventSource": "cloudtrail.amazonaws.com" }, { "eventTime": "2023-01-22 16:53:53.000" } ], [ { "eventID": "EXAMPLE6-ac95-4b37-b587-76a80EXAMPLE" }, { "eventName": "ListBuckets" }, { "eventSource": "s3.amazonaws.com" }, { "eventTime": "2023-01-22 20:25:01.000" } ] ] }
示例:查找自 2023 年 1 月 1 日起进行的 API 调用数量,按 eventName 和 eventSource 分组
SELECT eventSource, eventName, COUNT(*) AS apiCount FROMevent_data_store_IDWHERE eventTime > '2023-01-01 00:00:00' GROUP BY eventSource, eventName ORDER BY apiCount DESC
结果
{ "QueryStatus": "FINISHED", "QueryStatistics": { "ResultsCount": 3, "TotalResultsCount": 3, "BytesScanned": 10442 }, "QueryResultRows": [ [ { "eventSource": "s3.amazonaws.com" }, { "eventName": "PutObject" }, { "apiCount": "96059" } ], [ { "eventSource": "dynamodb.amazonaws.com" }, { "eventName": "DescribeTable" }, { "apiCount": "49426" } ], [ { "eventSource": "sts.amazonaws.com" }, { "eventName": "AssumeRole" }, { "apiCount": "45617" } ] ] }
示例:查找在一组区域中登录过控制台的所有用户
SELECT eventTime, useridentity.arn, awsRegion FROMevent_data_store_IDWHERE awsRegion in ('us-east-1', 'us-west-2') AND eventName = 'ConsoleLogin'
结果
{ "QueryStatus": "FINISHED", "QueryStatistics": { "ResultsCount": 2, "TotalResultsCount": 2, "BytesScanned": 15580 }, "QueryResultRows": [ [ { "eventTime": "2022-02-08 19:54:44.000" }, { "arn": "arn:aws:sts::123456789012:assumed-role/example-identity" }, { "awsRegion": "us-east-1" } ], [ { "eventTime": "2022-01-21 16:38:27.000" }, { "arn": "arn:aws:sts::123456789012:assumed-role/example-identity" }, { "awsRegion": "us-west-2" } ] ] }
示例:查找 2023 年 1 月运行的所有 CloudTrail Lake 查询
SELECT element_at(responseElements, 'queryId'), element_at(requestParameters, 'queryStatement') FROMevent_data_store_IDWHERE eventName='StartQuery' AND eventSource = 'cloudtrail.amazonaws.com' AND responseElements IS NOT NULL AND eventTime > '2023-01-01 00:00:00' AND eventTime < '2023-02-01 00:00:00'
结果
{ "QueryStatus": "FINISHED", "QueryStatistics": { "ResultsCount": 1, "TotalResultsCount": 1, "BytesScanned": 13002 }, "QueryResultRows": [ [ { "_col0": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE" }, { "_col1": "select * fromevent_data_store_IDlimit 1;" } ] ] }