Viewing recent management events with the Amazon CLI
You can look up CloudTrail management events for the last 90 days for the current Amazon Web Services Region using the aws cloudtrail lookup-events command. The aws cloudtrail lookup-events command shows events in the Amazon Web Services Region where they occurred.
Lookup supports the following attributes for management events:
-
Amazon access key
-
Event ID
-
Event name
-
Event source
-
Read only
-
Resource name
-
Resource type
-
User name
All attributes are optional.
The lookup-events
-
--max-items
<integer>
– The total number of items to return in the command's output. If the total number of items available is more than the value specified, aNextToken
is provided in the command's output. To resume pagination, provide theNextToken
value in the starting-token argument of a sub- sequent command. Do not use theNextToken
response element directly outside of the Amazon CLI. -
--start-time
<timestamp>
– Specifies that only events that occur after or at the specified time are returned. If the specified start time is after the specified end time, an error is returned. -
--lookup-attributes
<integer>
– Contains a list of lookup attributes. Currently the list can contain only one item. -
--generate-cli-skeleton
<string>
– Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for--cli-input-json
. Similarly, if provided yaml-input it will print a sample input YAML that can be used with--cli-input-yaml
. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the Amazon CLI and there are no backwards compatibility guarantees in the JSON skeleton generated. -
--cli-input-json
<string>
– Reads arguments from the JSON string provided. The JSON string follows the format provided by the--generate-cli-skeleton
parameter. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with the--cli-input-yaml
parameter.
For general information about using the Amazon Command Line Interface, see the Amazon Command Line Interface User Guide.
Contents
Prerequisites
-
To run Amazon CLI commands, you must install the Amazon CLI. For information, see Get started with the Amazon CLI.
-
Make sure your Amazon CLI version is greater than 1.6.6. To verify the CLI version, run aws --version on the command line.
-
To set the account, Amazon Web Services Region, and default output format for an Amazon CLI session, use the aws configure command. For more information, see Configuring the Amazon Command Line Interface.
Note
The CloudTrail Amazon CLI commands are case-sensitive.
Getting command line help
To see the command line help for lookup-events
, type the following
command:
aws cloudtrail lookup-events help
Looking up events
Important
The rate of lookup requests is limited to two per second, per account, per Region. If this limit is exceeded, a throttling error occurs.
To see the ten latest events, type the following command:
aws cloudtrail lookup-events --max-items 10
A returned event looks similar to the following fictitious example, which has been formatted for readability:
{ "NextToken": "kbOt5LlZe++mErCebpy2TgaMgmDvF1kYGFcH64JSjIbZFjsuvrSqg66b5YGssKutDYIyII4lrP4IDbeQdiObkp9YAlju3oXd12juy3CIZW8=", "Events": [ { "EventId": "0ebbaee4-6e67-431d-8225-ba0d81df5972", "Username": "root", "EventTime": 1424476529.0, "CloudTrailEvent": "{ \"eventVersion\":\"1.02\", \"userIdentity\":{ \"type\":\"Root\", \"principalId\":\"111122223333\", \"arn\":\"arn:aws:iam::111122223333:root\", \"accountId\":\"111122223333\"}, \"eventTime\":\"2015-02-20T23:55:29Z\", \"eventSource\":\"signin.amazonaws.com\", \"eventName\":\"ConsoleLogin\", \"awsRegion\":\"us-east-2\", \"sourceIPAddress\":\"203.0.113.4\", \"userAgent\":\"Mozilla/5.0\", \"requestParameters\":null, \"responseElements\":{\"ConsoleLogin\":\"Success\"}, \"additionalEventData\":{ \"MobileVersion\":\"No\", \"LoginTo\":\"https://console.aws.amazon.com/console/home", \"MFAUsed\":\"No\"}, \"eventID\":\"0ebbaee4-6e67-431d-8225-ba0d81df5972\", \"eventType\":\"AwsApiCall\", \"recipientAccountId\":\"111122223333\"}", "EventName": "ConsoleLogin", "Resources": [] } ] }
For an explanation of the lookup-related fields in the output, see the section Lookup output fields later in this document. For an explanation of the fields in the CloudTrail event, see CloudTrail record contents.
Specifying the number of events to return
To specify the number of events to return, type the following command:
aws cloudtrail lookup-events --max-items
<integer>
Possible values are 1 through 50. The following example returns one event.
aws cloudtrail lookup-events --max-items 1
Looking up events by time range
Events from the past 90 days are available for lookup. To specify a time range, type the following command:
aws cloudtrail lookup-events --start-time
<timestamp>
--end-time<timestamp>
--start-time
specifies, in UTC, that
only events that occur after or at the specified time are returned. If the specified
start time is after the specified end time, an error is returned.<timestamp>
--end-time
specifies, in UTC, that
only events that occur before or at the specified time are returned. If the specified
end time is before the specified start time, an error is returned.<timestamp>
The default start time is the earliest date that data is available within the last 90 days. The default end time is the time of the event that occurred closest to the current time.
All timestamps are shown in UTC.
Looking up events by attribute
To filter by an attribute, type the following command:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=
<attribute>
,AttributeValue=<string>
You can specify only one attribute key/value pair for each
lookup-events command. The following are valid values for
AttributeKey
. Value names are case sensitive.
-
AccessKeyId
-
EventId
-
EventName
-
EventSource
-
ReadOnly
-
ResourceName
-
ResourceType
-
Username
The maximum length for the AttributeValue
is 2000 characters. The
following characters ('_
', '
', ',
',
'\\n
') count as two characters towards the 2000 character limit.
Attribute lookup examples
The following example command returns events in Region
cn-northwest-1
, which allows you to view global service events. Replace
gseService
with the appropriate value for your configuration.
aws cloudtrail --region cn-northwest-1 lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=
gseService
The following example command returns events in which the value of
AccessKeyId
is AKIAIOSFODNN7EXAMPLE
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIAIOSFODNN7EXAMPLE
The following example command returns the event for the specified CloudTrail
EventId
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventId,AttributeValue=b5cc8c40-12ba-4d08-a8d9-2bceb9a3e002
The following example command returns events in which the value of
EventName
is RunInstances
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances
The following example command returns events in which the value of
EventSource
is iam.amazonaws.com
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com
The following example command returns write events. It excludes read events such
as GetBucketLocation
and DescribeStream
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false
The following example command returns events in which the value of
ResourceName
is CloudTrail_CloudWatchLogs_Role
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=CloudTrail_CloudWatchLogs_Role
The following example command returns events in which the value of
ResourceType
is AWS::S3::Bucket
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::S3::Bucket
The following example command returns events in which the value of
Username
is root
.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root
Specifying the next page of results
To get the next page of results from a lookup-events
command, type the
following command:
aws cloudtrail lookup-events
<same parameters as previous command>
--next-token=<token>
where the value for <token>
is taken from the first
field of the output of the previous command.
When you use --next-token
in a command, you must use the same parameters
as in the previous command. For example, suppose you run the following command:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root
To get the next page of results, your next command would look like this:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --next-token=kbOt5LlZe++mErCebpy2TgaMgmDvF1kYGFcH64JSjIbZFjsuvrSqg66b5YGssKutDYIyII4lrP4IDbeQdiObkp9YAlju3oXd12juy3CIZW8=
Getting JSON input from a file
The Amazon CLI for some Amazon services has two parameters,
--generate-cli-skeleton
and --cli-input-json
, that you can
use to generate a JSON template which you can modify and use as input to the
--cli-input-json
parameter. This section describes how to use these
parameters with aws cloudtrail lookup-events
. For more general information,
see Amazon CLI skeletons and input files.
To look up CloudTrail events by getting JSON input from a file
-
Create an input template for use with
lookup-events
by redirecting the--generate-cli-skeleton
output to a file, as in the following example.aws cloudtrail lookup-events --generate-cli-skeleton > LookupEvents.txt
The template file generated (in this case, LookupEvents.txt) looks like this:
{ "LookupAttributes": [ { "AttributeKey": "", "AttributeValue": "" } ], "StartTime": null, "EndTime": null, "MaxResults": 0, "NextToken": "" }
-
Use a text editor to modify the JSON as needed. The JSON input must contain only values that are specified.
Important
All empty or null values must be removed from the template before you can use it.
The following example specifies a time range and maximum number of results to return.
{ "StartTime": "2023-11-01", "EndTime": "2023-12-12", "MaxResults": 10 }
-
To use the edited file as input, use the syntax
--cli-input-json file://
<filename>
, as in the following example:aws cloudtrail lookup-events --cli-input-json file://LookupEvents.txt
Note
You can use other arguments on the same command line as
--cli-input-json
.
Lookup output fields
- Events
-
A list of lookup events based on the lookup attribute and time range that were specified. The events list is sorted by time, with the latest event listed first. Each entry contains information about the lookup request and includes a string representation of the CloudTrail event that was retrieved.
The following entries describe the fields in each lookup event.
- CloudTrailEvent
-
A JSON string that contains an object representation of the event returned. For information about each of the elements returned, see Record Body Contents.
- EventId
-
A string that contains the GUID of the event returned.
- EventName
-
A string that contains the name of the event returned.
- EventSource
-
The Amazon service that the request was made to.
- EventTime
-
The date and time, in UNIX time format, of the event.
- Resources
-
A list of resources referenced by the event that was returned. Each resource entry specifies a resource type and a resource name.
- ResourceName
-
A string that contains the name of the resource referenced by the event.
- ResourceType
-
A string that contains the type of a resource referenced by the event. When the resource type cannot be determined, null is returned.
- Username
-
A string that contains the user name of the account for the event returned.
- NextToken
-
A string to get the next page of results from a previous
lookup-events
command. To use the token, the parameters must be the same as those in the original command. If noNextToken
entry appears in the output, there are no more results to return.