AWS CloudTrail CLI [Cheat Sheet]


Here’s a CloudTrail CLI cheat sheet in both downloadable image format and text format for reference.

AWS CloudTrail Downloadable CLI Cheat Sheet

Please note this is not a comprehensive list of all commands or how to use them. These are some of the most commonly used commands and scenarios. If you’re looking for a full list of CloudTrail CLI commands, refer to the official documentation.

General and Operational Commands

List trails in your AWS account:

aws cloudtrail list-trails

Shows settings for one or more trails for the specified region (or current region if not specified):

aws cloudtrail describe-trails [--trail-name-list <value>] [--region <value>]

Create a new trail (the bucket flag is --s3-bucket-name):

aws cloudtrail create-trail --name <value> --s3-bucket-name <value> [--include-global-service-events] [--is-multi-region-trail] [--enable-log-file-validation] [--cloud-watch-logs-log-group-arn <value>] [--cloud-watch-logs-role-arn <value>] [--kms-key-id <value>]

List names and settings of all trails:

aws cloudtrail describe-trails [--output json]

Add tags to a trail (the command shown tags it with what it logs):

aws cloudtrail add-tags --resource-id <value> --tags-list "Key=log-events,Value=management"

Event History and Insights Events

See the latest event in JSON format (raise --max-items for more):

aws cloudtrail lookup-events --max-items 1 [--output json]

Instead of a maximum, you can specify a time range:

aws cloudtrail lookup-events --start-time <timestamp> --end-time <timestamp>

Example

aws cloudtrail lookup-events --start-time "2023-11-15, 5:00PM" --end-time "2023-11-15, 6:00PM" --output json

We can also query by using a single attribute, like this:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=<attribute>,AttributeValue=<string>

Example – you think an access key has been compromised and has been used by a threat actor. You can query the last 10 events related to that access key like this:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=EXAMPLE_KEY_ID_HERE --max-items 10

Working with Trails

Log file location:

bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz

Search through log files manually:

Example (uses jq)

find . -type f -exec jq '.Records[].userIdentity.arn' {} \;

This searches every file under the current directory and runs jq on each one, extracting userIdentity.arn. Note that jq paths are case sensitive: if you write UserIdentity with a capital U, for example, nothing is returned.

Example

find . -type f -exec jq -r '.Records[] | [.eventTime, .sourceIPAddress, .userIdentity.arn, .eventName] | join(" -- ")' {} \; | sort
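As an added example that is not part of the original cheat sheet, the following Python script does offline what the two jq one-liners above and the compromised-access-key lookup earlier do: it walks a local copy of the bucket layout (bucket/prefix/AWSLogs/account/CloudTrail/region/YYYY/MM/DD/file.json.gz), reads every gzipped log file, builds the same eventTime -- sourceIPAddress -- arn -- eventName timeline, and filters events for one access key, newest first, with a per-source-IP count. Every account ID, ARN, key ID and IP address in it is a constructed sample value, and it never contacts AWS.

```python
"""Search CloudTrail log files on disk (offline counterpart of the jq and
lookup-events examples). All identifiers below are constructed samples."""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path
from typing import Iterator

# Constructed sample records: made-up account ID, ARNs, key IDs and IPs.
SAMPLE_LOGS = {
    "AWSLogs/111122223333/CloudTrail/us-east-1/2023/11/15/file_a.json.gz": [
        {"eventTime": "2023-11-15T17:02:11Z", "eventName": "ListBuckets",
         "sourceIPAddress": "203.0.113.7",
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                          "accessKeyId": "AKIAEXAMPLEKEY000001"}},
        {"eventTime": "2023-11-15T17:05:40Z", "eventName": "GetCallerIdentity",
         "sourceIPAddress": "198.51.100.23",
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                          "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    ],
    "AWSLogs/111122223333/CloudTrail/us-east-1/2023/11/15/file_b.json.gz": [
        {"eventTime": "2023-11-15T17:01:03Z", "eventName": "DescribeInstances",
         "sourceIPAddress": "203.0.113.7",
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                          "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    ],
}


def make_sample_tree() -> Path:
    """Write the sample records as gzipped files under a temp dir laid out
    like a local sync of bucket/prefix/AWSLogs/..., and return its root."""
    root = Path(tempfile.mkdtemp(prefix="cloudtrail-"))
    for rel, records in SAMPLE_LOGS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            json.dump({"Records": records}, fh)
    return root


def iter_records(root: Path) -> Iterator[dict]:
    """Yield every record from all *.json.gz and *.json files under root,
    the equivalent of `find . -type f -exec jq '.Records[]' {} \\;`."""
    for path in sorted(root.rglob("*.json*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8") as fh:
            yield from json.load(fh).get("Records", [])


def timeline_line(rec: dict) -> str:
    """Same four fields and separator as the jq join(" -- ") example.
    Field names are case sensitive here exactly as they are for jq."""
    return " -- ".join([
        rec.get("eventTime", "-"),
        rec.get("sourceIPAddress", "-"),
        rec.get("userIdentity", {}).get("arn", "-"),
        rec.get("eventName", "-"),
    ])


def timeline(root: Path) -> list:
    """Sorted timeline across every file, like piping the jq output to sort."""
    return sorted(timeline_line(r) for r in iter_records(root))


def events_for_access_key(root: Path, key_id: str, max_items: int = 10) -> list:
    """Newest-first events made with one access key, the offline counterpart of
    lookup-events --lookup-attributes AttributeKey=AccessKeyId,... --max-items N."""
    hits = [r for r in iter_records(root)
            if r.get("userIdentity", {}).get("accessKeyId") == key_id]
    hits.sort(key=lambda r: r.get("eventTime", ""), reverse=True)
    return hits[:max_items]


def source_ips_for_access_key(root: Path, key_id: str) -> dict:
    """Calls per source IP for a key; an unfamiliar IP here is usually the
    first concrete sign that a leaked key is being used from outside."""
    hits = events_for_access_key(root, key_id, max_items=10**6)
    return dict(Counter(r.get("sourceIPAddress", "-") for r in hits))


if __name__ == "__main__":
    root = make_sample_tree()
    print("\n".join(timeline(root)))
    print(source_ips_for_access_key(root, "AKIAEXAMPLEKEY000001"))
```

Point make_sample_tree's return value at a real directory synced with aws s3 sync to run it against your own logs; the functions only assume the documented .Records[] layout and the field names used in the jq examples.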

CloudTrail Lake

Create and manage event data stores:

aws cloudtrail create-event-data-store --name <value> [--advanced-event-selectors <value>]

Return info about a specific event data store:

aws cloudtrail get-event-data-store --event-data-store <value> # The ARN (or ID suffix of the ARN)

List all event data stores (returns an EventDataStores[] array):

aws cloudtrail list-event-data-stores

Starts/stops ingesting live events for a specific event data store:

aws cloudtrail start-event-data-store-ingestion --event-data-store <value> # The ARN (or ID suffix of the ARN)
aws cloudtrail stop-event-data-store-ingestion --event-data-store <value>

Create a channel to ingest events from a partner or external source:

aws cloudtrail create-channel --name <value> --source <value> --destinations <value> # Event data stores to send events from this channel to

Returns a channel's info:

aws cloudtrail get-channel --channel <value>

List all channels:

aws cloudtrail list-channels

Returns metadata about a query:

aws cloudtrail describe-query --event-data-store ac1e7a13-… --query-id 95f234dd-…

Get the results of a query run in Lake

aws cloudtrail get-query-results --query-id <value>

Example

aws cloudtrail get-query-results --query-id 95f234dd-…

List all queries run in the last 7 days:

aws cloudtrail list-queries --event-data-store <value>

Example

aws cloudtrail list-queries --event-data-store 2cbe7a73-…

Imports data from logged trail events in S3 to an event data store for Lake queries:

aws cloudtrail start-import [--destinations <value>] [--import-source <value>] [--start-event-time <value>] [--end-event-time <value>]

Runs a CloudTrail Lake query:

--query-statement is the SQL statement to run
--query-parameters is the list of query parameters

aws cloudtrail start-query [--query-statement <value>] [--delivery-s3-uri <value>] [--query-parameters <value>]

Insights Events

Enables Insights event logging for an existing trail or event data store. --insight-selectors lists the Insights types you want to log (ApiCallRateInsight and/or ApiErrorRateInsight):

aws cloudtrail put-insight-selectors [--trail-name <value>] --insight-selectors <value> [--event-data-store <value>] [--insights-destination <value>]

Retrieve the Insights event selectors configured for a trail or event data store:

aws cloudtrail get-insight-selectors [--trail-name <value>] [--event-data-store <value>]

Record Contents

Records that make up CloudTrail log events:

Learn how to use and configure CloudTrail properly for security with our free course:

Beginner's Guide to AWS CloudTrail for Security Course
