CloudTrail on The Cloud Optimist https://antoinedelia.github.io/cloud-optimist/pr-144/en/tags/cloudtrail/ Recent content in CloudTrail on The Cloud Optimist Hugo -- gohugo.io en-US Wed, 09 Jul 2025 12:30:00 +0200 On The Trail of The Lost Resource - My Investigation With Athena and CloudTrail https://antoinedelia.github.io/cloud-optimist/pr-144/en/posts/2025/on-the-trail-of-the-lost-resource-my-investigation-with-athena-and-cloudtrail/ Wed, 09 Jul 2025 12:30:00 +0200 https://antoinedelia.github.io/cloud-optimist/pr-144/en/posts/2025/on-the-trail-of-the-lost-resource-my-investigation-with-athena-and-cloudtrail/ <img src="https://antoinedelia.github.io/cloud-optimist/pr-144/fr/posts/2025/on-the-trail-of-the-lost-resource-my-investigation-with-athena-and-cloudtrail/aws_lost_resource.jpeg" alt="Featured image of post On The Trail of The Lost Resource - My Investigation With Athena and CloudTrail" /><h1 id="introduction"><a href="#introduction" class="header-anchor"></a>Introduction </h1><p>Recently, I had to play detective in our AWS account.</p> <p>A resource was there (a Cognito User Pool), plain as day, but nobody could remember where it came from. And of course, there were no tags to help us (if only they had read <a class="link" href="https://antoinedelia.github.io/cloud-optimist/pr-144/en/posts/2025/why-tagging-your-aws-resources-is-a-must/" >my post on why tagging your AWS resources is a must</a>).</p> <p>My mission, should I choose to accept it: find out who created it. The problem? The event was about four months old.</p> <p>My first instinct was to turn to AWS CloudTrail. And there, I hit my first wall: <a class="link" href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html#event-history-limitations" target="_blank" rel="noopener" >the event history is only viewable for the last 90 days</a>. Dead end.</p> <p>Luckily, I knew our CloudTrail logs were archived in an S3 bucket. My first thought was to manually download the archives for the right month, unzip dozens of JSON files, and hit <kbd>Ctrl+F</kbd> while praying for a miracle. Let&rsquo;s just say it was neither efficient, pleasant, nor fast.</p> <p>So, I wondered if there wasn&rsquo;t a simpler way to search through this pile of logs, and I finally found the perfect solution: <strong>AWS Athena</strong>.</p> <h1 id="querying-your-s3-logs-with-athena"><a href="#querying-your-s3-logs-with-athena" class="header-anchor"></a>Querying your S3 logs with Athena </h1><p>For those unfamiliar, <a class="link" href="https://docs.aws.amazon.com/athena/latest/ug/what-is.html" target="_blank" rel="noopener" >AWS Athena</a> is an interactive query service that makes it easy to analyze data directly in Amazon S3 using standard SQL. Basically, you can run queries on files (JSON, CSV, etc.) as if they were in a traditional database. No more downloading anything!</p> <p>The idea, then, is to &ldquo;map&rdquo; our CloudTrail logs stored in S3 to a table in Athena. To do this, we use a single <code>CREATE EXTERNAL TABLE</code> query. Following <a class="link" href="https://docs.aws.amazon.com/athena/latest/ug/create-cloudtrail-table-partition-projection.html" target="_blank" rel="noopener" >the AWS documentation on the subject</a>, I ran the following query in the Athena console.</p> <p>This query creates a table and uses a very handy feature called &ldquo;partition projection.&rdquo; This allows Athena to infer the location of the logs based on the date, without having to manually manage partitions. This is very convenient when the structure is standardized, as is the case with AWS CloudTrail.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">CREATE</span><span class="w"> </span><span class="k">EXTERNAL</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">cloudtrail_logs_pp</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventversion</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">useridentity</span><span class="w"> </span><span class="n">STRUCT</span><span class="o">&lt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">arn</span><span class="p">:</span><span class="n">STRING</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="o">&gt;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventtime</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventsource</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventname</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">awsregion</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">requestparameters</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">responseelements</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">additionaleventdata</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">requestid</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventid</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">resources</span><span class="w"> </span><span class="nb">ARRAY</span><span class="o">&lt;</span><span class="n">STRUCT</span><span class="o">&lt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">arn</span><span class="p">:</span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">accountid</span><span class="p">:</span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="n">STRING</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="o">&gt;&gt;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventtype</span><span class="w"> </span><span class="n">STRING</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventcategory</span><span class="w"> </span><span class="n">STRING</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">PARTITIONED</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="o">`</span><span class="k">timestamp</span><span class="o">`</span><span class="w"> </span><span class="n">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ROW</span><span class="w"> </span><span class="n">FORMAT</span><span class="w"> </span><span class="n">SERDE</span><span class="w"> </span><span class="s1">&#39;org.apache.hive.hcatalog.data.JsonSerDe&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">STORED</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">INPUTFORMAT</span><span class="w"> </span><span class="s1">&#39;com.amazon.emr.cloudtrail.CloudTrailInputFormat&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">OUTPUTFORMAT</span><span class="w"> </span><span class="s1">&#39;org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">LOCATION</span><span class="w"> </span><span class="s1">&#39;s3://BUCKET-NAME/AWSLogs/ACCOUNT-ID/CloudTrail/REGION&#39;</span><span class="w"> </span><span class="c1">-- Replace with your S3 bucket path </span></span></span><span class="line"><span class="cl"><span class="n">TBLPROPERTIES</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;projection.enabled&#39;</span><span class="o">=</span><span class="s1">&#39;true&#39;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;projection.timestamp.format&#39;</span><span class="o">=</span><span class="s1">&#39;yyyy/MM/dd&#39;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;projection.timestamp.interval&#39;</span><span class="o">=</span><span class="s1">&#39;1&#39;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;projection.timestamp.interval.unit&#39;</span><span class="o">=</span><span class="s1">&#39;DAYS&#39;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;projection.timestamp.range&#39;</span><span class="o">=</span><span class="s1">&#39;2024/01/01,NOW&#39;</span><span class="p">,</span><span class="w"> </span><span class="c1">-- Replace with your start date </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;projection.timestamp.type&#39;</span><span class="o">=</span><span class="s1">&#39;date&#39;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;storage.location.template&#39;</span><span class="o">=</span><span class="s1">&#39;s3://BUCKET-NAME/AWSLogs/ACCOUNT-ID/CloudTrail/REGION/${timestamp}&#39;</span><span class="w"> </span><span class="c1">-- Replace with your S3 bucket path </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Warning:</strong> Don&rsquo;t forget to replace the <code>s3://...</code> URLs with the exact path to your S3 bucket where your CloudTrail logs are stored, and to adjust the <code>projection.timestamp.range</code> property to the period you&rsquo;re interested in.</p> <h1 id="investigation-time-finding-the-information"><a href="#investigation-time-finding-the-information" class="header-anchor"></a>Investigation Time: Finding the Information </h1><p>Once the table is created (which only takes a few seconds), the hardest part is over! My investigation could finally begin.</p> <p>I was looking for who had created a Cognito <code>UserPoolClient</code> on a specific date. So my SQL query looked like this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventTime</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">eventName</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">userIdentity</span><span class="p">.</span><span class="n">arn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">cloudtrail_logs_pp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;2025/02/25&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">eventName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;CreateUserPoolClient&#39;</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>In just a few seconds, Athena scanned the logs for the requested day and returned the result.</p> <p><img src="https://antoinedelia.github.io/cloud-optimist/pr-144/img/on-the-trail-of-the-lost-resource-my-investigation-with-athena-and-cloudtrail/running_the_athena_query.png" loading="lazy" alt="Athena query to search CloudTrail logs in S3" ></p> <p>I had the exact time, the event, and most importantly, the ARN of the user who performed the action. Mission accomplished!</p> <h1 id="the-verdict-and-the-culprit"><a href="#the-verdict-and-the-culprit" class="header-anchor"></a>The Verdict&hellip; and the Culprit </h1><p>The funniest part of this story?</p> <p>After setting up this solution and finding the information so easily, I discovered that the &ldquo;culprit&rdquo; who had created this resource four months ago&hellip; <strong>was me</strong>. I had completely forgotten!</p> <p>Jokes aside, this experience confirmed one thing for me: taking a few minutes to set up Athena on your CloudTrail logs is an incredibly worthwhile investment. You&rsquo;re giving yourself a long-term auditing and search capability that will save you hours of manual searching the day you really need it. Don&rsquo;t be like me; don&rsquo;t wait until you&rsquo;re stuck to set it up!</p>