Viewing CloudTrail Insights events for trails with the AWS CLI
You can look up CloudTrail Insights events for the last 90 days by running the
aws cloudtrail lookup-events command.
The lookup-events command has the following options:
-
--end-time -
--event-category -
--max-results -
--start-time -
--lookup-attributes -
--next-token -
--generate-cli-skeleton -
--cli-input-json
For general information about using the AWS Command Line Interface, see the AWS Command Line Interface User Guide.
Contents
Prerequisites
-
To run AWS CLI commands, you must install the AWS CLI. For more information, see Installing the AWS Command Line Interface.
-
Make sure your AWS CLI version is greater than 1.6.6. To verify the CLI version, run aws --version on the command line.
-
To set the account, Region, and default output format for an AWS CLI session, use the aws configure command. For more information, see Configuring the AWS Command Line Interface.
-
To log Insights events on API call volume, the trail must log
writemanagement events. To log Insights events on API error rate, the trail must logreadorwritemanagement events.
Note
The CloudTrail AWS CLI commands are case-sensitive.
Getting command line help
To see the command line help for lookup-events, type the following
command.
aws cloudtrail lookup-events help
Looking up Insights events
To see the ten latest Insights events, type the following command.
aws cloudtrail lookup-events --event-category insight
A returned event looks similar to the following example,
{ "NextToken": "kbOt5LlZe++mErCebpy2TgaMgmDvF1kYGFcH64JSjIbZFjsuvrSqg66b5YGssKutDYIyII4lrP4IDbeQdiObkp9YAlju3oXd12juEXAMPLE=", "Events": [ { "eventVersion": "1.07", "eventTime": "2019-10-15T21:13:00Z", "awsRegion": "us-east-1", "eventID": "EXAMPLE-9b6f-45f8-bc6b-9b41c052ebc7", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "EXAMPLE8-02b2-4e93-9aab-08ed47ea5fd3", "insightDetails": { "state": "Start", "eventSource": "autoscaling.amazonaws.com", "eventName": "CompleteLifecycleAction", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 0.0000882145 }, "insight": { "average": 0.6 }, "insightDuration": 5, "baselineDuration": 11336 }, "attributions": [ { "attribute": "userIdentityArn", "insight": [ { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.2 }, { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole2", "average": 0.2 }, { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole3", "average": 0.2 } ], "baseline": [ { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.0000882145 } ] }, { "attribute": "userAgent", "insight": [ { "value": "codedeploy.amazonaws.com", "average": 0.6 } ], "baseline": [ { "value": "codedeploy.amazonaws.com", "average": 0.0000882145 } ] }, { "attribute": "errorCode", "insight": [ { "value": "null", "average": 0.6 } ], "baseline": [ { "value": "null", "average": 0.0000882145 } ] } ] } }, "eventCategory": "Insight" }, { "eventVersion": "1.07", "eventTime": "2019-10-15T21:14:00Z", "awsRegion": "us-east-1", "eventID": "EXAMPLEc-9eac-4af6-8e07-26a5ae8786a5", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "EXAMPLE8-02b2-4e93-9aab-08ed47ea5fd3", "insightDetails": { "state": "End", "eventSource": "autoscaling.amazonaws.com", "eventName": "CompleteLifecycleAction", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 0.0000882145 }, "insight": { "average": 0.6 }, "insightDuration": 5, "baselineDuration": 11336 }, "attributions": [ { "attribute": "userIdentityArn", "insight": [ { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.2 }, { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole2", "average": 0.2 }, { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole3", "average": 0.2 } ], "baseline": [ { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.0000882145 } ] }, { "attribute": "userAgent", "insight": [ { "value": "codedeploy.amazonaws.com", "average": 0.6 } ], "baseline": [ { "value": "codedeploy.amazonaws.com", "average": 0.0000882145 } ] }, { "attribute": "errorCode", "insight": [ { "value": "null", "average": 0.6 } ], "baseline": [ { "value": "null", "average": 0.0000882145 } ] } ] } }, "eventCategory": "Insight" } ] }
For an explanation of the lookup-related fields in the output, see Lookup output fields in this topic. For an explanation of fields in the Insights event, see CloudTrail record contents.
Specifying the number of Insights events to return
To specify the number of events to return, type the following command.
aws cloudtrail lookup-events --event-category insight --max-results<integer>
The default value for <integer>, if it is not
specified, is 10. Possible values are 1 through 50. The following example returns one
result.
aws cloudtrail lookup-events --event-category insight --max-results 1
Looking up Insights events by time range
Insights events from the past 90 days are available for lookup. To specify a time range, type the following command.
aws cloudtrail lookup-events --event-category insight --start-time<timestamp>--end-time<timestamp>
--start-time specifies, in UTC, that
only Insights events that occur after or at the specified time are returned. If the specified
start time is after the specified end time, an error is returned.<timestamp>
--end-time specifies, in UTC, that
only Insights events that occur before or at the specified time are returned. If the specified
end time is before the specified start time, an error is returned.<timestamp>
The default start time is the earliest date that data is available within the last 90 days. The default end time is the time of the event that occurred closest to the current time.
All timestamps are shown in UTC.
Looking up Insights events by attribute
To filter by an attribute, type the following command.
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=<attribute>,AttributeValue=<string>
You can specify only one attribute key-value pair for each
lookup-events command. The following are valid Insights event
values for AttributeKey. Value names are case sensitive.
-
EventId -
EventName -
EventSource
The maximum length for the AttributeValue is 2000 characters. The
following characters ('_', ' ', ',',
'\\n') count as two characters towards the 2000 character limit.
Attribute lookup examples
The following example command returns Insights events in which the value of
EventName is PutRule.
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=EventName, AttributeValue=PutRule
The following example command returns Insights events in which the value of
EventId is
b5cc8c40-12ba-4d08-a8d9-2bceb9a3e002.
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=EventId, AttributeValue=b5cc8c40-12ba-4d08-a8d9-2bceb9a3e002
The following example command returns Insights events in which the value of
EventSource is iam.amazonaws.com.
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=EventSource, AttributeValue=iam.amazonaws.com
Specifying the next page of results
To get the next page of results from a lookup-events command, type the
following command.
aws cloudtrail lookup-events --event-category insight<same parameters as previous command>--next-token=<token>
In this command, the value for <token> is taken from
the first field of the output of the previous command.
When you use --next-token in a command, you must use the same parameters
as in the previous command. For example, suppose you run the following command.
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=EventName, AttributeValue=PutRule
To get the next page of results, your next command would look like the following.
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=EventName,AttributeValue=PutRule --next-token=EXAMPLEZe++mErCebpy2TgaMgmDvF1kYGFcH64JSjIbZFjsuvrSqg66b5YGssKutDYIyII4lrP4IDbeQdiObkp9YAlju3oXd12juEXAMPLE=
Getting JSON input from a file
The AWS CLI for some AWS services has two parameters,
--generate-cli-skeleton and --cli-input-json, that you can
use to generate a JSON template, which you can modify and use as input to the
--cli-input-json parameter. This section describes how to use these
parameters with aws cloudtrail lookup-events. For more information, see
Generate CLI Skeleton and CLI
Input JSON Parameters.
To look up Insights events by getting JSON input from a file
-
Create an input template for use with
lookup-eventsby redirecting the--generate-cli-skeletonoutput to a file, as in the following example.aws cloudtrail lookup-events --event-category insight --generate-cli-skeleton > LookupEvents.txtThe template file generated (in this case, LookupEvents.txt) looks like the following.
{ "LookupAttributes": [ { "AttributeKey": "", "AttributeValue": "" } ], "StartTime": null, "EndTime": null, "MaxResults": 0, "NextToken": "" } -
Use a text editor to modify the JSON as needed. The JSON input must contain only values that are specified.
Important
All empty or null values must be removed from the template before you can use it.
The following example specifies a time range and maximum number of results to return.
{ "StartTime": "2023-11-01", "EndTime": "2023-12-12", "MaxResults": 10 } -
To use the edited file as input, use the syntax
--cli-input-json file://<filename>, as in the following example.aws cloudtrail lookup-events --event-category insight --cli-input-json file://LookupEvents.txt
Note
You can use other arguments on the same command line as
--cli-input-json.
Lookup output fields
- Events
-
A list of lookup events based on the lookup attribute and time range that were specified. The events list is sorted by time, with the latest event listed first. Each entry contains information about the lookup request and includes a string representation of the CloudTrail event that was retrieved.
The following entries describe the fields in each lookup event.
- CloudTrailEvent
-
A JSON string that contains an object representation of the event returned. For information about each of the elements returned, see Record Body Contents.
- EventId
-
A string that contains the GUID of the event returned.
- EventName
-
A string that contains the name of the event returned.
- EventSource
-
The AWS service that the request was made to.
- EventTime
-
The date and time, in UNIX time format, of the event.
- Resources
-
A list of resources referenced by the event that was returned. Each resource entry specifies a resource type and a resource name.
- ResourceName
-
A string that contains the name of the resource referenced by the event.
- ResourceType
-
A string that contains the type of a resource referenced by the event. When the resource type cannot be determined, null is returned.
- Username
-
A string that contains the user name of the account for the event returned.
- NextToken
-
A string to get the next page of results from a previous
lookup-eventscommand. To use the token, the parameters must be the same as those in the original command. If noNextTokenentry appears in the output, there are no more results to return.
For more information about CloudTrail Insights events, see Logging Insights events in this guide.
