AWS Cloud Trail 日志解析

Question

我想从 Cloud Trail 日志中解析嵌套的 JSON 以获取用户名数据和时间我该怎么做有没有可以在 Lambda 中使用的代码或者有一些工具，例如 JSON 文件看起来像这样

{"version":"0","id":"5bd0a964-0969-4b1a-badd-3b4f7e9e077f","detail-type":"AWS API Call via CloudTrail","source":"aws.ec2","account":"111111111","time":"2017-04-25T16:07:33Z","region":"us-west-2","resources":[],"detail":{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"1111111","arn":"arn:aws:iam::137247507067:root","accountId":"111111111","accessKeyId":"AAAAAAAA","userName":"roger","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2017-04-25T05:44:56Z"}}},"eventTime":"2017-04-25T16:07:33Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","awsRegion":"us-west-2","sourceIPAddress":"X.X.X.X","userAgent":"console.ec2.amazonaws.com","requestParameters":{"imageId":"ami-36e85556","launchPermission":{"add":{"items":[{"userId":"879125893843"}]}},"attributeType":"launchPermission"},"responseElements":{"_return":true},"requestID":"06ae4745-2d29-4a3b-b526-c5d8c4b4a7fc","eventID":"fc57b805-ae30-4ec7-bf4f-7a9c971ae0c7","eventType":"AwsApiCall"}}

Answer 1

您可以使用 AWS Athena。

它基本上将 cloudtrail 日志加载到一个表中，因此我们可以轻松查询所有内容。

分析cloudtrail日志有更多选择。例如，如果你想知道是谁启动了ec2实例，那么这样查询，

SELECT date_format(from_iso8601_timestamp(eventTime), '%Y-%m-%d') AS EventDate,useridentity.arn UserARN,
       awsregion AS Region,
       json_extract_scalar(item,'$.instanceId') AS InstanceId
FROM cloudtrail_logs
CROSS JOIN UNNEST (cast(json_extract(responseElements,'$.instancesSet.items') AS array(json))) AS i (item)
WHERE eventsource='ec2.amazonaws.com'
  AND eventname = 'RunInstances'
  AND eventtime >= '2017-04-25T02:00:00.000'
 order by eventtime desc limit 2;

结果是，

https://aws.amazon.com/blogs/big-data/aws-cloudtrail-and-amazon-athena-dive-deep-to-analyze-security-compliance-and-operational-activity/