AWS CloudTrail logs all the API calls made to the AWS account. You do not require any tool to view the last 90 days of events. But if you want to view the logs older than three months you have to setup a S3 bucket to store it and then you can analyse the logs. This post aims to show you how you can use AWS Athena to view AWS logs stored in S3 bucket.
You can view the last 90 days of events. Choose an event to view more information about it. To view a complete log of your CloudTrail events, create a trail and then go to your Amazon S3 bucket or CloudWatch Logs.
Create a CloudTrail and store the logs in a S3 bucket
To create a trail, search for CloudTrail and then click on “create trail”. You can use a already created s3 bucket to store the logs or you can opt to create a new bucket while creating the trail.
Create a table for Athena
Once you finish creating the trail and assign a S3 bucket to it, you need to create a table in Athena. Click on “event history” in the CloudTrail dashboard and then click on “Run advanced queries in Amazon Athena”.
Next, select the bucket that you created for storing your logs and then click on “Create Table”.
Run the queries in Athena
Open the Athena dashboard and select the table. Next run the query. For instance to run the query for the event named ‘GetAccountPublicAccessBlock’.
select eventTime, eventName from cloudtrail_logs_your_bucket_name where eventName like ‘GetAccountPublicAccessBlock’
select eventTime, eventName from cloudtrail_logs_your_bucket_name where eventName like ‘DeleteActivity’
select eventTime, eventName from cloudtrail_logs_your_bucket_name where eventType like ‘AwsApiCall’
Note: replace the “your_bucket_name” by your own bucket name.
Alternative solutions to query logs in S3 buckets
AWS ElasticWolf Client Console-https://aws.amazon.com/tools/aws-elasticwolf-client-console/
S3browser- http://s3browser.com/
