The Lost Notebook

A quick command to list the IPs from AWS CloudTrail events.

#!/bin/bash
ACCESS_KEY_ID=AKIASMOETHINGHERE
MAX_ITEMS=100
aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS_KEY_ID} --max-items ${MAX_ITEMS} \
  | jq -r '.Events[].CloudTrailEvent' \
  | jq '.sourceIPAddress' \
  | sort | uniq

This of course can be extended to include more information, for example:

#!/bin/bash
ACCESS_KEY_ID=AKIASMOETHINGHERE
MAX_ITEMS=100
aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS_KEY_ID} --max-items ${MAX_ITEMS} \
  | jq -r '.Events[].CloudTrailEvent' \
  | jq '{ User: .userIdentity.userName, IP: .sourceIPAddress, Event: .eventName }'

Similar Posts:

• How can I copy S3 objects from another AWS account?
• VaultPress SSH/SFTP access for WordPress site behind AWS load balancer
• Change Nickname in Mattermost
• ChatOps with Mattermost and AWS Lambda
• Quick WHM/cPanel All email passwords reset