A quick command to list the source IPs recorded in AWS CloudTrail events for a given access key.
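#!/bin/bash
# Access key to look up (placeholder) and the maximum number of events to fetch.
ACCESS_KEY_ID=AKIASMOETHINGHERE
MAX_ITEMS=100
# CloudTrailEvent is a JSON document stored as a string: the first jq pass
# unpacks it (-r), the second extracts the source address without quotes.
aws cloudtrail lookup-events --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=${ACCESS_KEY_ID}" --max-items "${MAX_ITEMS}" \
| jq -r '.Events[].CloudTrailEvent' \
| jq -r '.sourceIPAddress' \
| sort -u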
This can of course be extended to include more information, for example:
#!/bin/bash
# Access key to look up (placeholder) and the maximum number of events to fetch.
ACCESS_KEY_ID=AKIASMOETHINGHERE
MAX_ITEMS=100
# Emit one object per event; User is null when the identity is not an IAM user.
aws cloudtrail lookup-events --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=${ACCESS_KEY_ID}" --max-items "${MAX_ITEMS}" \
| jq -r '.Events[].CloudTrailEvent' \
| jq '{ User: .userIdentity.userName, IP: .sourceIPAddress, Event: .eventName }'
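
When triaging a key, a per-source summary (event count, first and last seen, event names) is usually more useful than a flat list. The following is an added example, not part of the original post: it is written in Python so it runs without jq, and the names `summarize`, `SAMPLE` and `_wrap` as well as the sample events (documentation IP ranges) are constructed for illustration.

```python
import ipaddress
import json
import sys


def summarize(lookup_output):
    """Group `aws cloudtrail lookup-events` JSON output by sourceIPAddress."""
    summary = {}
    for item in lookup_output.get("Events", []):
        event = json.loads(item["CloudTrailEvent"])  # nested JSON string
        source = event.get("sourceIPAddress", "unknown")
        try:
            ipaddress.ip_address(source)
            kind = "ip"
        except ValueError:
            # Calls made by an AWS service carry its DNS name, not a client IP.
            kind = "non-ip"
        entry = summary.setdefault(source, {
            "kind": kind, "count": 0, "first": None, "last": None,
            "events": set(), "users": set()})
        entry["count"] += 1
        when = event["eventTime"]  # ISO 8601 UTC, so string order is time order
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
        entry["events"].add(event["eventName"])
        # userName is absent for some identity types; show "-" instead of None.
        entry["users"].add(event.get("userIdentity", {}).get("userName") or "-")
    return summary


def _wrap(time, ip, name, user="alice"):
    """Build one constructed event in the shape lookup-events returns."""
    return {"CloudTrailEvent": json.dumps({
        "eventTime": time, "sourceIPAddress": ip, "eventName": name,
        "userIdentity": {"userName": user}})}


# Constructed sample data, not real CloudTrail output.
SAMPLE = {"Events": [
    _wrap("2024-01-02T10:00:00Z", "198.51.100.7", "ListBuckets"),
    _wrap("2024-01-02T09:00:00Z", "198.51.100.7", "GetCallerIdentity"),
    _wrap("2024-01-03T11:30:00Z", "203.0.113.50", "CreateAccessKey"),
    _wrap("2024-01-03T12:00:00Z", "cloudformation.amazonaws.com", "DescribeInstances"),
]}

if __name__ == "__main__":
    # Pass "-" to read real lookup-events output from stdin; default is SAMPLE.
    data = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE
    for source, s in sorted(summarize(data).items(), key=lambda kv: kv[1]["first"]):
        print(source, s["kind"], s["count"], s["first"], s["last"],
              ",".join(sorted(s["events"])), ",".join(sorted(s["users"])))
```

To use it on live data, pipe the unfiltered `aws cloudtrail lookup-events` output into the script with `-` as its argument. Sources flagged `non-ip` are AWS services acting on the key's behalf rather than client addresses.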