AWS CloudTrail Lake

wikipedia:AWS CloudTrail Lake (Jan 2022 ^[1])

• https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html
• Data Lakes: CloudTrail events (management events, data events, network activity events), CloudTrail Insights events, AWS Config configuration items, AWS Audit Manager evidence, or events from outside of AWS.

Commands (ref)

• aws cloudtrail list-event-data-stores
• aws cloudtrail create-event-data-store
• aws cloudtrail list-event-data-stores
• aws cloudtrail update-event-data-store
• aws cloudtrail delete-event-data-store

Example

 select userIdentity.arn as user,
   element_at(requestParameters, 'bucketName') as bucket,
   element_at(requestParameters, 'key') as key,
   count(*) as attempts
from xxxxx-yyyyy-xxxxx-zzzz-xxxxx
where eventSource = 's3.amazonaws.com'
   and eventName = 'GetObject'
   and userIdentity.arn = 'arn:aws:sts::0987654321:assumed-role/your-role/user@domain.com'
group by 1,
   2,
   3
order by attempts desc

Activities

• Enable cross-account queries on AWS CloudTrail lake using delegated administration from AWS Organizations

Related

• AWS Data
• AWS control tower
• AWS security
• AWS best practices
• Apache Optimized Row Columnar (ORC)

See also

• AWS CloudTrail Lake
• AWS CloudTrail, AWS CloudTrail Insights, CloudTrail Events, AWS CloudTrail Lake, AWS CloudTrail Lake Dashboards, Terraform, Best practices, Datadog SIEM Content Packs for Cloudtrail