DEV Community

Abdallah Deeb
Abdallah Deeb

Posted on • Originally published at deeb.me on

List IPs from CloudTrail events

#cloudtrail #cli #aws #bash

A quick command to list the IPs from AWS CloudTrail events.

#!/bin/bash ACCESS\_KEY\_ID=AKIASMOETHINGHERE MAX\_ITEMS=100 aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS\_KEY\_ID} --max-items ${MAX\_ITEMS} \ | jq -r '.Events[].CloudTrailEvent' \ | jq '.sourceIPAddress' \ | sort | uniq

This of course can be extended to include more information, for example:

#!/bin/bash ACCESS\_KEY\_ID=AKIASMOETHINGHERE MAX\_ITEMS=100 aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS\_KEY\_ID} --max-items ${MAX\_ITEMS} \ | jq -r '.Events[].CloudTrailEvent' \ | jq '{ User: .userIdentity.userName, IP: .sourceIPAddress, Event: .eventName }'

Top comments (0)

Read next

psantus profile image

How to run PHP on AWS ServerLess architecture ? Part 2 - introducing Bref runtime

Paul SANTUS -

mursalfk profile image

LLMs - Behind the Scenes

Mursal Furqan Kumbhar -

aws-cloudsec profile image

Issue 60 of AWS Cloud Security Weekly

AJ -

karthiksakthiveltechie profile image

AmazonECS now supports AWS Graviton-based Spot compute with AWS Fargate Spot

Karthik Sakthivel -