DEV Community

Abdallah Deeb
Abdallah Deeb

Posted on • Originally published at deeb.me on

2

List IPs from CloudTrail events

#cloudtrail #cli #aws #bash

A quick command to list the IPs from AWS CloudTrail events.

#!/bin/bash ACCESS\_KEY\_ID=AKIASMOETHINGHERE MAX\_ITEMS=100 aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS\_KEY\_ID} --max-items ${MAX\_ITEMS} \ | jq -r '.Events[].CloudTrailEvent' \ | jq '.sourceIPAddress' \ | sort | uniq

This of course can be extended to include more information, for example:

#!/bin/bash ACCESS\_KEY\_ID=AKIASMOETHINGHERE MAX\_ITEMS=100 aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=${ACCESS\_KEY\_ID} --max-items ${MAX\_ITEMS} \ | jq -r '.Events[].CloudTrailEvent' \ | jq '{ User: .userIdentity.userName, IP: .sourceIPAddress, Event: .eventName }'
profile
AWS
 Promoted

AWS Q Developer image

Top comments (0)

profile
Timescale
Promoted

Image of Timescale

Timescale – the developer's data platform for modern apps, built on PostgreSQL

Timescale Cloud is PostgreSQL optimized for speed, scale, and performance. Over 3 million IoT, AI, crypto, and dev tool apps are powered by Timescale. Try it free today! No credit card required.

Try free

Read next

ajayi profile image

Creating a S3 Bucket on AWS and Presigned URLs

Adedapo -

vijaykodam profile image

Do you know that EKS Auto Mode enforces a 21-day maximum node lifetime?

Vijay Kodam -

theerej_c profile image

💻 Mastering Linux Shell Scripting: The Ultimate Guide for Automation Ninjas 🚀

Theerej C -

oluwaseun_musa profile image

Building Cloud Security Efforts with AWS CAF and Well-Architected Framework

Seun -