AWS CloudTrail


Find changes on AWS security groups

https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-event-history-changed/

Find new or deleted security groups

-- Replace example_table_name with the name of your CloudTrail table in Athena.
SELECT *
FROM example_table_name
WHERE
    (eventname = 'CreateSecurityGroup' OR eventname = 'DeleteSecurityGroup')
  AND eventtime > '2019-02-15T00:00:00Z'
ORDER BY eventtime ASC;

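Find changes on all security groups

-- Replace example_table_name with the name of your CloudTrail table in Athena.
-- The pattern also matches read-only calls such as DescribeSecurityGroups
-- when the trail records read events.
SELECT *
FROM example_table_name
WHERE
    (eventname LIKE '%SecurityGroup%')
  AND eventtime > '2019-02-15T00:00:00Z'
ORDER BY eventtime ASC;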

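Find changes on a specific security group

-- Replace example_table_name with the name of your CloudTrail table in Athena
-- and sg-123456789 with the ID of the security group you are investigating.
SELECT *
FROM example_table_name
WHERE
    (eventname LIKE '%SecurityGroup%' AND requestparameters LIKE '%sg-123456789%')
  AND eventtime > '2019-02-15T00:00:00Z'
ORDER BY eventtime ASC;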
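
The queries above return every column. The query below is an added example, not taken from this page or the linked AWS article: it narrows the result to who made each change, from where, and whether the call succeeded. It assumes the table was created with the standard CloudTrail table definition for Athena, so that eventsource, readonly, errorcode, sourceipaddress, responseelements and the useridentity struct exist; example_table_name is a placeholder.

```sql
-- Added example: triage view of security group changes.
-- Assumes the standard CloudTrail table definition for Athena;
-- example_table_name is a placeholder for your own table.
SELECT
    eventtime,
    eventname,
    awsregion,
    useridentity.arn AS actor_arn,        -- principal that made the call
    sourceipaddress,                      -- caller IP or AWS service name
    -- Most calls carry the group ID in the request; CreateSecurityGroup
    -- returns the new ID in the response instead.
    coalesce(
        regexp_extract(requestparameters, 'sg-[0-9a-f]+'),
        regexp_extract(responseelements, 'sg-[0-9a-f]+')
    ) AS security_group_id,
    errorcode,                            -- NULL when the call succeeded
    requestparameters
FROM example_table_name
WHERE eventsource = 'ec2.amazonaws.com'
  AND eventname LIKE '%SecurityGroup%'
  AND readonly = 'false'                  -- drop Describe* and other read-only calls
  AND eventtime > '2019-02-15T00:00:00Z'
ORDER BY eventtime ASC;
```

Rows with a non-NULL errorcode are attempts that were denied or failed, which is often worth reviewing separately from the changes that took effect.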