aws-athena查询语句总结

完全归于本人mysql语句小白,是一点也写不出来,故汇总到此

1. cloudtrail
bash 复制代码
## 查询事件排序
SELECT  eventname,eventtime,count(eventname) as num  FROM your_athena_tablename
where eventtime between '2024-11-10' and '2024-11-11' group by eventname,eventtime order by num desc


## 查询具体事件名对应的详细信息
SELECT  *  FROM your_athena_tablename where eventname = 'GetCallerIdentity' and  eventtime between '2024-11-10' and '2024-11-11' limit 50

## 确定 CloudTrail 事件数量导致的成本增长情况
SELECT eventName,count(eventName) AS NumberOfChanges,eventSource
FROM your_athena_tablename
WHERE eventtime >= '2024-11-10T00:00:00Z'and eventtime < '2024-11-11T00:00:00Z'
GROUP BY eventName, eventSource
ORDER BY NumberOfChanges DESC

## 显示特定访问密钥的所有记录的 AWS API 活动
SELECT eventTime, eventName, userIdentity.principalId
FROM your_athena_tablename
WHERE userIdentity.accessKeyId like 'access_key_id'

## 确定您的 EC2 实例的所有安全组更改
SELECT eventname, useridentity.username, sourceIPAddress, eventtime, requestparameters
FROM your_athena_tablename
WHERE (requestparameters like '%sg-5887f224%' or requestparameters like '%sg-e214609e%' or requestparameters like '%eni-6c5ca5a8%')
and eventtime > '2017-02-15T00:00:00Z'
order by eventtime asc;

## 显示过去 24 小时内的所有控制台登录信息
SELECT useridentity.username, sourceipaddress, eventtime, additionaleventdata
FROM your_athena_tablename
WHERE eventname = 'ConsoleLogin'
and eventtime >= '2017-02-17T00:00:00Z'
and eventtime < '2017-02-18T00:00:00Z';

## 显示过去 24 小时内所有失败的控制台登录尝试
SELECT useridentity.username, sourceipaddress, eventtime, additionaleventdata
FROM your_athena_tablename
WHERE eventname = 'ConsoleLogin'
and useridentity.username = 'HIDDEN_DUE_TO_SECURITY_REASONS'
and eventtime >= '2017-02-17T00:00:00Z'
and eventtime < '2017-02-18T00:00:00Z';

## 确定缺少的 IAM 权限
SELECT count (*) as TotalEvents, useridentity.arn, eventsource, eventname, errorCode, errorMessage
FROM your_athena_tablename
WHERE (errorcode like '%Denied%' or errorcode like '%Unauthorized%')
AND eventtime >= '2019-10-28T00:00:00Z'
AND eventtime < '2019-10-29T00:00:00Z'
GROUP by eventsource, eventname, errorCode, errorMessage, useridentity.arn
ORDER by eventsource, eventname

## 如果结果未显示失败的 API 调用,则通过类似于下面这样的方法扩大查询范围:
SELECT count (*) as TotalEvents, useridentity.arn, eventsource, eventname, errorCode, errorMessage
FROM your_athena_tablename
WHERE errorcode <> ''
AND eventtime >= '2019-10-28T00:00:00Z'
AND eventtime < '2019-10-29T00:00:00Z'
GROUP by eventsource, eventname, errorCode, errorMessage, useridentity.arn
ORDER by eventsource, eventname
相关推荐
缘的猿10 小时前
云计算划分标准与Kubernetes NetworkPolicy深度解析
容器·kubernetes·云计算
互联网志10 小时前
云计算综合标准化体系建设提供系统性指引
云计算
王道长服务器 | 亚马逊云11 小时前
AWS Shield 与海外高防服务器的对比分析
服务器·云计算·aws
weixin_3077791311 小时前
AWS云上ClickHouse数据仓库部署方案详解
开发语言·clickhouse·自动化·云计算·aws
Amy_au11 小时前
AWS Lambda 学习笔
学习·云计算·aws
潇凝子潇11 小时前
AWS CLI自动删除资源脚本
chrome·云计算·aws
weixin_3077791311 小时前
使用AWS IAM和Python自动化权限策略分析与导出
开发语言·python·自动化·云计算·aws
FreeBuf_11 小时前
红队APT组织利用泄露的IAM密钥劫持AWS账户实施数据窃取
云计算·aws
wanhengidc1 天前
云手机能够做些什么?
运维·服务器·人工智能·智能手机·云计算
捷智算云服务1 天前
混合云新篇章:H100裸金属租赁与云计算的协同效应
云计算