AWS CloudTrail Log Search Using Amazon Athena

Posted on: Mar 15, 2018

AWS CloudTrail makes it easier to search CloudTrail log files using the power of Amazon Athena. Previously, you had to manually create a CloudTrail table using the Athena console or AWS CLI and ensure you had the proper configuration and data definitions to match the CloudTrail log format. Now, from within the CloudTrail console event history page, you simply enter the Amazon S3 bucket where your CloudTrail logs are stored, and CloudTrail will automatically create the Athena table for you. Once the table is created, you’ll be able to jump directly to the Athena console query editor and immediately begin running queries.

This lets you use standard SQL to search for specific sets of activities recorded by AWS CloudTrail. For example, you can identify console logins from outside the corporate network that did not use multi-factor authentication, or query for API failures against a given resource during a specific timeframe. There is no cost to set up the integration and create the CloudTrail table within Athena. Running Athena queries in the Athena query editor or with the AWS CLI incurs standard Athena charges, which are billed by the amount of data each query scans. Please visit the Amazon Athena pricing page for more information.
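The two searches mentioned above, written as Athena queries. This is an added example, not part of the original announcement or of any AWS-supplied query. It assumes the table created by the CloudTrail console is named `cloudtrail_logs` and uses the documented CloudTrail column names (`eventsource`, `eventname`, `sourceipaddress`, `errorcode`, `useridentity`, `additionaleventdata`, `responseelements`, `requestparameters`). The corporate address range `203.0.113.0/24`, the bucket name `example-corp-audit-logs` and the date window are constructed placeholders; substitute your own.

```sql
-- Query 1: successful console sign-ins from outside the corporate network that did not use MFA.
-- ConsoleLogin events carry the MFA flag in additionaleventdata ("MFAUsed": "Yes"/"No")
-- and the outcome in responseelements ("ConsoleLogin": "Success"/"Failure"), both stored
-- as JSON strings, so they are read with json_extract_scalar rather than as columns.
-- 203.0.113.0/24 (TEST-NET-3) stands in for the corporate egress range; adjust the LIKE
-- pattern to your own prefixes. eventtime is an ISO-8601 UTC string, so lexical BETWEEN
-- comparison on it is correct.
SELECT
  eventtime,
  useridentity.type                                       AS identity_type,
  useridentity.arn                                        AS principal,
  sourceipaddress,
  useragent,
  json_extract_scalar(additionaleventdata, '$.MFAUsed')   AS mfa_used
FROM cloudtrail_logs
WHERE eventsource = 'signin.amazonaws.com'
  AND eventname   = 'ConsoleLogin'
  AND json_extract_scalar(responseelements, '$.ConsoleLogin') = 'Success'
  AND json_extract_scalar(additionaleventdata, '$.MFAUsed')   = 'No'
  AND sourceipaddress NOT LIKE '203.0.113.%'
  AND eventtime BETWEEN '2018-03-01T00:00:00Z' AND '2018-03-15T23:59:59Z'
ORDER BY eventtime DESC;

-- Query 2: API calls against one S3 bucket that failed during a single day.
-- CloudTrail sets errorcode (for example AccessDenied or NoSuchBucket) only when the
-- call failed, so errorcode IS NOT NULL selects failures. The bucket is matched through
-- the bucketName field of requestparameters, which S3 data-plane and control-plane
-- events both populate. Note that a failed console sign-in is NOT reported this way;
-- it has no errorcode and must be found via responseelements as in Query 1.
SELECT
  eventtime,
  eventname,
  errorcode,
  errormessage,
  useridentity.arn                                        AS principal,
  sourceipaddress
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND errorcode IS NOT NULL
  AND json_extract_scalar(requestparameters, '$.bucketName') = 'example-corp-audit-logs'
  AND eventtime BETWEEN '2018-03-14T00:00:00Z' AND '2018-03-14T23:59:59Z'
ORDER BY eventtime;

-- Query 2b: the same failures rolled up per caller and error, which is usually the
-- first view an incident responder wants before reading individual events.
SELECT
  useridentity.arn                                        AS principal,
  sourceipaddress,
  errorcode,
  COUNT(*)                                                AS failures,
  MIN(eventtime)                                          AS first_seen,
  MAX(eventtime)                                          AS last_seen
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND errorcode IS NOT NULL
  AND json_extract_scalar(requestparameters, '$.bucketName') = 'example-corp-audit-logs'
  AND eventtime BETWEEN '2018-03-14T00:00:00Z' AND '2018-03-14T23:59:59Z'
GROUP BY useridentity.arn, sourceipaddress, errorcode
ORDER BY failures DESC;
```

Two practical caveats. First, the table the console creates is not partitioned, so the `eventtime` filter narrows the result set but not the bytes scanned: every query reads all log objects under the table's S3 location, and Athena bills for that. If your trail is large, create a partitioned table (for example by year/month/day or by region) for routine hunting and keep the console-created table for ad hoc use. Second, `sourceipaddress` for calls made by AWS services on your behalf is a service name such as `cloudformation.amazonaws.com` rather than an IP, so a simple prefix exclusion keeps those rows; add `AND sourceipaddress NOT LIKE '%.amazonaws.com'` if you only want human-originated traffic.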

The integration within the AWS CloudTrail console is available in all AWS public regions, as well as the AWS GovCloud (US) Region, the China (Beijing) Region, and the China (Ningxia) Region. Please visit the AWS Region Table page to see the Athena supported regions in which you can create the CloudTrail table and run corresponding queries.

For more information on AWS CloudTrail: