Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
# Seguimiento de los cambios en sus cuentas de AMS Accelerate
**importante**
El servicio Change Record dejará de estar disponible a partir del 1 de julio de 2025.
No se pueden incorporar cuentas nuevas al servicio Change Record.
Para consultar CloudTrail los datos de sus cuentas de AMS Accelerate, puede utilizar estos servicios:
En AWS CloudTrail, elija **Historial de eventos** y filtre los eventos mediante los atributos de búsqueda. Puede usar el filtro de rango de tiempo y elegir filtrar el historial de eventos por fuente de eventos según lo `s3.amazon.aws.com` especificado, o filtrar el historial de eventos por nombre de usuario. Para obtener más información, consulta Cómo [trabajar con el historial de CloudTrail eventos](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
Use AWS CloudTrail Lake para recopilar datos a través de consultas. En, AWS CloudTrail elija **Lake** y, a continuación, elija **Query**. Puede crear sus propias consultas, utilizar el generador de consultas o utilizar consultas de ejemplo para recopilar datos basados en eventos. Por ejemplo, puedes preguntar quién eliminó una EC2 instancia de Amazon la semana pasada. Para obtener más información, consulta [Cómo crear un lago de datos a partir de una AWS CloudTrail fuente](https://docs.aws.amazon.com/lake-formation/latest/dg/getting-started-cloudtrail-tutorial.html) y [CloudTrailLake consultas](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-queries.html).
Crea una tabla de Amazon Athena AWS CloudTrail y establece la ubicación de almacenamiento como el depósito de Amazon S3 asociado a tu ruta. Comprueba que la región de origen de tu ruta y la del bucket de Amazon S3 sean las mismas. En Amazon Athena, utilice el editor de consultas para ejecutar las [consultas predeterminadas](#acc-cr-canned-queries) que Accelerate proporciona para su uso con la consola de Athena. Para obtener más información sobre cómo crear una tabla de Athena para consultar los CloudTrail registros, consulte Registros de [consultas AWS CloudTrail](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html).
**Topics**
+ [Ver tus registros de cambios](#acc-cr-using)
+ [Consultas predeterminadas](#acc-cr-canned-queries)
+ [Cambiar los permisos de registro](#acc-cr-permissions)
AWS Managed Services le ayuda a realizar un seguimiento de los cambios realizados por el equipo de AMS Accelerate Operations y la automatización de AMS Accelerate al proporcionar una interfaz consultable mediante la consola [Amazon Athena](https://docs.aws.amazon.com/athena/) (Athena) y la administración de registros de AMS Accelerate.
Athena es un servicio de consultas interactivo que puede utilizar para analizar datos en Amazon S3 mediante el lenguaje de consulta estructurado (SQL) estándar (consulte [Referencia de SQL para Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/ddl-sql-reference.html)). Athena no requiere un servidor, por lo que no hay una infraestructura para administrar y solo pagará por las consultas que ejecute. AMS Accelerate crea tablas de Athena con particiones diarias sobre CloudTrail registros y proporciona consultas en su AWS región principal y dentro del **ams-change-record**grupo de trabajo. Puede elegir cualquiera de las consultas predeterminadas y ejecutarlas según sea necesario. Para obtener más información sobre los grupos de trabajo de Athena, consulte [Cómo](https://docs.aws.amazon.com/athena/latest/ug/user-created-workgroups.html) funcionan los grupos de trabajo.
**nota**
Solo Accelerate puede consultar CloudTrail los eventos de su cuenta de Accelerate mediante Athena cuando Accelerate [está integrado en el registro de su CloudTrail organización](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-onb-trail-choices.html), a menos que el administrador de su organización haya implementado un rol de IAM para usar Athena para consultar y analizar CloudTrail los eventos de su cuenta durante la incorporación.
Con el registro de cambios, puede responder fácilmente a preguntas como las siguientes:
+ ¿Quién (AMS Accelerate Systems o AMS Accelerate Operators) ha accedido a su cuenta
+ ¿Qué cambios ha realizado AMS Accelerate en su cuenta
+ ¿Cuándo realizó AMS Accelerate cambios en su cuenta
+ ¿Dónde ir para ver los cambios realizados en su cuenta
+ ¿Por qué AMS Accelerate necesitaba realizar los cambios en su cuenta
+ ¿Cómo modificar las consultas para obtener respuestas a todas esas preguntas también en el caso de cambios que no sean de AMS
## Ver tus registros de cambios
Para usar las consultas de Athena, inicia sesión en la consola de AWS administración y navega hasta la consola de Athena en tu región principal. AWS
**nota**
Si ve la página **Primeros pasos de Amazon Athena mientras realiza alguno de los pasos, haga clic en **Comenzar****. Es posible que esto le aparezca incluso si su infraestructura de registro de cambios ya está instalada.
1. Seleccione **Grupo de trabajo** en el panel de navegación superior de la consola de Athena.
1. **Elija el **ams-change-record**grupo de trabajo y, a continuación, haga clic en Cambiar grupo de trabajo.**
1. Elija una opción **ams-change-record-database**del **cuadro combinado de base de datos**. **ams-change-record-database**Incluye la **ams-change-record-table**tabla.
1. Seleccione **Consultas guardadas** en el panel de navegación superior.
1. La ventana **Consultas guardadas** muestra una lista de consultas que proporciona AMS Accelerate y que puede ejecutar. Elija la consulta que desee ejecutar en la lista de **consultas guardadas**. Por ejemplo, la consulta **ams\_session\_accesses\_v1**.
Para ver la lista completa de consultas predefinidas de AMS Accelerate, consulte. [Consultas predeterminadas](#acc-cr-canned-queries)
1. Ajuste el filtro de **fecha y hora** en el cuadro del editor de consultas según sea necesario; de forma predeterminada, la consulta solo comprueba los cambios del último día.
1. Elija **Ejecutar consulta**.
## Consultas predeterminadas
AMS Accelerate proporciona varias consultas predeterminadas que puede utilizar en la consola de Athena. Las consultas predeterminadas se muestran en las siguientes tablas.
**nota**
Todas las consultas aceptan el **intervalo de fecha y hora** como filtro opcional; de forma predeterminada, todas las consultas se ejecutan durante las últimas 24 horas. Para conocer los datos esperados, consulte la siguiente subsección,. [Modificación del filtro de fecha y hora en las consultas](#acc-cr-canned-queries-mod-timestamp)
Las entradas de parámetros que puede o necesita cambiar se muestran en la consulta como ocurre {{}} con las llaves angulares. Sustituya el marcador de posición **y** las llaves angulares por el valor del parámetro.
Todos los filtros son opcionales. En las consultas, algunos filtros opcionales se comentan con un doble guión (--) al principio de la línea. Todas las consultas se ejecutarán sin ellos, con los parámetros predeterminados. Si desea especificar los valores de los parámetros para estos filtros opcionales, elimine el doble guión (--) situado al principio de la línea y sustituya el parámetro como desee.
Todas las consultas retornan `IAM PincipalId` y `IAM SessionId` aparecen en los resultados
El coste calculado de ejecutar una consulta depende del número de CloudTrail registros que se generen para la cuenta. Para calcular el costo, utilice la calculadora de [precios de AWS Athena](https://aws.amazon.com/athena/pricing/).
**Consultas predefinidas**
[See the AWS documentation website for more details](http://docs.aws.amazon.com/es_es/managedservices/latest/accelerate-guide/acc-change-record.html)
### Modificación del filtro de fecha y hora en las consultas
Todas las consultas aceptan el rango **de fecha y hora** como filtro opcional. De forma predeterminada, todas las consultas se ejecutan durante el último día.
El formato utilizado para el campo de **fecha y hora** es yyyy/MM/dd (por ejemplo: 01/01/2021). Recuerde que solo almacena la fecha y no la marca de tiempo completa. **Para toda la marca de tiempo, utilice el campo **eventime, que almacena la marca de tiempo** en el formato ISO 8601 yyyy-MM-dd **T HH:mm:ss Z (por ejemplo: 2021-01-01T 23:59:59** Z).** Sin embargo, dado que la tabla está [dividida](https://docs.aws.amazon.com/athena/latest/ug/partitions.html) en el campo de fecha y hora, tendrás que pasar los filtros de fecha y hora a la consulta. Vea los siguientes ejemplos de .
**nota**
Para ver todas las formas aceptadas de modificar el rango, consulte la [documentación más reciente de la función Presto](https://docs.aws.amazon.com/athena/latest/ug/presto-functions.html), basada en la versión del motor Athena que se utiliza actualmente para **las funciones y operadores de fecha y hora**, para ver todas las formas aceptadas de modificar el rango.
**Nivel de fecha: último día o últimas 24 horas (predeterminado)** Ejemplo: si CURRENT\_DATE='2021/01/01', el filtro restará un día de la fecha actual y le dará el formato de datetime > '2020/12/31'
```
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
```
**Nivel de fecha: ejemplo de los últimos 2** meses:
```
datetime > date_format(date_add('month', - 2, CURRENT_DATE), '%Y/%m/%d')
```
**Nivel de fecha: ejemplo entre 2 fechas**:
```
datetime > '2021/01/01'
AND
datetime < '2021/01/10'
```
**Nivel de marca horaria: ejemplo de las últimas 12 horas**:
Particione los datos escaneados para que duren 1 día y, a continuación, filtre todos los eventos de las últimas 12 horas
```
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND
eventtime > date_format(date_add('hour', - 12, CURRENT_TIMESTAMP), '%Y-%m-%dT%H:%i:%sZ')
```
**Nivel de marca de tiempo: ejemplo de entre 2 marcas de tiempo**:
Obtenga eventos entre el 1 de enero de 2021 a las 12:00 p. m. y el 10 de enero de 2021 a las 3:00 p. m.
```
datetime > '2021/01/01' AND datetime < '2021/01/10'
AND
eventtime > '2021-01-01T12:00:00Z' AND eventtime < '2021-01-10T15:00:00Z'
```
### Ejemplos de consultas por defecto
#### `ams_access_session_query_v1`
```
Name: ams_access_session_query_v1
Description: >-
The query provides more information on specific AMS access session.
The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
By default; the query filter last day events only, the user can change the datetime filter to search for more wide time range.
By default; the IAM PrincipalId filter is disabled. To enable it, remove "-- " from that line.
AthenaQueryString: |-
/*
The query provides list of AMS access sessions during specific time range.
The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
By default; the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
If you want to only show access sessions for a particular IAM principal ID, remove the double-dash (--) from
the "IAM Principal ID" filter line in the WHERE clause of the query, and replace the placeholder "" with the specific ID that you want.
You can run the query without the filter to determine the exact IAM PrincipalId you want to filter with.
By default; the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
remove the "useragent" filter in the WHERE clause of the query.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
json_extract_scalar(responseelements, '$.credentials.accessKeyId') AS "IAM SessionId",
eventtime AS "EventTime",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
json_extract_scalar(requestparameters, '$.tags[0].value') AS "BusinessNeed",
json_extract_scalar(requestparameters, '$.tags[1].value') AS "BusinessNeedType",
json_extract_scalar(requestparameters, '$.tags[2].value') AS "Requester",
json_extract_scalar(requestparameters, '$.tags[3].value') AS "AccessRequestType"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND eventname = 'AssumeRole'
AND useragent = 'access.managedservices.amazonaws.com'
-- AND json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') = ''
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of AMS access sessions during specific time range.
# The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
#
# By default; the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
# If you want to only show access sessions for a particular IAM principal ID, remove the # (#) from
# the "IAM Principal ID" filter of the query, and replace the placeholder "" with the specific ID that you want.
# You can run the query without the filter to determine the exact IAM PrincipalId you want to filter with.
#
# By default; the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
# remove the "useragent" filter from the query.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter eventName="AssumeRole" AND userAgent="access.managedservices.amazonaws.com"
# | filter responseElements.assumedRoleUser.assumedRoleId= ""
| sort eventTime desc
| fields
responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
responseElements.credentials.accessKeyId as IAMSessionId,
eventTime as EventTime,
eventName as EventName,
awsRegion as EventRegion,
eventID as EventId,
requestParameters.tags.0.value as BusinessNeed,
requestParameters.tags.1.value as BusinessNeedType,
requestParameters.tags.2.value as Requester,
requestParameters.tags.3.value as AccessRequestType
```
#### `ams_events_query_v1`
```
ams_events_query_v1.yaml
/*
The query provides list of events to track write actions for all AMS changes.
The query returns all write actions done on the account using that AMS role filter.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
You can also track mutating actions done by non-AMS roles by removing the "useridentity.arn" filter lines from the WHERE clause of the query.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
useridentity.arn AS "RoleArn",
eventid AS "EventId",
eventname AS "EventName",
awsregion AS "EventRegion",
eventsource AS "EventService",
eventtime AS "EventTime",
requestparameters As "RequestParameters",
responseelements AS "ResponseElements",
useragent AS "UserAgent"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
readonly <> 'true'
AND
(
LOWER(useridentity.arn) LIKE '%/ams%'
OR LOWER(useridentity.arn) LIKE '%/customer_ssm_automation_role%'
)
ORDER BY eventtime
```
#### `ams_instance_access_sessions_query_v1`
```
ams_instance_access_sessions_query_v1
/*
The query provides list of AMS Instance accesses during specific time range.
The query returns the list of AMS instance accesses; every record includes the event time, the event AWS Region, the instance ID, the IAM session ID, and the SSM session ID.
You can use the IAM Principal ID to get more details on the business need for accessing the instance by using ams_access_session_query_v1 athena query.
You can use the SSM session ID to get more details on the instance access session, including the start and end time of the session and log details, using the AWS Session Manager Console in the instance's AWS Region.
You can also list non-AMS instance accesses by removing the "useridentity" filter line in the WHERE clause of the query.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
json_extract_scalar(requestparameters, '$.target') AS "InstanceId",
json_extract_scalar(responseelements, '$.sessionId') AS "SSM SessionId",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventsource AS "EventService",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
useridentity.sessionContext.sessionIssuer.arn like '%/ams_%'
AND eventname = 'StartSession'
ORDER BY eventtime
```
#### `ams_privilege_escalation_events_query_v1`
```
ams_privilege_escalation_events_query_v1.yaml
/*
The query provides list of events that can directly or potentially lead to a privilege escalation.
The query accepts ActionedBy as an optional filter and returns EventName, EventId, EventTime, ... etc.
All fields associated with the event are also returned. Some fields are blank if not applicable for that event.
You can use the IAM Session ID to get more details about events happened in that session by using ams_session_events_query_v1 query.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
By default, the ActionedBy filter is disabled (it shows privilege escalation events from all users).
To show events for a particular user or role, remove the double-dash (--) from the useridentity filter line in the WHERE clause of the query
and replace the placeholder "" with an IAM user or role name.
You can run the query without the filter to determine the exact user you want to filter with.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventtime AS "EventTime",
json_extract_scalar(requestparameters, '$.userName') AS "UserName",
json_extract_scalar(requestparameters, '$.roleName') AS "RoleName",
json_extract_scalar(requestparameters, '$.groupName') AS "GroupName",
json_extract_scalar(requestparameters, '$.policyArn') AS "PolicyArn",
json_extract_scalar(requestparameters, '$.policyName') AS "PolicyName",
json_extract_scalar(requestparameters, '$.permissionsBoundary') AS "PermissionsBoundary",
json_extract_scalar(requestparameters, '$.instanceProfileName') AS "InstanceProfileName",
json_extract_scalar(requestparameters, '$.openIDConnectProviderArn') AS "OpenIDConnectProviderArn",
json_extract_scalar(requestparameters, '$.serialNumber') AS "SerialNumber",
json_extract_scalar(requestparameters, '$.serverCertificateName') AS "ServerCertificateName",
json_extract_scalar(requestparameters, '$.accessKeyId') AS "AccessKeyId",
json_extract_scalar(requestparameters, '$.certificateId') AS "CertificateId",
json_extract_scalar(requestparameters, '$.newUserName') AS "NewUserName",
json_extract_scalar(requestparameters, '$.newGroupName') AS "NewGroupName",
json_extract_scalar(requestparameters, '$.newServerCertificateName') AS "NewServerCertificateName",
json_extract_scalar(requestparameters, '$.name') AS "SAMLProviderName",
json_extract_scalar(requestparameters, '$.sAMLProviderArn') AS "SAMLProviderArn",
json_extract_scalar(requestparameters, '$.sSHPublicKeyId') AS "SSHPublicKeyId",
json_extract_scalar(requestparameters, '$.virtualMFADeviceName') AS "VirtualMFADeviceName"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
(
-- More event names can be found at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
eventname LIKE 'Add%' OR
eventname LIKE 'Attach%' OR
eventname LIKE 'Delete%' AND eventname != 'DeleteAccountAlias' OR
eventname LIKE 'Detach%' OR
eventname LIKE 'Create%' AND eventname != 'CreateAccountAlias' OR
eventname LIKE 'Put%' OR
eventname LIKE 'Remove%' OR
eventname LIKE 'Update%' OR
eventname LIKE 'Upload%' OR
eventname = 'DeactivateMFADevice' OR
eventname = 'EnableMFADevice' OR
eventname = 'ResetServiceSpecificCredential' OR
eventname = 'SetDefaultPolicyVersion'
)
AND eventsource = 'iam.amazonaws.com'
ORDER BY eventtime
```
#### `ams_resource_events_query_v1`
```
Name: ams_resource_events_query_v1
Description: >-
The query provides list of events done on specific resource.
The query accepts resource id as part of the filters, and return all write actions done on that resource.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides list of events done on specific resource.
The query accepts the resource ID as part of the filters (replace the placeholder "" in the WHERE clause of the query),
and returns all write actions done on that resource. The resource ID can be an ID for any AWS resource in the account.
Example: An instance ID for an EC2 instance, table name for a DynamoDB table, logGroupName for a CloudWatch Log, etc.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventsource AS "EventService",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND readonly <> 'true'
AND
(
requestparameters LIKE '%%'
OR responseelements LIKE '%%'
)
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of events done on specific resource.
#
# The query accepts the resource ID as part of the filters (replace the placeholder "" in the filter of the query),
# and returns all write actions done on that resource. The resource ID can be an ID for any AWS resource in the account.
# Example: An instance ID for an EC2 instance, table name for a DynamoDB table, logGroupName for a CloudWatch Log, etc.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter readOnly=0
| parse @message '"requestParameters":{*}' as RequestParameters
| parse @message '"responseElements":{*}' as ResponseElements
# | filter RequestParameters like "RESOURCE_INFO" or ResponseElements like ""
| fields
userIdentity.principalId as IAMPrincipalId,
userIdentity.accessKeyId as IAMSessionId,
userIdentity.accountId as AccountId,
userIdentity.arn as ActionedBy,
eventName as EventName,
awsRegion as EventRegion,
eventID as EventId,
eventSource as EventService,
eventTime as EventTime
| display IAMPrincipalId, IAMSessionId, AccountId, ActionedBy, EventName, EventRegion, EventId, EventService, EventTime
| sort eventTime desc
```
#### `ams_session_events_query_v1`
```
Name: ams_session_events_query_v1
Description: >-
The query provides list of events done on specific session.
The query accepts IAM Principal Id as part of the filters, and return all write actions done on that resource.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides a list of events executed on a specific session.
The query accepts the IAM principal ID as part of the filters (replace the placeholder "" in the WHERE clause of the query),
and returns all write actions done on that resource.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventsource AS "EventService",
eventtime AS "EventTime",
requestparameters As "RequestParameters",
responseelements AS "ResponseElements",
useragent AS "UserAgent"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate WHERE
useridentity.principalid = ''
AND datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND readonly <> 'true'
ORDER BY eventtime
InsightsQueryString: |-
# The query provides a list of events executed on a specific session.
#
# The query accepts the IAM principal ID as part of the filters (replace the placeholder "" in the filter of the query),
# and returns all write actions done on that resource.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter readOnly=0 AND userIdentity.principalId = ""
| sort eventTime desc
| fields
userIdentity.accessKeyId as IAMSessionId,
userIdentity.principalId as IAMPrincipalId,
userIdentity.accountId as AccountId,
userIdentity.arn as ActionedBy,
eventName as EventName,
awsRegion as EventRegion,
eventSource as EventService,
eventTime as EventTime,
userAgent as UserAgent
| parse @message '"requestParameters":{*}' as RequestParameters
| parse @message '"responseElements":{*}' as ResponseElements
```
#### `ams_session_ids_by_requester_v1`
```
Name: ams_session_ids_by_requester_v1
Description: >-
The query provides list of IAM Principal/Session Ids for specific requester.
The query accepts requester and return all IAM Principal/Session Ids by that requester during specific time range.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides list of IAM Principal IDs for a specific requester.
The query accepts the requester (replace placeholder "" in the WHERE clause of the query),
and returns all IAM Principal IDs by that requester during a specific time range.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
json_extract_scalar(responseelements, '$.credentials.accessKeyId') AS "IAM SessionIId",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND json_extract_scalar(requestparameters, '$.tags[2].value') = ''
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of IAM Principal IDs for a specific requester.
#
# The query accepts the requester (replace placeholder "" in the filter of the query),
# and returns all IAM Principal IDs by that requester during a specific time range.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter eventName="AssumeRole" AND requestParameters.tags.2.value=""
| sort eventTime desc
| fields
responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
responseElements.credentials.accessKeyId as IAMSessionId,
eventTime as EventTime
```
## Cambiar los permisos de registro
Se necesitan los siguientes permisos para ejecutar consultas de registro de cambios:
+ **Athena**
+ Atenea: GetWorkGroup
+ atenea: StartQueryExecution
+ atenea: ListDataCatalogs
+ atenea: GetQueryExecution
+ atenea: GetQueryResults
+ atenea: BatchGetNamedQuery
+ atenea: ListWorkGroups
+ atenea: UpdateWorkGroup
+ atenea: GetNamedQuery
+ atenea: ListQueryExecutions
+ atenea: ListNamedQueries
+ **AWS KMS**
+ kms:Decrypt
+ AWS KMS ID de clave de AMSCloudTrailLogManagement, o sus ID de AWS KMS clave, si Accelerate utiliza su almacén de datos de bucket Amazon S3 de CloudTrail Trail Events mediante el cifrado [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html).
+ **AWS Glue**
+ pegamento: GetDatabase
+ pegamento: GetTables
+ pegamento: GetDatabases
+ pegamento: GetTable
+ **Acceso de lectura a Amazon S3**
+ CloudTrail Almacén de datos de bucket de Amazon S3: ams-a {{AccountId}} -cloudtrail-, o el nombre de {{primary region}} su bucket de Amazon S3, trail events CloudTrail Amazon S3 data store.
+ **Acceso de escritura a Amazon S3**
+ Resultados de consultas de eventos de Athena bucket de Amazon S3: {{AccountId}} ams-a athena-results- {{primary region}}