Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
# Melacak perubahan di akun AMS Accelerate
**penting**
Layanan Change Record tidak digunakan lagi pada 1 Juli 2025.
Akun baru tidak dapat di-onboard ke layanan Change Record.
Untuk melakukan kueri CloudTrail data di akun AMS Accelerate, Anda dapat menggunakan layanan ini:
Di AWS CloudTrail, pilih **Riwayat acara** dan filter peristiwa menggunakan atribut Pencarian. Anda dapat menggunakan filter rentang waktu dan memilih untuk memfilter riwayat peristiwa berdasarkan sumber Peristiwa dengan yang `s3.amazon.aws.com` ditentukan, atau memilih untuk memfilter riwayat peristiwa berdasarkan Nama Pengguna. Untuk informasi selengkapnya, lihat [Bekerja dengan riwayat CloudTrail acara](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
Gunakan AWS CloudTrail Lake untuk mengumpulkan data melalui kueri. Dalam AWS CloudTrail memilih **Lake**, dan kemudian pilih **Query**. Anda dapat membuat kueri sendiri, menggunakan generator kueri, atau menggunakan kueri sampel untuk mengumpulkan data berbasis peristiwa. Misalnya, Anda dapat bertanya siapa yang menghapus EC2 instans Amazon minggu lalu. Untuk informasi selengkapnya, lihat [Membuat data lake dari AWS CloudTrail sumber](https://docs.aws.amazon.com/lake-formation/latest/dg/getting-started-cloudtrail-tutorial.html) dan [CloudTrailLake kueri.](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-queries.html)
Buat tabel Amazon Athena AWS CloudTrail dan atur lokasi penyimpanan sebagai bucket Amazon S3 yang terkait dengan jejak Anda. Verifikasi bahwa wilayah Beranda untuk jejak Anda dan bucket Amazon S3 adalah sama. Di Amazon Athena, gunakan editor Kueri untuk menjalankan [kueri default](#acc-cr-canned-queries) yang disediakan Accelerate untuk digunakan dengan konsol Athena. Untuk informasi selengkapnya tentang cara membuat tabel Athena ke CloudTrail log kueri, lihat Log [kueri AWS CloudTrail](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html).
**Topics**
+ [Melihat catatan perubahan Anda](#acc-cr-using)
+ [Kueri default](#acc-cr-canned-queries)
+ [Ubah izin rekaman](#acc-cr-permissions)
AWS Managed Services membantu Anda melacak perubahan yang dibuat oleh tim Operasi Akselerasi AMS dan otomatisasi AMS Accelerate dengan menyediakan antarmuka yang dapat dikueri menggunakan konsol [Amazon Athena](https://docs.aws.amazon.com/athena/) (Athena) dan manajemen log AMS Accelerate.
Athena adalah layanan kueri interaktif yang dapat Anda gunakan untuk menganalisis data di Amazon S3 dengan menggunakan Bahasa Kueri Terstruktur standar (SQL) ([lihat Referensi SQL untuk](https://docs.aws.amazon.com/athena/latest/ug/ddl-sql-reference.html) Amazon Athena). Athena tidak memiliki server, sehingga tidak ada infrastruktur untuk dikelola dan Anda hanya membayar untuk mengkueri yang Anda jalankan. AMS Accelerate membuat tabel Athena dengan partisi harian di atas CloudTrail log, dan menyediakan kueri di AWS Wilayah utama Anda dan dalam grup kerja. **ams-change-record** Anda dapat memilih salah satu kueri default dan menjalankannya sesuai kebutuhan. Untuk mempelajari selengkapnya tentang kelompok kerja Athena, lihat [Cara](https://docs.aws.amazon.com/athena/latest/ug/user-created-workgroups.html) Kerja Kelompok Kerja.
**catatan**
Hanya Accelerate yang dapat melakukan kueri CloudTrail peristiwa untuk akun Accelerate Anda menggunakan Athena saat Accelerate [terintegrasi dengan jejak CloudTrail Organisasi Anda](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-onb-trail-choices.html), kecuali administrator Organisasi Anda menerapkan Peran IAM untuk menggunakan Athena untuk menanyakan dan menganalisis CloudTrail peristiwa di akun Anda, selama orientasi.
Menggunakan catatan perubahan, Anda dapat dengan mudah menjawab pertanyaan seperti:
+ Siapa (AMS Accelerate Systems atau AMS Accelerate Operator) telah mengakses akun Anda
+ Perubahan apa yang telah dilakukan oleh AMS Accelerate di akun Anda
+ Kapan AMS Accelerate melakukan perubahan di akun Anda
+ Ke mana harus pergi untuk melihat perubahan yang dibuat di akun Anda
+ Mengapa AMS Accelerate diperlukan untuk membuat perubahan di akun Anda
+ Cara memodifikasi kueri untuk mendapatkan jawaban atas semua pertanyaan tersebut untuk perubahan non-AMS juga
## Melihat catatan perubahan Anda
Untuk menggunakan kueri Athena, masuk ke konsol AWS Manajemen dan arahkan ke konsol Athena di Wilayah utama Anda. AWS
**catatan**
Jika Anda melihat halaman **Amazon Athena Memulai** saat melakukan salah satu langkah, klik **Memulai**. Ini mungkin muncul untuk Anda bahkan jika infrastruktur Change Record Anda sudah ada.
1. Pilih **Workgroup** dari panel navigasi atas di konsol Athena.
1. Pilih **ams-change-record**workgroup, lalu klik **Ganti Workgroup**.
1. Pilih **ams-change-record-database**dari kotak **Database Combo**. **ams-change-record-database**Termasuk **ams-change-record-table**tabel.
1. Pilih **Kueri Tersimpan** dari panel navigasi atas.
1. Jendela **Kueri Tersimpan** menampilkan daftar kueri yang disediakan AMS Accelerate, yang dapat Anda jalankan. Pilih kueri yang ingin Anda jalankan dari daftar **Kueri Tersimpan**. Misalnya, kueri **ams\_session\_accesses\_v1**.
Untuk daftar lengkap kueri Akselerasi AMS prasetel, lihat. [Kueri default](#acc-cr-canned-queries)
1. Sesuaikan filter **datetime** di kotak editor kueri sesuai kebutuhan; secara default, kueri hanya memeriksa perubahan dari hari terakhir.
1. Pilih **Run query** (Jalankan kueri).
## Kueri default
AMS Accelerate menyediakan beberapa kueri default yang dapat Anda gunakan dalam konsol Athena. Kueri default tercantum dalam tabel berikut.
**catatan**
Semua kueri menerima **rentang datetime** sebagai filter opsional; semua kueri berjalan selama 24 jam terakhir, secara default. Untuk masukan yang diharapkan, lihat ayat berikut,[Memodifikasi filter datetime dalam kueri](#acc-cr-canned-queries-mod-timestamp).
Masukan parameter yang dapat atau perlu Anda ubah ditampilkan dalam kueri seperti {{}} kawat gigi sudut. Ganti placeholder **dan** kurung gigi sudut dengan nilai parameter Anda.
Semua filter bersifat opsional. Dalam kueri, beberapa filter opsional dikomentari dengan tanda hubung ganda (--) di awal baris. Semua kueri akan berjalan tanpa mereka, dengan parameter default. Jika Anda ingin menentukan nilai parameter untuk filter opsional ini, hapus tanda hubung ganda (--) di awal baris dan ganti parameter yang Anda inginkan.
Semua kueri kembali `IAM PincipalId` dan `IAM SessionId` dalam output
Biaya yang dihitung untuk menjalankan kueri tergantung pada berapa banyak CloudTrail log yang dihasilkan untuk akun tersebut. Untuk menghitung biaya, gunakan Kalkulator [Harga AWS Athena](https://aws.amazon.com/athena/pricing/).
**Kueri kalengan**
[See the AWS documentation website for more details](http://docs.aws.amazon.com/id_id/managedservices/latest/accelerate-guide/acc-change-record.html)
### Memodifikasi filter datetime dalam kueri
Semua kueri menerima rentang **datetime** sebagai filter opsional. Semua kueri berjalan selama satu hari terakhir secara default.
Format yang digunakan untuk bidang **datetime** adalah yyyy/MM/dd (misalnya: 2021/01/01). Ingatlah bahwa itu hanya menyimpan tanggal dan bukan seluruh stempel waktu. **Untuk seluruh stempel waktu, gunakan field **eventime, yang menyimpan stempel waktu** dalam format ISO 8601 yyyy-MM-dd **T HH: mm: SS Z (misalnya: 2021-01-01T** 23:59:59 Z).** Namun, karena tabel [dipartisi](https://docs.aws.amazon.com/athena/latest/ug/partitions.html) pada bidang datetime, Anda harus meneruskan filter datetime dan eventtime ke kueri. Lihat contoh berikut.
**catatan**
Untuk melihat semua cara yang diterima Anda dapat memodifikasi rentang, lihat [dokumentasi fungsi Presto](https://docs.aws.amazon.com/athena/latest/ug/presto-functions.html) terbaru berdasarkan versi mesin Athena yang saat ini digunakan untuk **Fungsi dan Operator Tanggal dan Waktu** untuk melihat semua cara yang diterima Anda dapat memodifikasi rentang.
**Level Tanggal: 1 hari terakhir atau 24 jam terakhir (Default)** Contoh: Jika CURRENT\_DATE='2021/01/01', filter akan mengurangi satu hari dari tanggal saat ini dan memformatnya sebagai datetime> '2020/12/31'
```
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
```
**Tingkat Tanggal: Contoh 2 bulan terakhir**:
```
datetime > date_format(date_add('month', - 2, CURRENT_DATE), '%Y/%m/%d')
```
**Tingkat Tanggal: Antara 2 tanggal** contoh:
```
datetime > '2021/01/01'
AND
datetime < '2021/01/10'
```
**Tingkat Stempel Waktu: Contoh 12 jam terakhir:**
Data partisi dipindai hingga 1 hari terakhir dan kemudian memfilter semua peristiwa dalam 12 jam terakhir
```
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND
eventtime > date_format(date_add('hour', - 12, CURRENT_TIMESTAMP), '%Y-%m-%dT%H:%i:%sZ')
```
**Tingkat Stempel Waktu: Antara 2 contoh stempel** waktu:
Dapatkan acara antara 1 Jan 2021 12:00 PM dan Jan 10, 2021 15.00.
```
datetime > '2021/01/01' AND datetime < '2021/01/10'
AND
eventtime > '2021-01-01T12:00:00Z' AND eventtime < '2021-01-10T15:00:00Z'
```
### Contoh kueri default
#### `ams_access_session_query_v1`
```
Name: ams_access_session_query_v1
Description: >-
The query provides more information on specific AMS access session.
The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
By default; the query filter last day events only, the user can change the datetime filter to search for more wide time range.
By default; the IAM PrincipalId filter is disabled. To enable it, remove "-- " from that line.
AthenaQueryString: |-
/*
The query provides list of AMS access sessions during specific time range.
The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
By default; the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
If you want to only show access sessions for a particular IAM principal ID, remove the double-dash (--) from
the "IAM Principal ID" filter line in the WHERE clause of the query, and replace the placeholder "" with the specific ID that you want.
You can run the query without the filter to determine the exact IAM PrincipalId you want to filter with.
By default; the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
remove the "useragent" filter in the WHERE clause of the query.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
json_extract_scalar(responseelements, '$.credentials.accessKeyId') AS "IAM SessionId",
eventtime AS "EventTime",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
json_extract_scalar(requestparameters, '$.tags[0].value') AS "BusinessNeed",
json_extract_scalar(requestparameters, '$.tags[1].value') AS "BusinessNeedType",
json_extract_scalar(requestparameters, '$.tags[2].value') AS "Requester",
json_extract_scalar(requestparameters, '$.tags[3].value') AS "AccessRequestType"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND eventname = 'AssumeRole'
AND useragent = 'access.managedservices.amazonaws.com'
-- AND json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') = ''
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of AMS access sessions during specific time range.
# The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
#
# By default; the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
# If you want to only show access sessions for a particular IAM principal ID, remove the # (#) from
# the "IAM Principal ID" filter of the query, and replace the placeholder "" with the specific ID that you want.
# You can run the query without the filter to determine the exact IAM PrincipalId you want to filter with.
#
# By default; the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
# remove the "useragent" filter from the query.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter eventName="AssumeRole" AND userAgent="access.managedservices.amazonaws.com"
# | filter responseElements.assumedRoleUser.assumedRoleId= ""
| sort eventTime desc
| fields
responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
responseElements.credentials.accessKeyId as IAMSessionId,
eventTime as EventTime,
eventName as EventName,
awsRegion as EventRegion,
eventID as EventId,
requestParameters.tags.0.value as BusinessNeed,
requestParameters.tags.1.value as BusinessNeedType,
requestParameters.tags.2.value as Requester,
requestParameters.tags.3.value as AccessRequestType
```
#### `ams_events_query_v1`
```
ams_events_query_v1.yaml
/*
The query provides list of events to track write actions for all AMS changes.
The query returns all write actions done on the account using that AMS role filter.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
You can also track mutating actions done by non-AMS roles by removing the "useridentity.arn" filter lines from the WHERE clause of the query.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
useridentity.arn AS "RoleArn",
eventid AS "EventId",
eventname AS "EventName",
awsregion AS "EventRegion",
eventsource AS "EventService",
eventtime AS "EventTime",
requestparameters As "RequestParameters",
responseelements AS "ResponseElements",
useragent AS "UserAgent"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
readonly <> 'true'
AND
(
LOWER(useridentity.arn) LIKE '%/ams%'
OR LOWER(useridentity.arn) LIKE '%/customer_ssm_automation_role%'
)
ORDER BY eventtime
```
#### `ams_instance_access_sessions_query_v1`
```
ams_instance_access_sessions_query_v1
/*
The query provides list of AMS Instance accesses during specific time range.
The query returns the list of AMS instance accesses; every record includes the event time, the event AWS Region, the instance ID, the IAM session ID, and the SSM session ID.
You can use the IAM Principal ID to get more details on the business need for accessing the instance by using ams_access_session_query_v1 athena query.
You can use the SSM session ID to get more details on the instance access session, including the start and end time of the session and log details, using the AWS Session Manager Console in the instance's AWS Region.
You can also list non-AMS instance accesses by removing the "useridentity" filter line in the WHERE clause of the query.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
json_extract_scalar(requestparameters, '$.target') AS "InstanceId",
json_extract_scalar(responseelements, '$.sessionId') AS "SSM SessionId",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventsource AS "EventService",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
useridentity.sessionContext.sessionIssuer.arn like '%/ams_%'
AND eventname = 'StartSession'
ORDER BY eventtime
```
#### `ams_privilege_escalation_events_query_v1`
```
ams_privilege_escalation_events_query_v1.yaml
/*
The query provides list of events that can directly or potentially lead to a privilege escalation.
The query accepts ActionedBy as an optional filter and returns EventName, EventId, EventTime, ... etc.
All fields associated with the event are also returned. Some fields are blank if not applicable for that event.
You can use the IAM Session ID to get more details about events happened in that session by using ams_session_events_query_v1 query.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
By default, the ActionedBy filter is disabled (it shows privilege escalation events from all users).
To show events for a particular user or role, remove the double-dash (--) from the useridentity filter line in the WHERE clause of the query
and replace the placeholder "" with an IAM user or role name.
You can run the query without the filter to determine the exact user you want to filter with.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventtime AS "EventTime",
json_extract_scalar(requestparameters, '$.userName') AS "UserName",
json_extract_scalar(requestparameters, '$.roleName') AS "RoleName",
json_extract_scalar(requestparameters, '$.groupName') AS "GroupName",
json_extract_scalar(requestparameters, '$.policyArn') AS "PolicyArn",
json_extract_scalar(requestparameters, '$.policyName') AS "PolicyName",
json_extract_scalar(requestparameters, '$.permissionsBoundary') AS "PermissionsBoundary",
json_extract_scalar(requestparameters, '$.instanceProfileName') AS "InstanceProfileName",
json_extract_scalar(requestparameters, '$.openIDConnectProviderArn') AS "OpenIDConnectProviderArn",
json_extract_scalar(requestparameters, '$.serialNumber') AS "SerialNumber",
json_extract_scalar(requestparameters, '$.serverCertificateName') AS "ServerCertificateName",
json_extract_scalar(requestparameters, '$.accessKeyId') AS "AccessKeyId",
json_extract_scalar(requestparameters, '$.certificateId') AS "CertificateId",
json_extract_scalar(requestparameters, '$.newUserName') AS "NewUserName",
json_extract_scalar(requestparameters, '$.newGroupName') AS "NewGroupName",
json_extract_scalar(requestparameters, '$.newServerCertificateName') AS "NewServerCertificateName",
json_extract_scalar(requestparameters, '$.name') AS "SAMLProviderName",
json_extract_scalar(requestparameters, '$.sAMLProviderArn') AS "SAMLProviderArn",
json_extract_scalar(requestparameters, '$.sSHPublicKeyId') AS "SSHPublicKeyId",
json_extract_scalar(requestparameters, '$.virtualMFADeviceName') AS "VirtualMFADeviceName"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
(
-- More event names can be found at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
eventname LIKE 'Add%' OR
eventname LIKE 'Attach%' OR
eventname LIKE 'Delete%' AND eventname != 'DeleteAccountAlias' OR
eventname LIKE 'Detach%' OR
eventname LIKE 'Create%' AND eventname != 'CreateAccountAlias' OR
eventname LIKE 'Put%' OR
eventname LIKE 'Remove%' OR
eventname LIKE 'Update%' OR
eventname LIKE 'Upload%' OR
eventname = 'DeactivateMFADevice' OR
eventname = 'EnableMFADevice' OR
eventname = 'ResetServiceSpecificCredential' OR
eventname = 'SetDefaultPolicyVersion'
)
AND eventsource = 'iam.amazonaws.com'
ORDER BY eventtime
```
#### `ams_resource_events_query_v1`
```
Name: ams_resource_events_query_v1
Description: >-
The query provides list of events done on specific resource.
The query accepts resource id as part of the filters, and return all write actions done on that resource.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides list of events done on specific resource.
The query accepts the resource ID as part of the filters (replace the placeholder "" in the WHERE clause of the query),
and returns all write actions done on that resource. The resource ID can be an ID for any AWS resource in the account.
Example: An instance ID for an EC2 instance, table name for a DynamoDB table, logGroupName for a CloudWatch Log, etc.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventsource AS "EventService",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND readonly <> 'true'
AND
(
requestparameters LIKE '%%'
OR responseelements LIKE '%%'
)
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of events done on specific resource.
#
# The query accepts the resource ID as part of the filters (replace the placeholder "" in the filter of the query),
# and returns all write actions done on that resource. The resource ID can be an ID for any AWS resource in the account.
# Example: An instance ID for an EC2 instance, table name for a DynamoDB table, logGroupName for a CloudWatch Log, etc.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter readOnly=0
| parse @message '"requestParameters":{*}' as RequestParameters
| parse @message '"responseElements":{*}' as ResponseElements
# | filter RequestParameters like "RESOURCE_INFO" or ResponseElements like ""
| fields
userIdentity.principalId as IAMPrincipalId,
userIdentity.accessKeyId as IAMSessionId,
userIdentity.accountId as AccountId,
userIdentity.arn as ActionedBy,
eventName as EventName,
awsRegion as EventRegion,
eventID as EventId,
eventSource as EventService,
eventTime as EventTime
| display IAMPrincipalId, IAMSessionId, AccountId, ActionedBy, EventName, EventRegion, EventId, EventService, EventTime
| sort eventTime desc
```
#### `ams_session_events_query_v1`
```
Name: ams_session_events_query_v1
Description: >-
The query provides list of events done on specific session.
The query accepts IAM Principal Id as part of the filters, and return all write actions done on that resource.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides a list of events executed on a specific session.
The query accepts the IAM principal ID as part of the filters (replace the placeholder "" in the WHERE clause of the query),
and returns all write actions done on that resource.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventsource AS "EventService",
eventtime AS "EventTime",
requestparameters As "RequestParameters",
responseelements AS "ResponseElements",
useragent AS "UserAgent"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate WHERE
useridentity.principalid = ''
AND datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND readonly <> 'true'
ORDER BY eventtime
InsightsQueryString: |-
# The query provides a list of events executed on a specific session.
#
# The query accepts the IAM principal ID as part of the filters (replace the placeholder "" in the filter of the query),
# and returns all write actions done on that resource.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter readOnly=0 AND userIdentity.principalId = ""
| sort eventTime desc
| fields
userIdentity.accessKeyId as IAMSessionId,
userIdentity.principalId as IAMPrincipalId,
userIdentity.accountId as AccountId,
userIdentity.arn as ActionedBy,
eventName as EventName,
awsRegion as EventRegion,
eventSource as EventService,
eventTime as EventTime,
userAgent as UserAgent
| parse @message '"requestParameters":{*}' as RequestParameters
| parse @message '"responseElements":{*}' as ResponseElements
```
#### `ams_session_ids_by_requester_v1`
```
Name: ams_session_ids_by_requester_v1
Description: >-
The query provides list of IAM Principal/Session Ids for specific requester.
The query accepts requester and return all IAM Principal/Session Ids by that requester during specific time range.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides list of IAM Principal IDs for a specific requester.
The query accepts the requester (replace placeholder "" in the WHERE clause of the query),
and returns all IAM Principal IDs by that requester during a specific time range.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
json_extract_scalar(responseelements, '$.credentials.accessKeyId') AS "IAM SessionIId",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND json_extract_scalar(requestparameters, '$.tags[2].value') = ''
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of IAM Principal IDs for a specific requester.
#
# The query accepts the requester (replace placeholder "" in the filter of the query),
# and returns all IAM Principal IDs by that requester during a specific time range.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter eventName="AssumeRole" AND requestParameters.tags.2.value=""
| sort eventTime desc
| fields
responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
responseElements.credentials.accessKeyId as IAMSessionId,
eventTime as EventTime
```
## Ubah izin rekaman
Izin berikut diperlukan untuk menjalankan kueri catatan perubahan:
+ **Athena**
+ Athena: GetWorkGroup
+ Athena: StartQueryExecution
+ Athena: ListDataCatalogs
+ Athena: GetQueryExecution
+ Athena: GetQueryResults
+ Athena: BatchGetNamedQuery
+ Athena: ListWorkGroups
+ Athena: UpdateWorkGroup
+ Athena: GetNamedQuery
+ Athena: ListQueryExecutions
+ Athena: ListNamedQueries
+ **AWS KMS**
+ kms:Decrypt
+ AWS KMS [ID kunci AMSCloudTrailLogManagement, atau ID AWS KMS kunci Anda, jika Accelerate menggunakan peristiwa CloudTrail jejak penyimpanan data bucket Amazon S3 menggunakan enkripsi SSE-KMS.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html)
+ **AWS Glue**
+ lem: GetDatabase
+ lem: GetTables
+ lem: GetDatabases
+ lem: GetTable
+ **Akses baca Amazon S3**
+ CloudTrail Data bucket Amazon S3: ams-a {{AccountId}} -cloudtrail-{{primary region}}, atau nama bucket Amazon S3 Anda, acara jejak penyimpanan data bucket Amazon S3. CloudTrail
+ **Akses tulis Amazon S3**
+ Hasil kueri acara Athena Bucket Amazon S3: ams-a athena-results- {{AccountId}} {{primary region}}