As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
# Rastreando alterações em suas contas do AMS Accelerate
**Importante**
O serviço Change Record foi descontinuado em 1º de julho de 2025.
Novas contas não podem ser integradas ao serviço Change Record.
Para consultar CloudTrail dados em suas contas do AMS Accelerate, você pode usar estes serviços:
Em AWS CloudTrail, escolha **Histórico de eventos** e filtre eventos usando atributos de pesquisa. Você pode usar o filtro de intervalo de tempo e optar por filtrar o histórico de eventos por fonte de eventos com a `s3.amazon.aws.com` especificação, ou optar por filtrar o histórico de eventos por nome de usuário. Para obter mais informações, consulte [Trabalhando com o histórico de CloudTrail eventos](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
Use o AWS CloudTrail Lake para coletar dados por meio de consultas. Em, AWS CloudTrail escolha **Lake** e, em seguida, escolha **Consulta**. Você pode criar suas próprias consultas, usar o gerador de consultas ou usar exemplos de consultas para coletar dados baseados em eventos. Por exemplo, você pode perguntar quem excluiu uma EC2 instância da Amazon na semana passada. Para obter mais informações, consulte [Criação de um data lake a partir de uma AWS CloudTrail fonte](https://docs.aws.amazon.com/lake-formation/latest/dg/getting-started-cloudtrail-tutorial.html) e [CloudTrailLake consultas.](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-queries.html)
Crie uma tabela do Amazon Athena AWS CloudTrail e defina o local de armazenamento como o bucket do Amazon S3 associado à sua trilha. Verifique se a região inicial da sua trilha e do bucket do Amazon S3 são iguais. No Amazon Athena, use o editor de consultas para executar [as consultas padrão](#acc-cr-canned-queries) que o Accelerate fornece para uso com o console do Athena. Para obter mais informações sobre como criar uma tabela do Athena para dois CloudTrail registros de consulta, consulte Registros de [consulta AWS CloudTrail](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html).
**Topics**
+ [Visualizando seus registros de alterações](#acc-cr-using)
+ [Consultas padrão](#acc-cr-canned-queries)
+ [Alterar permissões de registro](#acc-cr-permissions)
O AWS Managed Services ajuda você a monitorar as alterações feitas pela equipe de operações do AMS Accelerate e pela automação do AMS Accelerate, fornecendo uma interface que pode ser consultada usando o console [Amazon Athena](https://docs.aws.amazon.com/athena/) (Athena) e o gerenciamento de registros do AMS Accelerate.
O Athena é um serviço de consulta interativo que você pode usar para analisar dados no Amazon S3 usando a linguagem de consulta estruturada (SQL) padrão ([consulte a referência de SQL para o Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/ddl-sql-reference.html)). Como o Athena é sem servidor, não há infraestrutura para gerenciar, e você paga apenas pelas consultas executadas. O AMS Accelerate cria tabelas do Athena com partições diárias em CloudTrail registros e fornece consultas sobre sua AWS região principal e dentro do grupo de trabalho. **ams-change-record** Você pode escolher qualquer uma das consultas padrão e executá-las conforme necessário. Para saber mais sobre os grupos de trabalho do Athena, consulte [Como](https://docs.aws.amazon.com/athena/latest/ug/user-created-workgroups.html) funcionam os grupos de trabalho.
**nota**
Somente o Accelerate pode consultar CloudTrail eventos para sua conta do Accelerate usando o Athena quando o Accelerate [está integrado à trilha CloudTrail da sua organização](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-onb-trail-choices.html), a menos que o administrador da organização tenha implantado uma função do IAM para usar o Athena para consultar e analisar CloudTrail eventos em sua conta durante a integração.
Usando o registro de alterações, você pode responder facilmente a perguntas como:
+ Quem (AMS Accelerate Systems ou AMS Accelerate Operators) acessou sua conta
+ Quais alterações foram feitas pelo AMS Accelerate em sua conta
+ Quando o AMS Accelerate realizou alterações em sua conta?
+ Onde ir para ver as alterações feitas em sua conta
+ Por que o AMS Accelerate precisou fazer as alterações em sua conta
+ Como modificar as consultas para obter respostas a todas essas perguntas também para quaisquer alterações que não sejam do AMS
## Visualizando seus registros de alterações
Para usar as consultas do Athena, entre no console de AWS gerenciamento e navegue até o console do Athena na sua região principal. AWS
**nota**
Se você ver a página de introdução do **Amazon Athena enquanto executa qualquer uma das etapas, clique em **Começar****. Isso pode aparecer para você mesmo que sua infraestrutura de registro de alterações já esteja instalada.
1. Escolha **Grupo de trabalho** no painel de navegação superior no console do Athena.
1. Escolha o **ams-change-record**grupo de trabalho e clique em **Alternar grupo de trabalho**.
1. Escolha na caixa **ams-change-record-database**de **combinação de banco de** dados. **ams-change-record-database**Isso inclui a **ams-change-record-table**tabela.
1. Escolha **Consultas salvas** no painel de navegação superior.
1. A janela **Consultas salvas** mostra uma lista de consultas fornecidas pelo AMS Accelerate, que você pode executar. Escolha a consulta que você deseja executar na lista **Consultas salvas**. Por exemplo, consulta **ams\_session\_accesses\_v1**.
Para obter a lista completa das consultas predefinidas do AMS Accelerate, consulte. [Consultas padrão](#acc-cr-canned-queries)
1. Ajuste o filtro de **data e hora** na caixa do editor de consultas conforme necessário; por padrão, a consulta só verifica as alterações do último dia.
1. Selecione **Executar consulta**.
## Consultas padrão
O AMS Accelerate fornece várias consultas padrão que você pode usar no console do Athena. As consultas padrão estão listadas nas tabelas a seguir.
**nota**
Todas as consultas aceitam o **intervalo de data e hora** como um filtro opcional; todas as consultas são executadas nas últimas 24 horas, por padrão. Para informações esperadas, consulte a subseção a seguir,[Modificando o filtro de data e hora nas consultas](#acc-cr-canned-queries-mod-timestamp).
As entradas de parâmetros que você pode ou precisa alterar são mostradas na consulta como {{}} se fossem chaves angulares. Substitua o espaço reservado **e** as chaves angulares pelo valor do seu parâmetro.
Todos os filtros são opcionais. Nas consultas, alguns filtros opcionais são comentados com um traço duplo (--) no início da linha. Todas as consultas serão executadas sem elas, com parâmetros padrão. Se você quiser especificar valores de parâmetros para esses filtros opcionais, remova o traço duplo (--) no início da linha e substitua o parâmetro conforme desejar.
Todas as consultas retornam `IAM PincipalId` e `IAM SessionId` nas saídas
O custo calculado para executar uma consulta depende de quantos CloudTrail registros são gerados para a conta. Para calcular o custo, use a calculadora de [preços do AWS Athena](https://aws.amazon.com/athena/pricing/).
**Consultas predefinidas**
[See the AWS documentation website for more details](http://docs.aws.amazon.com/pt_br/managedservices/latest/accelerate-guide/acc-change-record.html)
### Modificando o filtro de data e hora nas consultas
Todas as consultas aceitam o intervalo de **data e hora** como um filtro opcional. Por padrão, todas as consultas são executadas no último dia.
O formato usado para o campo de **data e hora** é yyyy/MM/dd (por exemplo: 2021/01/01). Lembre-se de que ele armazena apenas a data e não o carimbo de data/hora inteiro. **Para todo o timestamp, use o campo **eventime**, que armazena o timestamp no formato ISO 8601 yyyy-MM-dd **T HH:mm:ss Z (por exemplo: 2021-01-01T** 23:59:59 Z).** No entanto, como a tabela é [particionada](https://docs.aws.amazon.com/athena/latest/ug/partitions.html) no campo datetime, você precisará passar os filtros datetime e eventtime para a consulta. Veja os exemplos de a seguir.
**nota**
Para ver todas as formas aceitas de modificar o intervalo, consulte a [documentação mais recente da função Presto](https://docs.aws.amazon.com/athena/latest/ug/presto-functions.html) com base na versão do mecanismo Athena usada atualmente para **as funções e operadores de data e hora** para ver todas as formas aceitas de modificar o intervalo.
**Nível de data: Último dia ou últimas 24 horas (padrão)** Exemplo: se o CURRENT\_DATE='2021/01/01', o filtro subtrairá um dia da data atual e o formatará como data/hora > '2020/12/31'
```
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
```
**Nível de data: exemplo dos últimos 2 meses**:
```
datetime > date_format(date_add('month', - 2, CURRENT_DATE), '%Y/%m/%d')
```
**Nível de data: Entre 2 datas**, exemplo:
```
datetime > '2021/01/01'
AND
datetime < '2021/01/10'
```
**Nível de registro de data e hora: exemplo das últimas 12 horas**:
Particione os dados digitalizados para durar 1 dia e, em seguida, filtre todos os eventos nas últimas 12 horas
```
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND
eventtime > date_format(date_add('hour', - 12, CURRENT_TIMESTAMP), '%Y-%m-%dT%H:%i:%sZ')
```
**Nível de timestamp: entre 2 timestamps**, exemplo:
Obtenha eventos entre 1º de janeiro de 2021 às 12h e 10 de janeiro de 2021 às 15h.
```
datetime > '2021/01/01' AND datetime < '2021/01/10'
AND
eventtime > '2021-01-01T12:00:00Z' AND eventtime < '2021-01-10T15:00:00Z'
```
### Exemplos de consulta padrão
#### `ams_access_session_query_v1`
```
Name: ams_access_session_query_v1
Description: >-
The query provides more information on specific AMS access session.
The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
By default; the query filter last day events only, the user can change the datetime filter to search for more wide time range.
By default; the IAM PrincipalId filter is disabled. To enable it, remove "-- " from that line.
AthenaQueryString: |-
/*
The query provides list of AMS access sessions during specific time range.
The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
By default; the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
If you want to only show access sessions for a particular IAM principal ID, remove the double-dash (--) from
the "IAM Principal ID" filter line in the WHERE clause of the query, and replace the placeholder "" with the specific ID that you want.
You can run the query without the filter to determine the exact IAM PrincipalId you want to filter with.
By default; the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
remove the "useragent" filter in the WHERE clause of the query.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
json_extract_scalar(responseelements, '$.credentials.accessKeyId') AS "IAM SessionId",
eventtime AS "EventTime",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
json_extract_scalar(requestparameters, '$.tags[0].value') AS "BusinessNeed",
json_extract_scalar(requestparameters, '$.tags[1].value') AS "BusinessNeedType",
json_extract_scalar(requestparameters, '$.tags[2].value') AS "Requester",
json_extract_scalar(requestparameters, '$.tags[3].value') AS "AccessRequestType"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND eventname = 'AssumeRole'
AND useragent = 'access.managedservices.amazonaws.com'
-- AND json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') = ''
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of AMS access sessions during specific time range.
# The query accepts IAM Principal Id as an optional filter and returns event time, business need for accessing the account, requester, ... etc.
#
# By default; the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
# If you want to only show access sessions for a particular IAM principal ID, remove the # (#) from
# the "IAM Principal ID" filter of the query, and replace the placeholder "" with the specific ID that you want.
# You can run the query without the filter to determine the exact IAM PrincipalId you want to filter with.
#
# By default; the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
# remove the "useragent" filter from the query.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter eventName="AssumeRole" AND userAgent="access.managedservices.amazonaws.com"
# | filter responseElements.assumedRoleUser.assumedRoleId= ""
| sort eventTime desc
| fields
responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
responseElements.credentials.accessKeyId as IAMSessionId,
eventTime as EventTime,
eventName as EventName,
awsRegion as EventRegion,
eventID as EventId,
requestParameters.tags.0.value as BusinessNeed,
requestParameters.tags.1.value as BusinessNeedType,
requestParameters.tags.2.value as Requester,
requestParameters.tags.3.value as AccessRequestType
```
#### `ams_events_query_v1`
```
ams_events_query_v1.yaml
/*
The query provides list of events to track write actions for all AMS changes.
The query returns all write actions done on the account using that AMS role filter.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
You can also track mutating actions done by non-AMS roles by removing the "useridentity.arn" filter lines from the WHERE clause of the query.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
useridentity.arn AS "RoleArn",
eventid AS "EventId",
eventname AS "EventName",
awsregion AS "EventRegion",
eventsource AS "EventService",
eventtime AS "EventTime",
requestparameters As "RequestParameters",
responseelements AS "ResponseElements",
useragent AS "UserAgent"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
readonly <> 'true'
AND
(
LOWER(useridentity.arn) LIKE '%/ams%'
OR LOWER(useridentity.arn) LIKE '%/customer_ssm_automation_role%'
)
ORDER BY eventtime
```
#### `ams_instance_access_sessions_query_v1`
```
ams_instance_access_sessions_query_v1
/*
The query provides list of AMS Instance accesses during specific time range.
The query returns the list of AMS instance accesses; every record includes the event time, the event AWS Region, the instance ID, the IAM session ID, and the SSM session ID.
You can use the IAM Principal ID to get more details on the business need for accessing the instance by using ams_access_session_query_v1 athena query.
You can use the SSM session ID to get more details on the instance access session, including the start and end time of the session and log details, using the AWS Session Manager Console in the instance's AWS Region.
You can also list non-AMS instance accesses by removing the "useridentity" filter line in the WHERE clause of the query.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
json_extract_scalar(requestparameters, '$.target') AS "InstanceId",
json_extract_scalar(responseelements, '$.sessionId') AS "SSM SessionId",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventsource AS "EventService",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
useridentity.sessionContext.sessionIssuer.arn like '%/ams_%'
AND eventname = 'StartSession'
ORDER BY eventtime
```
#### `ams_privilege_escalation_events_query_v1`
```
ams_privilege_escalation_events_query_v1.yaml
/*
The query provides list of events that can directly or potentially lead to a privilege escalation.
The query accepts ActionedBy as an optional filter and returns EventName, EventId, EventTime, ... etc.
All fields associated with the event are also returned. Some fields are blank if not applicable for that event.
You can use the IAM Session ID to get more details about events happened in that session by using ams_session_events_query_v1 query.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
By default, the ActionedBy filter is disabled (it shows privilege escalation events from all users).
To show events for a particular user or role, remove the double-dash (--) from the useridentity filter line in the WHERE clause of the query
and replace the placeholder "" with an IAM user or role name.
You can run the query without the filter to determine the exact user you want to filter with.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventtime AS "EventTime",
json_extract_scalar(requestparameters, '$.userName') AS "UserName",
json_extract_scalar(requestparameters, '$.roleName') AS "RoleName",
json_extract_scalar(requestparameters, '$.groupName') AS "GroupName",
json_extract_scalar(requestparameters, '$.policyArn') AS "PolicyArn",
json_extract_scalar(requestparameters, '$.policyName') AS "PolicyName",
json_extract_scalar(requestparameters, '$.permissionsBoundary') AS "PermissionsBoundary",
json_extract_scalar(requestparameters, '$.instanceProfileName') AS "InstanceProfileName",
json_extract_scalar(requestparameters, '$.openIDConnectProviderArn') AS "OpenIDConnectProviderArn",
json_extract_scalar(requestparameters, '$.serialNumber') AS "SerialNumber",
json_extract_scalar(requestparameters, '$.serverCertificateName') AS "ServerCertificateName",
json_extract_scalar(requestparameters, '$.accessKeyId') AS "AccessKeyId",
json_extract_scalar(requestparameters, '$.certificateId') AS "CertificateId",
json_extract_scalar(requestparameters, '$.newUserName') AS "NewUserName",
json_extract_scalar(requestparameters, '$.newGroupName') AS "NewGroupName",
json_extract_scalar(requestparameters, '$.newServerCertificateName') AS "NewServerCertificateName",
json_extract_scalar(requestparameters, '$.name') AS "SAMLProviderName",
json_extract_scalar(requestparameters, '$.sAMLProviderArn') AS "SAMLProviderArn",
json_extract_scalar(requestparameters, '$.sSHPublicKeyId') AS "SSHPublicKeyId",
json_extract_scalar(requestparameters, '$.virtualMFADeviceName') AS "VirtualMFADeviceName"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
(
-- More event names can be found at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
eventname LIKE 'Add%' OR
eventname LIKE 'Attach%' OR
eventname LIKE 'Delete%' AND eventname != 'DeleteAccountAlias' OR
eventname LIKE 'Detach%' OR
eventname LIKE 'Create%' AND eventname != 'CreateAccountAlias' OR
eventname LIKE 'Put%' OR
eventname LIKE 'Remove%' OR
eventname LIKE 'Update%' OR
eventname LIKE 'Upload%' OR
eventname = 'DeactivateMFADevice' OR
eventname = 'EnableMFADevice' OR
eventname = 'ResetServiceSpecificCredential' OR
eventname = 'SetDefaultPolicyVersion'
)
AND eventsource = 'iam.amazonaws.com'
ORDER BY eventtime
```
#### `ams_resource_events_query_v1`
```
Name: ams_resource_events_query_v1
Description: >-
The query provides list of events done on specific resource.
The query accepts resource id as part of the filters, and return all write actions done on that resource.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides list of events done on specific resource.
The query accepts the resource ID as part of the filters (replace the placeholder "" in the WHERE clause of the query),
and returns all write actions done on that resource. The resource ID can be an ID for any AWS resource in the account.
Example: An instance ID for an EC2 instance, table name for a DynamoDB table, logGroupName for a CloudWatch Log, etc.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventid AS "EventId",
eventsource AS "EventService",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND readonly <> 'true'
AND
(
requestparameters LIKE '%%'
OR responseelements LIKE '%%'
)
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of events done on specific resource.
#
# The query accepts the resource ID as part of the filters (replace the placeholder "" in the filter of the query),
# and returns all write actions done on that resource. The resource ID can be an ID for any AWS resource in the account.
# Example: An instance ID for an EC2 instance, table name for a DynamoDB table, logGroupName for a CloudWatch Log, etc.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter readOnly=0
| parse @message '"requestParameters":{*}' as RequestParameters
| parse @message '"responseElements":{*}' as ResponseElements
# | filter RequestParameters like "RESOURCE_INFO" or ResponseElements like ""
| fields
userIdentity.principalId as IAMPrincipalId,
userIdentity.accessKeyId as IAMSessionId,
userIdentity.accountId as AccountId,
userIdentity.arn as ActionedBy,
eventName as EventName,
awsRegion as EventRegion,
eventID as EventId,
eventSource as EventService,
eventTime as EventTime
| display IAMPrincipalId, IAMSessionId, AccountId, ActionedBy, EventName, EventRegion, EventId, EventService, EventTime
| sort eventTime desc
```
#### `ams_session_events_query_v1`
```
Name: ams_session_events_query_v1
Description: >-
The query provides list of events done on specific session.
The query accepts IAM Principal Id as part of the filters, and return all write actions done on that resource.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides a list of events executed on a specific session.
The query accepts the IAM principal ID as part of the filters (replace the placeholder "" in the WHERE clause of the query),
and returns all write actions done on that resource.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
useridentity.principalId AS "IAM PrincipalId",
useridentity.accesskeyid AS "IAM SessionId",
useridentity.accountid AS "AccountId",
reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
eventname AS "EventName",
awsregion AS "EventRegion",
eventsource AS "EventService",
eventtime AS "EventTime",
requestparameters As "RequestParameters",
responseelements AS "ResponseElements",
useragent AS "UserAgent"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate WHERE
useridentity.principalid = ''
AND datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND readonly <> 'true'
ORDER BY eventtime
InsightsQueryString: |-
# The query provides a list of events executed on a specific session.
#
# The query accepts the IAM principal ID as part of the filters (replace the placeholder "" in the filter of the query),
# and returns all write actions done on that resource.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter readOnly=0 AND userIdentity.principalId = ""
| sort eventTime desc
| fields
userIdentity.accessKeyId as IAMSessionId,
userIdentity.principalId as IAMPrincipalId,
userIdentity.accountId as AccountId,
userIdentity.arn as ActionedBy,
eventName as EventName,
awsRegion as EventRegion,
eventSource as EventService,
eventTime as EventTime,
userAgent as UserAgent
| parse @message '"requestParameters":{*}' as RequestParameters
| parse @message '"responseElements":{*}' as ResponseElements
```
#### `ams_session_ids_by_requester_v1`
```
Name: ams_session_ids_by_requester_v1
Description: >-
The query provides list of IAM Principal/Session Ids for specific requester.
The query accepts requester and return all IAM Principal/Session Ids by that requester during specific time range.
By default; the query list the accesses for last day, the user can change the time range by changing the datetime filter.
AthenaQueryString: |-
/*
The query provides list of IAM Principal IDs for a specific requester.
The query accepts the requester (replace placeholder "" in the WHERE clause of the query),
and returns all IAM Principal IDs by that requester during a specific time range.
By default, the query filters the last day's events only; you can change the "datetime" filter to search for a wider time range.
For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
json_extract_scalar(responseelements, '$.credentials.accessKeyId') AS "IAM SessionIId",
eventtime AS "EventTime"
FROM
"{DATABASE NAME HERE}".{TABLENAME HERE} <- This should auto-populate
WHERE
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
AND json_extract_scalar(requestparameters, '$.tags[2].value') = ''
ORDER BY eventtime
InsightsQueryString: |-
# The query provides list of IAM Principal IDs for a specific requester.
#
# The query accepts the requester (replace placeholder "" in the filter of the query),
# and returns all IAM Principal IDs by that requester during a specific time range.
#
# For expected inputs and scenarios, refer to AMS Documentation -> Tracking changes in your AMS Accelerate accounts -> Default Queries
filter eventName="AssumeRole" AND requestParameters.tags.2.value=""
| sort eventTime desc
| fields
responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
responseElements.credentials.accessKeyId as IAMSessionId,
eventTime as EventTime
```
## Alterar permissões de registro
As seguintes permissões são necessárias para executar consultas de registro de alterações:
+ **Athena**
+ Atena: GetWorkGroup
+ Atena: StartQueryExecution
+ Atena: ListDataCatalogs
+ Atena: GetQueryExecution
+ Atena: GetQueryResults
+ Atena: BatchGetNamedQuery
+ Atena: ListWorkGroups
+ Atena: UpdateWorkGroup
+ Atena: GetNamedQuery
+ Atena: ListQueryExecutions
+ Atena: ListNamedQueries
+ **AWS KMS**
+ kms:Decrypt
+ AWS KMS ID de chave ou seus IDs de AWS KMS chave AMSCloudTrailLogManagement, se o Accelerate estiver usando seu armazenamento de dados de bucket Amazon S3 de eventos de CloudTrail trilha usando criptografia [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html).
+ **AWS Glue**
+ cola: GetDatabase
+ cola: GetTables
+ cola: GetDatabases
+ cola: GetTable
+ **Acesso de leitura ao Amazon S3**
+ CloudTrail Armazenamento de dados de bucket do Amazon S3: ams-a {{AccountId}} -cloudtrail-{{primary region}}, ou o nome do seu bucket do Amazon S3, eventos de trilha Armazenamento de dados do bucket do Amazon S3. CloudTrail
+ **Acesso de gravação ao Amazon S3**
+ Resultados da consulta de eventos do Athena Amazon S3 bucket: ams-a athena-results- {{AccountId}} {{primary region}}