This is a machine translation of the English original. If there is any ambiguity or inconsistency between the two, the English version prevails.
Tracking changes in your AMS Accelerate accounts
Important
As of July 1, 2025, the change record service is deprecated.
New accounts cannot onboard to the change record service.
To query CloudTrail data in your AMS Accelerate accounts, you can use these services:
- In AWS CloudTrail, choose Event history and use lookup attributes to filter events. You can use the time-range filter and choose to filter the event history by a specified event source, such as s3.amazonaws.com, or by user name. For more information, see Working with CloudTrail Event history.
- Use AWS CloudTrail Lake to collect data with queries. In AWS CloudTrail, choose Lake, and then choose Query. You can write your own query, use the query generator, or use a sample query to collect event-based data. For example, you can ask who deleted an Amazon EC2 instance in the last week. For more information, see Create a data lake from AWS CloudTrail sources and CloudTrail Lake queries.
- Create an Amazon Athena table in AWS CloudTrail and set the storage location to the Amazon S3 bucket associated with your trail. Make sure that your trail and the Amazon S3 bucket have the same home Region. In Amazon Athena, use the query editor to run the default queries that Accelerate provides for use with the Athena console. For details on how to create an Athena table to query CloudTrail logs, see Querying AWS CloudTrail logs.
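The following is an added example, not from the AMS documentation, for the CloudTrail Lake question mentioned above ("who deleted an Amazon EC2 instance in the last week"). <EVENT_DATA_STORE_ID> is a placeholder for the ID of your own event data store; the query assumes CloudTrail Lake's standard event schema (requestParameters stored as a string map) and the Trino date functions that Lake accepts.

```sql
-- Added example (not from the AMS documentation): CloudTrail Lake query for
-- EC2 instance terminations in the last 7 days.
-- <EVENT_DATA_STORE_ID> is a placeholder for your event data store ID.
SELECT
  eventTime,
  awsRegion,
  userIdentity.arn                                AS actor,          -- who made the call
  userIdentity.type                               AS identityType,   -- IAMUser, AssumedRole, ...
  sourceIPAddress,
  element_at(requestParameters, 'instancesSet')   AS instances,      -- instance IDs requested
  errorCode                                       AS errorCode       -- NULL when the call succeeded
FROM <EVENT_DATA_STORE_ID>
WHERE eventSource = 'ec2.amazonaws.com'
  AND eventName   = 'TerminateInstances'
  -- eventTime is a timestamp in Lake; cast the date arithmetic so the comparison is explicit
  AND eventTime   > CAST(date_add('day', -7, current_date) AS timestamp)
ORDER BY eventTime DESC
```

Rows with a non-NULL errorCode are failed attempts, which are often more interesting for an investigation than the successful terminations, so the example returns both and leaves the filtering to the analyst.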
AWS Managed Services helps you track changes made by the AMS Accelerate Operations team and by AMS Accelerate automation through a queryable interface built on the Amazon Athena (Athena) console and AMS Accelerate log management.
Athena is an interactive query service that you can use to analyze data in Amazon S3 with standard Structured Query Language (SQL) (see the SQL reference for Amazon Athena). Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run. AMS Accelerate creates an Athena table with daily partitions over your CloudTrail logs and provides the queries in your primary AWS Region, in the ams-change-record workgroup. You can select any of the default queries and run them as needed. To learn more about Athena workgroups, see How workgroups work.
Note
When Accelerate is integrated with your CloudTrail Organization trail, only Accelerate can use Athena to query the CloudTrail events of your Accelerate account, unless your Organization administrator deployed an IAM role during onboarding that lets you use Athena to query and analyze the CloudTrail events in your account.
With the change record, you can easily answer questions such as:
- Who (AMS Accelerate systems or AMS Accelerate operators) accessed your account
- What changes AMS Accelerate made in your account
- When AMS Accelerate made changes in your account
- Where to view the changes made in your account
- Why AMS Accelerate needed to make changes in your account
- How to modify the queries to get answers to the same questions for all non-AMS changes
Viewing your change record
To use the Athena queries, sign in to the AWS Management Console and navigate to the Athena console in your primary AWS Region.
Note
If you see the Amazon Athena Get Started page while performing any of these steps, choose Get Started. This page can appear even when your change record infrastructure is already in place.
1. From the top navigation panel of the Athena console, choose Workgroup.
2. Choose the ams-change-record workgroup, and then choose Switch workgroup.
3. From the Database combo box, choose ams-change-record-database. The ams-change-record-database contains the ams-change-record-table table.
4. From the top navigation panel, choose Saved Queries.
5. The Saved Queries window shows the list of queries provided by AMS Accelerate that you can run. From the saved queries list, choose the query that you want to run, for example the ams_session_accesses_v1 query.
For the full list of default AMS Accelerate queries, see Default queries.
6. Adjust the datetime filter in the query editor box as needed; by default, the queries check only changes since the last day.
7. Choose Run query.
Default queries
AMS Accelerate provides several default queries that you can use in the Athena console. The default queries are listed in the following table.
Note
All queries accept a date range as an optional filter; by default, all queries run over the last 24 hours. For the expected inputs, see the section Modifying the datetime filter in the queries.
Parameter inputs that you can or must change appear in the query as placeholders in angle brackets, <PARAMETER_NAME>. Replace the placeholder, including the angle brackets, with your parameter value. All filters are optional. In the queries, some optional filters are marked with a double dash (--) at the start of the line; all queries run without them, using the default parameters. If you want to specify a parameter value for one of these optional filters, remove the double dash (--) from the start of the line and replace the parameter as needed.
All queries return IAM PrincipalId and IAM SessionId in their output. The compute cost of running a query depends on how much CloudTrail log data is generated for the account. To estimate the cost, use the AWS Athena pricing calculator.
| Purpose/Description | Inputs | Outputs |
|---|---|---|
| Track AMS Accelerate access sessions. Provides information on specific AMS Accelerate access sessions. The query accepts an IAM Principal ID as an optional filter and returns the event time, the business need for accessing the account, the requester, and so on. You can uncomment the filter line in the query editor and replace the placeholder <IAM PrincipalId> with the specific ID. You can also remove the user-agent filter line from the WHERE clause of the query to list non-AMS access sessions. Query name: ams_access_session_query_v1 | <IAM PrincipalId> (optional); datetime range (optional) | IAM PrincipalId, IAM SessionId, EventTime, EventName, EventRegion, EventId, BusinessNeed, BusinessNeedType, Requester, AccessRequestType |
| Track all mutating actions done by AMS Accelerate. Returns all write actions done on the account using the AMS Accelerate role filter. You can also track mutating actions done by non-AMS roles by removing the useridentity.arn filter lines from the WHERE clause of the query. Query name: ams_events_query_v1 | datetime range only (optional). See Modifying the datetime filter in the queries. | IAM PrincipalId, IAM SessionId, AccountId, RoleArn, EventId, EventName, EventRegion, EventService, EventTime, RequestParameters, ResponseElements, UserAgent |
| Track instance accesses by AMS Accelerate. Returns the list of AMS Accelerate instance accesses; every record includes the event time, the event Region, the instance ID, the IAM Principal ID, the IAM session ID, and the SSM session ID. You can use the IAM Principal ID with the ams_access_session_query_v1 query to get the business need for the access. You can also list non-AMS instance accesses by removing the useridentity filter line from the WHERE clause of the query. Query name: ams_instance_access_sessions_query_v1 | datetime range only (optional) | IAM PrincipalId, IAM SessionId, InstanceId, SSM SessionId, EventName, EventRegion, EventId, EventService, EventTime |
| Track permission (escalation) events by AMS and non-AMS users. Provides a list of events that can directly or potentially lead to privilege escalation. The query accepts ActionedBy as an optional filter and returns EventName, EventId, EventTime, and so on. All fields associated with the event are also returned; a field is blank if it does not apply to that event. By default, the ActionedBy filter is disabled (it shows privilege escalation events from all users). To show events for a particular user or role, remove the double dash (--) from the useridentity filter line in the WHERE clause and replace the placeholder <ACTIONEDBY_PUT_USER_NAME_HERE> with the IAM user or role name. Query name: ams_privilege_escalation_events_query_v1 | <ACTIONEDBY_PUT_USER_NAME_HERE> (optional); datetime range (optional) | IAM PrincipalId, IAM SessionId, AccountId, ActionedBy, EventName, EventRegion, EventId, EventTime, and the IAM request fields (UserName, RoleName, GroupName, PolicyArn, PolicyName, PermissionsBoundary, InstanceProfileName, and others) |
| Track write events on a specific resource, by AMS or non-AMS. Provides a list of events done on a specific resource. The query accepts a resource ID as part of the filters (replace the placeholder <RESOURCE_INFO> in the WHERE clause of the query) and returns all write actions done on that resource. Query name: ams_resource_events_query_v1 | <RESOURCE_INFO> (required); datetime range (optional) | IAM PrincipalId, IAM SessionId, AccountId, ActionedBy, EventName, EventRegion, EventId, EventService, EventTime |
| Track write actions done by AMS Accelerate during a specific session. Provides a list of events done in a specific session. The query accepts an IAM Principal ID as part of the filters (replace the placeholder <PRINCIPAL_ID> in the WHERE clause of the query) and returns all write actions done in that session. Query name: ams_session_events_query_v1 | <PRINCIPAL_ID> (required); datetime range (optional) | IAM PrincipalId, IAM SessionId, AccountId, ActionedBy, EventName, EventRegion, EventService, EventTime, RequestParameters, ResponseElements, UserAgent |
| Track the IAM principal/session IDs for a specific requester. The query accepts a requester (replace the placeholder <Requester> in the WHERE clause of the query) and returns all IAM principal/session IDs for that requester during the time range. Query name: ams_session_ids_by_requester_v1 | <Requester> (required); datetime range (optional) | IAM PrincipalId, IAM SessionId, EventTime |
Modifying the datetime filter in the queries
All queries accept a date range as an optional filter. By default, all queries run over the last day.
The format used for the datetime field is yyyy/MM/dd (for example: 2021/01/01). Keep in mind that it stores only the date, not the full timestamp. For the full timestamp, use the eventtime field, which stores the timestamp in ISO 8601 format, yyyy-MM-ddTHH:mm:ssZ (for example: 2021-01-01T23:59:59Z). However, because the table is partitioned on the datetime field, you need to pass both a datetime filter and an eventtime filter to the query. See the following examples.
Note
For all accepted ways of modifying the range, see the latest Presto function documentation for date and time functions and operators for the Athena engine version you are currently using.
Date level: last 1 day or last 24 hours (default). Example: if CURRENT_DATE = '2021/01/01', the filter subtracts one day from the current date and formats it, which gives datetime > '2020/12/31':
datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
Date level: last 2 months. Example:
datetime > date_format(date_add('month', - 2, CURRENT_DATE), '%Y/%m/%d')
Date level: between 2 dates. Example:
datetime > '2021/01/01' AND datetime < '2021/01/10'
Timestamp level: last 12 hours. Example: scan the partition data for the last day (>= so that yesterday's partition is included when the 12-hour window starts before midnight), then filter for all events within the last 12 hours:
datetime >= date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d') AND eventtime > date_format(date_add('hour', - 12, CURRENT_TIMESTAMP), '%Y-%m-%dT%H:%i:%sZ')
Timestamp level: between 2 timestamps. Example: get events between 12:00 PM on January 1, 2021 and 3:00 PM on January 10, 2021. The datetime bounds are inclusive so that the partitions for the first and last day are scanned, and the eventtime bounds apply the exact cut-off:
datetime >= '2021/01/01' AND datetime <= '2021/01/10' AND eventtime > '2021-01-01T12:00:00Z' AND eventtime < '2021-01-10T15:00:00Z'
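The following is an added example, not part of the AMS documentation: a complete Athena query over the change-record table that combines both filters from this section for a 12-hour window and summarizes the write activity it finds per session. It assumes the ams-change-record-database and ams-change-record-table names given earlier on this page and the readonly column that the default queries use. Because datetime is a yyyy/MM/dd string partition key, the default strict comparison against yesterday's date selects only today's partition; the example uses >= so that a window starting before 00:00 UTC is fully covered.

```sql
-- Added example (not from the AMS documentation): write activity in the last
-- 12 hours, grouped per IAM session and API call. Database and table names are
-- the ones described on this page; hyphenated names must be double-quoted.
SELECT
  useridentity.principalid AS "IAM PrincipalId",
  useridentity.accesskeyid AS "IAM SessionId",   -- one value per assumed-role session
  eventsource              AS "EventService",
  eventname                AS "EventName",
  COUNT(*)                 AS "Count",
  MIN(eventtime)           AS "FirstSeen",
  MAX(eventtime)           AS "LastSeen"
FROM "ams-change-record-database"."ams-change-record-table"
WHERE
  -- Partition pruning on the yyyy/MM/dd string key. '>=' keeps yesterday's
  -- partition, which a 12-hour window that began before midnight UTC needs;
  -- '>' would scan today's partition only.
  datetime >= date_format(date_add('day', -1, CURRENT_DATE), '%Y/%m/%d')
  -- Exact cut-off on the ISO 8601 eventtime string. The format matches
  -- CloudTrail's yyyy-MM-ddTHH:mm:ssZ, so string comparison orders correctly.
  AND eventtime >= date_format(date_add('hour', -12, CURRENT_TIMESTAMP), '%Y-%m-%dT%H:%i:%sZ')
  -- Mutating calls only; readonly is stored as a string in this table.
  AND readonly <> 'true'
GROUP BY useridentity.principalid, useridentity.accesskeyid, eventsource, eventname
ORDER BY "LastSeen" DESC
```

To turn this into a fixed investigation window, replace the two date_format(...) expressions with literal bounds in the same formats ('2021/01/01' for datetime, '2021-01-01T12:00:00Z' for eventtime), keeping the datetime bounds inclusive of the first and last day.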
Default query examples

```yaml
Name: ams_access_session_query_v1
Description: >-
  The query provides more information on a specific AMS access session.
  The query accepts IAM Principal Id as an optional filter and returns event time,
  business need for accessing the account, requester, etc.
  By default, the query filters last day events only; the user can change the
  datetime filter to search a wider time range.
  By default, the IAM PrincipalId filter is disabled. To enable it, remove "-- " from that line.
AthenaQueryString: |-
  /*
  The query provides a list of AMS access sessions during a specific time range.
  The query accepts IAM Principal Id as an optional filter and returns event time,
  business need for accessing the account, requester, etc.

  By default, the query filters the last day's events only; you can change the
  "datetime" filter to search for a wider time range.

  By default, the IAM Principal ID filter is disabled (it shows access sessions for
  all IAM principals). If you want to only show access sessions for a particular IAM
  principal ID, remove the double-dash (--) from the "IAM Principal ID" filter line
  in the WHERE clause of the query, and replace the placeholder "<IAM PrincipalId>"
  with the specific ID that you want. You can run the query without the filter to
  determine the exact IAM PrincipalId you want to filter with.

  By default, the query only shows AMS access sessions. If you also want to show
  non-AMS access sessions, remove the "useragent" filter in the WHERE clause of the query.

  For expected inputs and scenarios, refer to AMS Documentation ->
  Tracking changes in your AMS Accelerate accounts -> Default Queries
  */
  SELECT
    json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
    json_extract_scalar(responseelements, '$.credentials.accessKeyId')        AS "IAM SessionId",
    eventtime AS "EventTime",
    eventname AS "EventName",
    awsregion AS "EventRegion",
    eventid   AS "EventId",
    json_extract_scalar(requestparameters, '$.tags[0].value') AS "BusinessNeed",
    json_extract_scalar(requestparameters, '$.tags[1].value') AS "BusinessNeedType",
    json_extract_scalar(requestparameters, '$.tags[2].value') AS "Requester",
    json_extract_scalar(requestparameters, '$.tags[3].value') AS "AccessRequestType"
  FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
  WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
    AND eventname = 'AssumeRole'
    AND useragent = 'access.managedservices.amazonaws.com'
    -- AND json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') = '<IAM PrincipalId>'
  ORDER BY eventtime
InsightsQueryString: |-
  # The query provides a list of AMS access sessions during a specific time range.
  # The query accepts IAM Principal Id as an optional filter and returns event time,
  # business need for accessing the account, requester, etc.
  #
  # By default, the IAM Principal ID filter is disabled (it shows access sessions for all IAM principals).
  # If you want to only show access sessions for a particular IAM principal ID, remove the # (#) from
  # the "IAM Principal ID" filter of the query, and replace the placeholder "<IAM PrincipalId>" with the
  # specific ID that you want. You can run the query without the filter to determine the exact
  # IAM PrincipalId you want to filter with.
  #
  # By default, the query only shows AMS access sessions. If you also want to show non-AMS access sessions,
  # remove the "useragent" filter from the query.
  #
  # For expected inputs and scenarios, refer to AMS Documentation ->
  # Tracking changes in your AMS Accelerate accounts -> Default Queries
  filter eventName="AssumeRole" AND userAgent="access.managedservices.amazonaws.com"
  # | filter responseElements.assumedRoleUser.assumedRoleId = "<IAM PrincipalId>"
  | sort eventTime desc
  | fields responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
           responseElements.credentials.accessKeyId as IAMSessionId,
           eventTime as EventTime, eventName as EventName, awsRegion as EventRegion, eventID as EventId,
           requestParameters.tags.0.value as BusinessNeed, requestParameters.tags.1.value as BusinessNeedType,
           requestParameters.tags.2.value as Requester, requestParameters.tags.3.value as AccessRequestType
```
ams_events_query_v1.yaml

```sql
/*
The query provides a list of events to track write actions for all AMS changes.
The query returns all write actions done on the account using that AMS role filter.

By default, the query filters the last day's events only; you can change the
"datetime" filter to search for a wider time range.

You can also track mutating actions done by non-AMS roles by removing the
"useridentity.arn" filter lines from the WHERE clause of the query.

For expected inputs and scenarios, refer to AMS Documentation ->
Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
  useridentity.principalId  AS "IAM PrincipalId",
  useridentity.accesskeyid  AS "IAM SessionId",
  useridentity.accountid    AS "AccountId",
  useridentity.arn          AS "RoleArn",
  eventid          AS "EventId",
  eventname        AS "EventName",
  awsregion        AS "EventRegion",
  eventsource      AS "EventService",
  eventtime        AS "EventTime",
  requestparameters AS "RequestParameters",
  responseelements  AS "ResponseElements",
  useragent         AS "UserAgent"
FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
  AND readonly <> 'true'
  AND (
    LOWER(useridentity.arn) LIKE '%/ams%'
    OR LOWER(useridentity.arn) LIKE '%/customer_ssm_automation_role%'
  )
ORDER BY eventtime
```
ams_instance_access_sessions_query_v1

```sql
/*
The query provides a list of AMS instance accesses during a specific time range.
The query returns the list of AMS instance accesses; every record includes the event time,
the event AWS Region, the instance ID, the IAM session ID, and the SSM session ID.

You can use the IAM Principal ID to get more details on the business need for accessing
the instance by using the ams_access_session_query_v1 Athena query.
You can use the SSM session ID to get more details on the instance access session,
including the start and end time of the session and log details, using the
AWS Session Manager console in the instance's AWS Region.

You can also list non-AMS instance accesses by removing the "useridentity" filter line
in the WHERE clause of the query.

By default, the query filters the last day's events only; you can change the
"datetime" filter to search for a wider time range.

For expected inputs and scenarios, refer to AMS Documentation ->
Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
  useridentity.principalId AS "IAM PrincipalId",
  useridentity.accesskeyid AS "IAM SessionId",
  json_extract_scalar(requestparameters, '$.target')   AS "InstanceId",
  json_extract_scalar(responseelements, '$.sessionId') AS "SSM SessionId",
  eventname   AS "EventName",
  awsregion   AS "EventRegion",
  eventid     AS "EventId",
  eventsource AS "EventService",
  eventtime   AS "EventTime"
FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
  AND useridentity.sessionContext.sessionIssuer.arn LIKE '%/ams_%'
  AND eventname = 'StartSession'
ORDER BY eventtime
```
ams_privilege_escalation_events_query_v1.yaml

```sql
/*
The query provides a list of events that can directly or potentially lead to a privilege escalation.
The query accepts ActionedBy as an optional filter and returns EventName, EventId, EventTime, etc.
All fields associated with the event are also returned. Some fields are blank if not applicable
for that event.

You can use the IAM Session ID to get more details about events that happened in that session
by using the ams_session_events_query_v1 query.

By default, the query filters the last day's events only; you can change the
"datetime" filter to search for a wider time range.

By default, the ActionedBy filter is disabled (it shows privilege escalation events from all users).
To show events for a particular user or role, remove the double-dash (--) from the useridentity
filter line in the WHERE clause of the query and replace the placeholder
"<ACTIONEDBY_PUT_USER_NAME_HERE>" with an IAM user or role name.
You can run the query without the filter to determine the exact user you want to filter with.

For expected inputs and scenarios, refer to AMS Documentation ->
Tracking changes in your AMS Accelerate accounts -> Default Queries
*/
SELECT
  useridentity.principalId AS "IAM PrincipalId",
  useridentity.accesskeyid AS "IAM SessionId",
  useridentity.accountid   AS "AccountId",
  reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
  eventname AS "EventName",
  awsregion AS "EventRegion",
  eventid   AS "EventId",
  eventtime AS "EventTime",
  json_extract_scalar(requestparameters, '$.userName')                 AS "UserName",
  json_extract_scalar(requestparameters, '$.roleName')                 AS "RoleName",
  json_extract_scalar(requestparameters, '$.groupName')                AS "GroupName",
  json_extract_scalar(requestparameters, '$.policyArn')                AS "PolicyArn",
  json_extract_scalar(requestparameters, '$.policyName')               AS "PolicyName",
  json_extract_scalar(requestparameters, '$.permissionsBoundary')      AS "PermissionsBoundary",
  json_extract_scalar(requestparameters, '$.instanceProfileName')      AS "InstanceProfileName",
  json_extract_scalar(requestparameters, '$.openIDConnectProviderArn') AS "OpenIDConnectProviderArn",
  json_extract_scalar(requestparameters, '$.serialNumber')             AS "SerialNumber",
  json_extract_scalar(requestparameters, '$.serverCertificateName')    AS "ServerCertificateName",
  json_extract_scalar(requestparameters, '$.accessKeyId')              AS "AccessKeyId",
  json_extract_scalar(requestparameters, '$.certificateId')            AS "CertificateId",
  json_extract_scalar(requestparameters, '$.newUserName')              AS "NewUserName",
  json_extract_scalar(requestparameters, '$.newGroupName')             AS "NewGroupName",
  json_extract_scalar(requestparameters, '$.newServerCertificateName') AS "NewServerCertificateName",
  json_extract_scalar(requestparameters, '$.name')                     AS "SAMLProviderName",
  json_extract_scalar(requestparameters, '$.sAMLProviderArn')          AS "SAMLProviderArn",
  json_extract_scalar(requestparameters, '$.sSHPublicKeyId')           AS "SSHPublicKeyId",
  json_extract_scalar(requestparameters, '$.virtualMFADeviceName')     AS "VirtualMFADeviceName"
FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
  AND (
    -- More event names can be found at
    -- https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
    eventname LIKE 'Add%'
    OR eventname LIKE 'Attach%'
    OR (eventname LIKE 'Delete%' AND eventname != 'DeleteAccountAlias')
    OR eventname LIKE 'Detach%'
    OR (eventname LIKE 'Create%' AND eventname != 'CreateAccountAlias')
    OR eventname LIKE 'Put%'
    OR eventname LIKE 'Remove%'
    OR eventname LIKE 'Update%'
    OR eventname LIKE 'Upload%'
    OR eventname = 'DeactivateMFADevice'
    OR eventname = 'EnableMFADevice'
    OR eventname = 'ResetServiceSpecificCredential'
    OR eventname = 'SetDefaultPolicyVersion'
  )
  AND eventsource = 'iam.amazonaws.com'
  -- AND reverse(split_part(reverse(useridentity.arn), ':', 1)) = '<ACTIONEDBY_PUT_USER_NAME_HERE>'
ORDER BY eventtime
```
```yaml
Name: ams_resource_events_query_v1
Description: >-
  The query provides a list of events done on a specific resource.
  The query accepts a resource id as part of the filters, and returns all write actions
  done on that resource.
  By default, the query lists the accesses for the last day; the user can change the
  time range by changing the datetime filter.
AthenaQueryString: |-
  /*
  The query provides a list of events done on a specific resource.

  The query accepts the resource ID as part of the filters (replace the placeholder
  "<RESOURCE_INFO>" in the WHERE clause of the query), and returns all write actions
  done on that resource. The resource ID can be an ID for any AWS resource in the account.
  Example: an instance ID for an EC2 instance, a table name for a DynamoDB table,
  a logGroupName for a CloudWatch Log, etc.

  By default, the query filters the last day's events only; you can change the
  "datetime" filter to search for a wider time range.

  For expected inputs and scenarios, refer to AMS Documentation ->
  Tracking changes in your AMS Accelerate accounts -> Default Queries
  */
  SELECT
    useridentity.principalId AS "IAM PrincipalId",
    useridentity.accesskeyid AS "IAM SessionId",
    useridentity.accountid   AS "AccountId",
    reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
    eventname   AS "EventName",
    awsregion   AS "EventRegion",
    eventid     AS "EventId",
    eventsource AS "EventService",
    eventtime   AS "EventTime"
  FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
  WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
    AND readonly <> 'true'
    AND (
      requestparameters LIKE '%<RESOURCE_INFO>%'
      OR responseelements LIKE '%<RESOURCE_INFO>%'
    )
  ORDER BY eventtime
InsightsQueryString: |-
  # The query provides a list of events done on a specific resource.
  #
  # The query accepts the resource ID as part of the filters (replace the placeholder
  # "<RESOURCE_INFO>" in the filter of the query), and returns all write actions done on
  # that resource. The resource ID can be an ID for any AWS resource in the account.
  # Example: an instance ID for an EC2 instance, a table name for a DynamoDB table,
  # a logGroupName for a CloudWatch Log, etc.
  #
  # For expected inputs and scenarios, refer to AMS Documentation ->
  # Tracking changes in your AMS Accelerate accounts -> Default Queries
  filter readOnly=0
  | parse @message '"requestParameters":{*}' as RequestParameters
  | parse @message '"responseElements":{*}' as ResponseElements
  # | filter RequestParameters like "<RESOURCE_INFO>" or ResponseElements like "<RESOURCE_INFO>"
  | fields userIdentity.principalId as IAMPrincipalId, userIdentity.accessKeyId as IAMSessionId,
           userIdentity.accountId as AccountId, userIdentity.arn as ActionedBy,
           eventName as EventName, awsRegion as EventRegion, eventID as EventId,
           eventSource as EventService, eventTime as EventTime
  | display IAMPrincipalId, IAMSessionId, AccountId, ActionedBy, EventName, EventRegion, EventId, EventService, EventTime
  | sort eventTime desc
```
```yaml
Name: ams_session_events_query_v1
Description: >-
  The query provides a list of events done in a specific session.
  The query accepts IAM Principal Id as part of the filters, and returns all write actions
  done in that session.
  By default, the query lists the accesses for the last day; the user can change the
  time range by changing the datetime filter.
AthenaQueryString: |-
  /*
  The query provides a list of events executed in a specific session.

  The query accepts the IAM principal ID as part of the filters (replace the placeholder
  "<PRINCIPAL_ID>" in the WHERE clause of the query), and returns all write actions done
  in that session.

  By default, the query filters the last day's events only; you can change the
  "datetime" filter to search for a wider time range.

  For expected inputs and scenarios, refer to AMS Documentation ->
  Tracking changes in your AMS Accelerate accounts -> Default Queries
  */
  SELECT
    useridentity.principalId AS "IAM PrincipalId",
    useridentity.accesskeyid AS "IAM SessionId",
    useridentity.accountid   AS "AccountId",
    reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",
    eventname         AS "EventName",
    awsregion         AS "EventRegion",
    eventsource       AS "EventService",
    eventtime         AS "EventTime",
    requestparameters AS "RequestParameters",
    responseelements  AS "ResponseElements",
    useragent         AS "UserAgent"
  FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
  WHERE useridentity.principalid = '<PRINCIPAL_ID>'
    AND datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
    AND readonly <> 'true'
  ORDER BY eventtime
InsightsQueryString: |-
  # The query provides a list of events executed in a specific session.
  #
  # The query accepts the IAM principal ID as part of the filters (replace the placeholder
  # "<PRINCIPAL_ID>" in the filter of the query), and returns all write actions done in that session.
  #
  # For expected inputs and scenarios, refer to AMS Documentation ->
  # Tracking changes in your AMS Accelerate accounts -> Default Queries
  filter readOnly=0 AND userIdentity.principalId = "<PRINCIPAL_ID>"
  | sort eventTime desc
  | fields userIdentity.accessKeyId as IAMSessionId, userIdentity.principalId as IAMPrincipalId,
           userIdentity.accountId as AccountId, userIdentity.arn as ActionedBy,
           eventName as EventName, awsRegion as EventRegion, eventSource as EventService,
           eventTime as EventTime, userAgent as UserAgent
  | parse @message '"requestParameters":{*}' as RequestParameters
  | parse @message '"responseElements":{*}' as ResponseElements
```
```yaml
Name: ams_session_ids_by_requester_v1
Description: >-
  The query provides a list of IAM Principal/Session Ids for a specific requester.
  The query accepts a requester and returns all IAM Principal/Session Ids by that requester
  during a specific time range.
  By default, the query lists the accesses for the last day; the user can change the
  time range by changing the datetime filter.
AthenaQueryString: |-
  /*
  The query provides a list of IAM Principal IDs for a specific requester.

  The query accepts the requester (replace the placeholder "<Requester>" in the WHERE clause
  of the query), and returns all IAM Principal IDs by that requester during a specific time range.

  By default, the query filters the last day's events only; you can change the
  "datetime" filter to search for a wider time range.

  For expected inputs and scenarios, refer to AMS Documentation ->
  Tracking changes in your AMS Accelerate accounts -> Default Queries
  */
  SELECT
    json_extract_scalar(responseelements, '$.assumedRoleUser.assumedRoleId') AS "IAM PrincipalId",
    json_extract_scalar(responseelements, '$.credentials.accessKeyId')        AS "IAM SessionId",
    eventtime AS "EventTime"
  FROM "{DATABASE NAME HERE}".{TABLENAME HERE} -- <- This should auto-populate
  WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
    AND json_extract_scalar(requestparameters, '$.tags[2].value') = '<Requester>'
  ORDER BY eventtime
InsightsQueryString: |-
  # The query provides a list of IAM Principal IDs for a specific requester.
  #
  # The query accepts the requester (replace the placeholder "<Requester>" in the filter of the query),
  # and returns all IAM Principal IDs by that requester during a specific time range.
  #
  # For expected inputs and scenarios, refer to AMS Documentation ->
  # Tracking changes in your AMS Accelerate accounts -> Default Queries
  filter eventName="AssumeRole" AND requestParameters.tags.2.value="<Requester>"
  | sort eventTime desc
  | fields responseElements.assumedRoleUser.assumedRoleId as IAMPrincipalId,
           responseElements.credentials.accessKeyId as IAMSessionId,
           eventTime as EventTime
```
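The following is an added example, not one of the AMS default queries, showing how to adapt ams_events_query_v1 to answer the "non-AMS changes" question from the list at the top of this page and from the second row of the default-queries table. Instead of deleting the useridentity.arn filter, which lists every write call, it inverts the filter so that only non-AMS callers remain, and summarizes successful write calls per caller and API. It uses the ams-change-record-database and ams-change-record-table names described on this page; the errorcode and useridentity.type columns come from the standard CloudTrail Athena table definition and are not referenced by the default queries.

```sql
-- Added example (not an AMS default query): successful write actions by
-- non-AMS principals in the last day, summarized per caller and API call.
-- Table and database names are the ones described on this page.
SELECT
  reverse(split_part(reverse(useridentity.arn), ':', 1)) AS "ActionedBy",   -- last ARN segment, as in the default queries
  useridentity.type         AS "IdentityType",   -- IAMUser, AssumedRole, Root, ...
  eventsource               AS "EventService",
  eventname                 AS "EventName",
  COUNT(*)                  AS "Count",
  COUNT(DISTINCT awsregion) AS "Regions",        -- spread across Regions is worth a look
  MIN(eventtime)            AS "FirstSeen",
  MAX(eventtime)            AS "LastSeen"
FROM "ams-change-record-database"."ams-change-record-table"
WHERE datetime > date_format(date_add('day', - 1, CURRENT_DATE), '%Y/%m/%d')
  AND readonly <> 'true'                  -- mutating calls only
  AND errorcode IS NULL                   -- drop denied/failed attempts; remove to see them
  AND useridentity.arn IS NOT NULL        -- service-initiated events carry no caller ARN
  -- The ams_events_query_v1 role filter, inverted: everything that is NOT an AMS role.
  AND NOT (
        LOWER(useridentity.arn) LIKE '%/ams%'
     OR LOWER(useridentity.arn) LIKE '%/customer_ssm_automation_role%'
  )
GROUP BY 1, 2, 3, 4
ORDER BY "Count" DESC
```

Keeping the filter inverted rather than removed keeps AMS activity out of the result, so the same query can be scheduled as a daily review of changes made outside AMS; dropping the errorcode condition turns it into a view of rejected change attempts instead.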
Change record permissions
The following permissions are required to run the change record queries:
Athena
athena:GetWorkGroup
athena:StartQueryExecution
athena:ListDataCatalogs
athena:GetQueryExecution
athena:GetQueryResults
athena:BatchGetNamedQuery
athena:ListWorkGroups
athena:UpdateWorkGroup
athena:GetNamedQuery
athena:ListQueryExecutions
athena:ListNamedQueries
AWS KMS
kms:Decrypt
On the AWS KMS key ID of AMSCloudTrailLogManagement, or on your own AWS KMS key ID, if Accelerate uses SSE-KMS encryption for the Amazon S3 bucket that stores the CloudTrail trail events. See Using server-side encryption with AWS KMS keys (SSE-KMS) in the Amazon S3 User Guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
AWS Glue
glue:GetDatabase
glue:GetTables
glue:GetDatabases
glue:GetTable
Amazon S3 read access
The CloudTrail data store Amazon S3 bucket: ams-a<AccountId>-cloudtrail-<primary region>, or the name of your own Amazon S3 bucket that stores the CloudTrail trail events.
Amazon S3 write access
The Athena query results Amazon S3 bucket: ams-a<AccountId>-athena-results-<primary region>