1 Answer
- Newest
- Most votes
- Most comments
1
Using the AWS Console
- Open your Amazon CloudWatch console and specify a region.
- On the left hand menu, select Insights under Logs.
- Select your CloudTrail Logs group from the dropdown near the top.
- On the right, choose a relative time frame to search.
- Enter the following command into the query input, and click Run query:
filter errorCode like /Unauthorized|Denied|Forbidden/ | fields awsRegion,
userIdentity.arn, eventSource, eventName, sourceIPAddress, userAgent
You could do the same with Athena from your S3 bucket trail
Information source https://www.blinkops.com/blog/getting-a-list-of-accessdenied-events-with-users-and-source-ip-addresses
Relevant content
- Accepted Answerasked 2 years ago
- asked a year ago
- asked a year ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 6 months ago