
Timeline of AWS key usage

A common question is "What is this AWS key being used for?" AWS natively shows which AWS service a key was last used with, and when. But when keys are reused in multiple places, remedying the bad hygiene can be difficult.

Run the aws-key-timeline stored query

Make sure you pass your own access key ID as the key param, and set the since param to the number of hours into the past you want to search.
$ runreveal query run aws-key-timeline --param key=AKIATWC67Q3JXOBJFIPH --param since=24
+-------------------+-----------------------+-----------------+------------------+----------+----------------------+
| eventName | userIdentity.userName | sourceIPAddress | srcASCountryCode | readOnly | eventTime |
+-------------------+-----------------------+-----------------+------------------+----------+----------------------+
| DescribeInstances | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:05:13Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:05:07Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:02:45Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:01:45Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:00:53Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:00:40Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:00:34Z |
+-------------------+-----------------------+-----------------+------------------+----------+----------------------+
Params Used: 'key=AKIATWC67Q3JXOBJFIPH' 'since=24'
Ran Query: select eventName, userIdentity.userName, sourceIPAddress, srcASCountryCode, readOnly, eventTime from cloudtrail_logs where eventTime>= subtractHours(now('UTC'), toInt32(@since)) AND userIdentity.accessKeyId=@key order by eventTime desc
Retrieved 7 rows in 809.789333ms
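When a key is reused in several places, collapsing the timeline by source address shows each distinct consumer of the key. The script below is an added example, not part of RunReveal's tooling or the original page: it parses the table printed by the CLI and summarizes calls per sourceIPAddress. The function names and the sample rows (including the 203.0.113.7 PutObject row) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the CLI's table layout. The first two rows mirror the
# output above; the PutObject row from 203.0.113.7 is invented for illustration.
SAMPLE = """\
+-------------------+-----------------------+-----------------+
| eventName | userIdentity.userName | sourceIPAddress | srcASCountryCode | readOnly | eventTime |
+-------------------+-----------------------+-----------------+
| DescribeInstances | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:05:13Z |
| ListBuckets | exampleKey | 70.122.134.143 | US | true | 2023-07-08T18:05:07Z |
| PutObject | exampleKey | 203.0.113.7 | DE | false | 2023-07-08T17:40:02Z |
+-------------------+-----------------------+-----------------+
"""


def parse_table(text):
    """Parse the ASCII table into dicts keyed by the header row."""
    rows = [
        [cell.strip() for cell in line.strip().strip("|").split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip +---+ borders and footer lines
    ]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def summarize_by_source(events):
    """Group calls by sourceIPAddress; each distinct source is a place the key is in use."""
    summary = defaultdict(lambda: {"country": "", "calls": 0, "writes": 0,
                                   "events": set(), "first": None, "last": None})
    for e in events:
        s = summary[e["sourceIPAddress"]]
        s["country"] = e["srcASCountryCode"]
        s["calls"] += 1
        s["writes"] += e["readOnly"].lower() == "false"  # state-changing calls
        s["events"].add(e["eventName"])
        # Same-format UTC ISO 8601 timestamps compare correctly as strings.
        t = e["eventTime"]
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return {ip: {**s, "events": sorted(s["events"])} for ip, s in summary.items()}


if __name__ == "__main__":
    for ip, s in summarize_by_source(parse_table(SAMPLE)).items():
        print(ip, s["country"], s["calls"], "calls,", s["writes"], "writes,",
              s["first"], "->", s["last"], s["events"])
```

A source with a nonzero writes count or an unexpected country code is the first place to look when deciding which consumer of the key to migrate or rotate.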
If you'd like to update this query to include other information or columns, consult the named query docs: