Athena query security group changes

This morning, a clinic was unable to connect to their EC2 instance. After some quick troubleshooting, it turned out that the instance's security group had been changed: the inbound rule that allowed their IP subnet access on port 3389 (RDP) had been removed, so naturally they could no longer connect remotely. Adding the subnet back fixed the problem.

This change was most likely made unintentionally by an administrator. We can find out who did it through CloudTrail: for example, filtering the event history on RevokeSecurityGroupIngress shows who removed the security group's inbound rule.


To see the details, click into the event and view its Event Record.


If there is a lot of data, it is easier to query it through Athena: click the Create Athena Table button in the upper right corner, select the corresponding S3 bucket, and the table definition over the CloudTrail data is generated automatically.


After opening Athena, the generated table is already there and can be queried with SQL. Its structure matches the JSON of the Event Record we saw above.


What needs attention is the type of each column: some are string and some are struct. In the raw JSON, fields such as userIdentity and requestParameters both look like nested JSON objects, but in the Athena table they are given different types, and the SQL syntax for reading them is completely different.

In the following example, the nested key-value pairs in userIdentity (a struct column) can be accessed directly like object fields, whereas the key-value pairs in requestParameters (a string column) have to be pulled out with json_extract.

select userIdentity.username as username,
       eventTime,
       sourceIPAddress,
       json_extract(requestparameters, '$.groupId') as sg,
       requestparameters
from cloudtrail_logs_vetpartners_ec2logging
where eventname = 'RevokeSecurityGroupIngress'

The filtered results are shown below: when XXX deleted which security group rule is clear at a glance.

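The query above only shows the group ID. To see exactly which rule was removed (protocol, port, CIDR) and to catch rules being added as well, the nested ipPermissions array inside the requestParameters string has to be unpacked. The following is an added example, not from the original post; it assumes the post's table name cloudtrail_logs_vetpartners_ec2logging and CloudTrail's layout for EC2 security-group events (requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp), and the date filter is a constructed placeholder.

```sql
-- Added example: expand the nested JSON in requestparameters (a string column)
-- while reading useridentity (a struct column) directly.
WITH sg_changes AS (
  SELECT
    eventtime,
    eventname,
    useridentity.username AS username,       -- struct field: direct access
    useridentity.arn      AS principal_arn,
    sourceipaddress,
    json_extract_scalar(requestparameters, '$.groupId') AS security_group,
    -- ipPermissions.items is a JSON array; cast it so it can be unnested
    CAST(json_extract(requestparameters, '$.ipPermissions.items') AS ARRAY(JSON)) AS rules
  FROM cloudtrail_logs_vetpartners_ec2logging
  WHERE eventsource = 'ec2.amazonaws.com'
    AND eventname IN ('RevokeSecurityGroupIngress', 'AuthorizeSecurityGroupIngress')
    AND eventtime > '2020-01-01T00:00:00Z'   -- constructed placeholder; narrows the S3 scan
)
SELECT
  c.eventtime,
  c.eventname,
  c.username,
  c.principal_arn,
  c.sourceipaddress,
  c.security_group,
  json_extract_scalar(r,  '$.ipProtocol') AS protocol,
  json_extract_scalar(r,  '$.fromPort')   AS from_port,
  json_extract_scalar(r,  '$.toPort')     AS to_port,
  json_extract_scalar(ip, '$.cidrIp')     AS cidr
FROM sg_changes c
-- one row per rule in the call
CROSS JOIN UNNEST(c.rules) AS t(r)
-- one row per CIDR in that rule; rules that reference other security groups
-- instead of CIDRs have no ipRanges.items and are dropped by this join
CROSS JOIN UNNEST(CAST(json_extract(r, '$.ipRanges.items') AS ARRAY(JSON))) AS u(ip)
-- the incident in this post was the RDP rule, so narrow to port 3389
WHERE json_extract_scalar(r, '$.fromPort') = '3389'
ORDER BY c.eventtime DESC;
```

Drop the final WHERE clause to audit every ingress rule change; the output then gives a complete who/when/what trail for the group, which is the record you want before deciding whether the change was a mistake or something to investigate further.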

Origin blog.51cto.com/beanxyz/2587292