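Extract key values from CloudTrail Lookup-Events from AWS-CLI using jq
I run a command to get the lookup events for ConsoleLogin activity in my AWS account. I want to extract the key values of mfaAuthenticated, eventSource and eventType from this given JSON output.
The output I get from the above command: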
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "XXXXXXXXXXXXXXXXX:dkboss",
    "arn": "XXXXXXXXXXXXXXXXXXXXXXXXX/dkboss",
    "accountId": "XXXXXXXXXXXXXXXX",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
        "arn": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "accountId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "userName": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-11-27T15:24:28Z",
        "mfaAuthenticated": "false" ---------> I want this key value
      }
    }
  },
  "eventTime": "2022-11-27T15:24:29Z",
  "eventSource": "signin.amazonaws.com", ---------> I want this key value
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "1.1.1.1",
  "userAgent": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "MobileVersion": "No",
    "MFAUsed": "No"
  },
  "eventID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn", ---------> I want this key value
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXXXXXXXXXXXXX",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "clientProvidedHostHeader": "signin.aws.amazon.com"
  }
}
I ran this command to get the above JSON output:
aws cloudtrail --region us-east-1 lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --start-time $(date -d "-60 minutes" +%s) --query 'Events[].CloudTrailEvent.attributes' --output text | jq
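You didn't give any criteria for how to select the nodes, or how to format your output. So, how about just traversing to their location. Using the --raw-output (or -r) option, jq will output their decoded values. Having it as a stream in the filter (by separating them with commas ,) will make it a newline-separated list in the output.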
jq --raw-output '
.userIdentity.sessionContext.attributes.mfaAuthenticated,
.eventSource,
.eventType
'
false
signin.amazonaws.com
AwsConsoleSignIn
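An added example, not part of the original answer: the same paths applied to the raw JSON response of aws cloudtrail lookup-events (no --query or --output text), where each CloudTrailEvent is a JSON-encoded string that must be decoded with fromjson first. It goes beyond the single event above by printing one tab-separated row per event and n/a where an event has no sessionContext; the function names and the sample events are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names and the
# sample events below are constructed for illustration.

# Reads a raw lookup-events response on stdin and prints one TSV row per event:
# eventTime, userIdentity.type, mfaAuthenticated, MFAUsed, eventSource, eventType
console_login_fields() {
  jq --raw-output '
    .Events[]
    | .CloudTrailEvent
    | fromjson    # CloudTrailEvent is a JSON document encoded as a string
    | [ .eventTime,
        .userIdentity.type,
        # null when userIdentity has no sessionContext; print n/a instead
        (.userIdentity.sessionContext.attributes.mfaAuthenticated // "n/a"),
        (.additionalEventData.MFAUsed // "n/a"),
        .eventSource,
        .eventType ]
    | @tsv
  '
}

# Constructed sample shaped like a lookup-events response: one AssumedRole
# login (as in the question) and one event without sessionContext.
sample_events() {
  jq --null-input '
    [ { userIdentity: { type: "AssumedRole",
          sessionContext: { attributes: { mfaAuthenticated: "false" } } },
        eventTime: "2022-11-27T15:24:29Z", eventSource: "signin.amazonaws.com",
        additionalEventData: { MFAUsed: "No" }, eventType: "AwsConsoleSignIn" },
      { userIdentity: { type: "IAMUser" },
        eventTime: "2022-11-27T15:30:00Z", eventSource: "signin.amazonaws.com",
        additionalEventData: { MFAUsed: "Yes" }, eventType: "AwsConsoleSignIn" } ]
    | { Events: map({ EventName: "ConsoleLogin", CloudTrailEvent: tojson }) }
  '
}

# Against a live account the input would come from the CLI instead:
#   aws cloudtrail lookup-events --lookup-attributes \
#     AttributeKey=EventName,AttributeValue=ConsoleLogin | console_login_fields
sample_events | console_login_fields
```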