-
Notifications
You must be signed in to change notification settings - Fork 0
/
organization_trail_athena_table.sql
93 lines (93 loc) · 2.93 KB
/
organization_trail_athena_table.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
Example of Amazon Athena query to create a table to query Amazon CloudTrail logs recorded by your organization trail
Placeholders are between [ ]
[TABLE_NAME]
Name of the Athena table, example: cloudtrail_logs
[BUCKET_NAME_WITH_PREFIX]
Name of your Amazon S3 bucket that hosts CloudTrail logs
[ORGANIZATION_ID]
ID of your AWS organization
Example: o-xxxxxxxx
This field is present by default for organizational trail on the S3 path, if you have a custom setup you need to adapt below rows:
LOCATION 's3://[BUCKET_NAME_WITH_PREFIX]/AWSLogs/[ORGANIZATION_ID]/'
'storage.location.template'='s3://[BUCKET_NAME_WITH_PREFIX]/AWSLogs/[ORGANIZATION_ID]/${p_account}/CloudTrail/${p_region}/${p_date}'
[REGIONS]
List of AWS regions that you use
Add by default us-east-1 to query events on global resources, example: IAM or CloudFront
Example: eu-west-3,us-east-1
*/
CREATE EXTERNAL TABLE IF NOT EXISTS [TABLE_NAME] (
eventVersion STRING,
userIdentity STRUCT<
type: STRING,
principalId: STRING,
arn: STRING,
accountId: STRING,
invokedBy: STRING,
accessKeyId: STRING,
userName: STRING,
sessionContext: STRUCT<
attributes: STRUCT<
mfaAuthenticated: STRING,
creationDate: STRING>,
sessionIssuer: STRUCT<
type: STRING,
principalId: STRING,
arn: STRING,
accountId: STRING,
userName: STRING>,
ec2RoleDelivery: STRING,
webIdFederationData: MAP<STRING,STRING>>>,
eventTime STRING,
eventSource STRING,
eventName STRING,
awsRegion STRING,
sourceIpAddress STRING,
userAgent STRING,
errorCode STRING,
errorMessage STRING,
requestParameters STRING,
responseElements STRING,
additionalEventData STRING,
requestId STRING,
eventId STRING,
readOnly STRING,
resources ARRAY<STRUCT<
arn: STRING,
accountId: STRING,
type: STRING>>,
eventType STRING,
apiVersion STRING,
recipientAccountId STRING,
serviceEventDetails STRING,
sharedEventID STRING,
vpcEndpointId STRING,
tlsDetails STRUCT<
tlsVersion:string,
cipherSuite:string,
clientProvidedHostHeader:string
>
)
PARTITIONED BY (
`p_account` string,
`p_region` string,
`p_date` string
)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://[BUCKET_NAME_WITH_PREFIX]/AWSLogs/[ORGANIZATION_ID]/'
TBLPROPERTIES (
'projection.enabled'='true',
'projection.p_date.type'='date',
'projection.p_date.format'='yyyy/MM/dd',
'projection.p_date.interval'='1',
'projection.p_date.interval.unit'='DAYS',
'projection.p_date.range'='2022/01/01,NOW',
'projection.p_region.type'='enum',
'projection.p_region.values'='[REGIONS]',
'projection.p_account.type'='injected',
'storage.location.template'='s3://[BUCKET_NAME_WITH_PREFIX]/AWSLogs/[ORGANIZATION_ID]/${p_account}/CloudTrail/${p_region}/${p_date}'
)