# Some handy searches in CW insights


# What is causing AccessDenied?

Sometimes we'll get a rash of AccessDenied errors, that trip a cloudwatch
metric we have from CIS hardening catalog.  This search helps to figure
out what is happening

```
fields @timestamp, @message 
| filter errorCode="AccessDenied" 
| fields coalesce(userIdentity.invokedBy,userIdentity.principalId) as whoo,  coalesce(requestParameters.bucketName,errorMessage) as target
| stats count() as count by bin(1d) as time, whoo, eventName, target
| sort count desc
```