Sometimes we get a rash of AccessDenied errors that trip a CloudWatch metric we have from the CIS hardening catalog. This search helps to figure out what is happening:
fields @timestamp, @message
| filter errorCode="AccessDenied"
| fields coalesce(userIdentity.invokedBy,userIdentity.principalId) as whoo, coalesce(requestParameters.bucketName,errorMessage) as target
| stats count() as count by bin(1d) as time, whoo, eventName, target
| sort count desc
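
The same grouping can be run offline over exported CloudTrail records. This is an added example, not part of the original search; it assumes the records are already parsed into dicts, that `eventTime` stands in for `@timestamp`, and all sample records and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed CloudTrail records; every name and ID here is made up.
SAMPLE = [
    {"eventTime": "2024-05-01T02:10:00Z", "eventName": "GetObject",
     "errorCode": "AccessDenied",
     "userIdentity": {"principalId": "AROAEXAMPLE:ci-runner"},
     "requestParameters": {"bucketName": "example-logs"}},
] * 3 + [
    {"eventTime": "2024-05-01T03:00:00Z", "eventName": "GetBucketPolicy",
     "errorCode": "AccessDenied",
     "userIdentity": {"principalId": "AROAEXAMPLE:scan",
                      "invokedBy": "config.amazonaws.com"},
     "requestParameters": {"bucketName": "example-data"}},
    # Non-S3 call: requestParameters is null, so target falls back to errorMessage.
    {"eventTime": "2024-05-02T09:30:00Z", "eventName": "DescribeKey",
     "errorCode": "AccessDenied", "errorMessage": "not authorized (constructed)",
     "userIdentity": {"principalId": "AIDAEXAMPLE"}, "requestParameters": None},
    # Successful call: no errorCode, so the filter drops it.
    {"eventTime": "2024-05-02T09:31:00Z", "eventName": "ListBuckets",
     "userIdentity": {"principalId": "AIDAEXAMPLE"}, "requestParameters": None},
]

def coalesce(record, *paths):
    """Return the first non-null value among dotted paths, like coalesce()."""
    for path in paths:
        cur = record
        for key in path.split("."):
            cur = cur.get(key) if isinstance(cur, dict) else None
        if cur is not None:
            return cur
    return None

def summarize_access_denied(records):
    """Count AccessDenied events by (day, who, eventName, target), highest first."""
    counts = Counter()
    for r in records:
        if r.get("errorCode") != "AccessDenied":
            continue
        who = coalesce(r, "userIdentity.invokedBy", "userIdentity.principalId")
        target = coalesce(r, "requestParameters.bucketName", "errorMessage")
        day = r["eventTime"][:10]  # ISO 8601 UTC date, equivalent to bin(1d)
        counts[(day, who, r.get("eventName"), target)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (day, who, event, target), n in summarize_access_denied(SAMPLE):
        print(n, day, who, event, target)
```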