Using CloudWatch queries to search the Turbot Audit Trail

The CloudWatch log stream Turbot/AuditTrail can be used to audit events such as Turbot policy changes. Logs are found in the Turbot Master account.

  • More information on AWS CloudWatch query syntax can be found here.

Suppose the policy AWS > Athena > Enabled had an exception set on account aab in the cluster test. The following query can be used to find the log containing information such as user who made the change and at what time the change was made

{ ($.detail.request.params.policyName = "AWS:Athena:Enabled") && ($.detail.request.params.resourceUrn = "urn:turbot:test:aab") && ($.detail.request.method = "POST") }
  • $.detail.request.params.policyName = "AWS:Athena:Enabled" - This query can be modified with any policy value in Turbot. When viewing the policy in Turbot, the name will be found in the URL.


  • $.detail.request.params.resourceUrn = "urn:turbot:test:aab" - Account URN can be modified to search the entire cluster, a specific account, as well as an individual resource. In the same vein as the policy name, the account URN can be found in the URL when viewing the cluster, account, or resource. 


  • $.detail.request.method = "POST" - Restricts the results to logs that are generated from the request that changed a policy. 

The query string can be modified to be more or less specific depending on the scope of the information needed. In general, it is recommended to narrow the search time frame as much as possible - larger time ranges can take significantly longer to display results.

Any questions regarding using CloudWatch queries to search the Turbot audit trail can be directed to

Was this article helpful?
0 out of 0 found this helpful