AWS‑IReveal‑MCP

athena_query_events

Query AWS CloudTrail logs using Athena to filter by event names, time ranges, and optional parameters like IP address, user ARN, or bucket name. Store results in an S3 bucket for detailed analysis and troubleshooting.

Instructions

Query Athena for granular searches on CloudTrail logs.

<IMPORTANT>
Before calling this tool, you must call the athena_create_cloudtrail_table tool to create the table. If the user asks for a different region, you must call the athena_create_cloudtrail_table tool to create the table in that region.
</IMPORTANT>

Parameters:
    aws_region: The AWS region - use 'us-east-1' if not specified.
    start_time: ISO string of the start time
    end_time: ISO string of the end time
    database: Athena database name to be used - use 'default' if not specified.
    output_bucket: S3 bucket URI (e.g. 's3://my-athena-query-results/') for query results - different from cloudtrail_bucket.
    event_names: List of event names to filter on (e.g. ["GetObject", "DeleteObject"])
    principal_id: Optional principal ID to filter on. Use the percent sign (%) as a wildcard character.
    user_arn: Optional user ARN to filter on. Use the percent sign (%) as a wildcard character.
    user_name: Optional user name to filter on.
    role_name: Optional role name to filter on.
    ip_address: Optional IP address to filter on. Use the percent sign (%) as a wildcard character.
    bucket_name: Optional bucket name to filter on. Use the percent sign (%) as a wildcard character.
    limit: Maximum number of results to return (default is 50).

Returns:
    str: JSON-formatted result of the Athena query.

Input Schema

Name           Required  Description  Default
aws_region     Yes
bucket_name    No
database       Yes
end_time       Yes
event_names    Yes
ip_address     No
limit          No
output_bucket  Yes
principal_id   No
role_name      No
start_time     Yes
user_arn       No
user_name      No

Input Schema (JSON Schema)

{
  "properties": {
    "aws_region": { "title": "Aws Region", "type": "string" },
    "bucket_name": { "default": null, "title": "Bucket Name", "type": "string" },
    "database": { "title": "Database", "type": "string" },
    "end_time": { "title": "End Time", "type": "string" },
    "event_names": { "items": {}, "title": "Event Names", "type": "array" },
    "ip_address": { "default": null, "title": "Ip Address", "type": "string" },
    "limit": { "default": 50, "title": "Limit", "type": "integer" },
    "output_bucket": { "title": "Output Bucket", "type": "string" },
    "principal_id": { "default": null, "title": "Principal Id", "type": "string" },
    "role_name": { "default": null, "title": "Role Name", "type": "string" },
    "start_time": { "title": "Start Time", "type": "string" },
    "user_arn": { "default": null, "title": "User Arn", "type": "string" },
    "user_name": { "default": null, "title": "User Name", "type": "string" }
  },
  "required": [ "aws_region", "start_time", "end_time", "database", "output_bucket", "event_names" ],
  "title": "athena_query_eventsArguments",
  "type": "object"
}
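
The schema above only enforces basic types (event_names items are untyped, times are plain strings), so a caller can check arguments before invoking the tool. This is an added example, not code from the AWS-IReveal-MCP project; build_arguments, OPTIONAL and WILDCARD_OK are hypothetical names. The allowed characters for event names and the rejection of % in user_name and role_name are assumptions drawn from the parameter descriptions.

```python
import re
from datetime import datetime

OPTIONAL = {"principal_id", "user_arn", "user_name", "role_name", "ip_address", "bucket_name"}
# The instructions document % as a wildcard for these four filters only.
WILDCARD_OK = {"principal_id", "user_arn", "ip_address", "bucket_name"}


def build_arguments(start_time, end_time, output_bucket, event_names,
                    aws_region="us-east-1", database="default", limit=50, **filters):
    """Return a checked argument dict for athena_query_events or raise ValueError."""
    # fromisoformat raises ValueError on non-ISO input (a trailing "Z" needs Python 3.11+).
    start, end = datetime.fromisoformat(start_time), datetime.fromisoformat(end_time)
    if (start.tzinfo is None) != (end.tzinfo is None):
        raise ValueError("give both times with a UTC offset, or both without")
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    if not re.fullmatch(r"s3://[^/\s]+(/\S*)?", output_bucket):
        raise ValueError("output_bucket must be an S3 URI like s3://my-athena-query-results/")
    # The schema types event_names items as {} (anything), so check them here.
    # Assumption: event names are ASCII letters, digits and underscores.
    if not isinstance(event_names, list) or not event_names:
        raise ValueError("event_names must be a non-empty list")
    for name in event_names:
        if not isinstance(name, str) or not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError(f"unexpected event name: {name!r}")
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    args = {"aws_region": aws_region, "start_time": start_time, "end_time": end_time,
            "database": database, "output_bucket": output_bucket,
            "event_names": event_names, "limit": limit}
    for key, value in filters.items():
        if key not in OPTIONAL:
            raise ValueError(f"unknown filter: {key}")
        if value is None:
            continue  # the schema default; leave the filter out
        if not isinstance(value, str) or not value:
            raise ValueError(f"{key} must be a non-empty string")
        if "%" in value and key not in WILDCARD_OK:
            raise ValueError(f"{key} is not documented as accepting % wildcards")
        args[key] = value
    return args


# Constructed sample call: S3 object events from one address range on one bucket.
EXAMPLE = build_arguments("2024-05-01T00:00:00", "2024-05-02T00:00:00",
                          "s3://my-athena-query-results/", ["GetObject", "DeleteObject"],
                          ip_address="203.0.113.%", bucket_name="example-logs")
```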
ID: myt94uniyf