cloudtrail_lookup_events
Query AWS CloudTrail management events to audit who changed what and from which source IP, with optional filters by event name, username, or resource type.
Instructions
Look up AWS CloudTrail management events with optional filters (event name, username, resource type). Useful for auditing who changed what, and from which source IP.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| region | No | AWS region. Empty queries the configured default region (or all regions if unset). | |
| username | No | Filter by the IAM username. | |
| event_name | No | Filter by CloudTrail event name (e.g. 'RunInstances'). | |
| hours_back | No | How many hours back to search. 0 uses the configured default lookback. | |
| max_results | No | Maximum events to return (0 = unlimited, capped at 10000). | |
| resource_type | No | Filter by resource type (e.g. 'AWS::EC2::Instance'). |