When you run critical systems on AWS, speed matters. Detecting, investigating, and acting before a small issue becomes an outage is the job of a good runbook. When that runbook can query AWS CloudTrail with the AWS CLI directly, decisions happen in seconds, not hours.
AWS CloudTrail records the API calls made in your account: management events (IAM, EC2, S3 bucket configuration, and so on) by default, and data events such as S3 object reads only where you enable them. Event history keeps the last 90 days of management events queryable without any trail at all. The AWS CLI turns those logs into instant answers. With a few lines in a terminal, you can find who made a change, from where, and when. No clicks. No guesswork.
To query CloudTrail fast, you combine two things:
- The lookup-events command from the aws cloudtrail namespace, which searches the last 90 days of management events (add --start-time and --end-time to narrow the window instead of paging through everything).
- Filters like --lookup-attributes to zero in on the user, resource, or event name. Each call accepts exactly one attribute (Username, EventName, EventSource, ResourceName, ResourceType, EventId, AccessKeyId, or ReadOnly), so pick the pivot you need and issue a second call for the next one.
Example:
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=Username,AttributeValue=devops-user \
--max-results 10
This returns up to 10 of the most recent events attributed to that user. Each record carries a CloudTrailEvent field holding the full event as a JSON string, and that is where you pivot: event IDs, source IPs, user agents, error codes such as AccessDenied, and the AWS service called. This is the raw material of an incident investigation workflow.
Runbooks that include AWS CLI + CloudTrail lookups mean incidents don’t stall while you fumble through consoles. Investigators can grab context right in the terminal:
- Identify suspicious access patterns.
- Confirm configuration changes.
- Trace resource creation or deletion.
The key is to define these commands in automation or scripts you can trigger on demand. Store them in version control. Treat them as code. Run them under a dedicated read-only investigation role that holds cloudtrail:LookupEvents and little else, so the runbook itself never becomes an escalation path. And make them easy for anyone on-call to execute without breaking their flow.
From there, you can expand. Pipe results into jq for clean JSON parsing (the CloudTrailEvent field is a string, so it needs a second decode). Use --query with JMESPath to extract only the needed values before jq ever runs. Feed that into notification systems or, behind a human approval step, automated rollback scripts. One operational caveat: LookupEvents is throttled at two calls per second per account per Region, so a script that loops over many users or resources should back off rather than retry in a tight loop.
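As an added example (not code from the original post or from hoop.dev), the Python 3 script below wraps the same aws cloudtrail lookup-events call and does the pivoting and parsing described above from a script rather than a jq pipeline. It assumes a configured AWS CLI and cloudtrail:LookupEvents permission for the live path; the SAMPLE_EVENTS records are constructed to match the CLI's output shape, including the string-encoded CloudTrailEvent document, so the triage logic runs offline. The event IDs, addresses, and timestamps in the sample are made up.

```python
#!/usr/bin/env python3
"""Pivot helper for `aws cloudtrail lookup-events` output.

Added example, not from the original post. SAMPLE_EVENTS is constructed
to mirror the CLI's JSON so the triage functions can run with no AWS access.
"""
import json
import subprocess
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone


def lookup_events(attr_key, attr_value, hours=24, max_results=50):
    """Call the real CLI (needs credentials and cloudtrail:LookupEvents).

    Covers management events from the last 90 days only; one lookup
    attribute per call. max_results is capped at 50 by the API.
    """
    start = (datetime.now(timezone.utc) - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    cmd = [
        "aws", "cloudtrail", "lookup-events",
        "--lookup-attributes", f"AttributeKey={attr_key},AttributeValue={attr_value}",
        "--start-time", start,
        "--max-results", str(max_results),
        "--output", "json",
    ]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)["Events"]


def summarize(events):
    """Flatten each event into the fields an investigator looks at first.

    CloudTrailEvent is a JSON document serialized into a string, so it is
    decoded a second time here (the equivalent of jq's `fromjson`).
    """
    rows = []
    for ev in events:
        d = json.loads(ev["CloudTrailEvent"])
        mfa = (d.get("userIdentity", {}).get("sessionContext", {})
                .get("attributes", {}).get("mfaAuthenticated"))
        rows.append({
            "time": d["eventTime"],
            "event": d["eventName"],
            "service": d["eventSource"],
            "ip": d.get("sourceIPAddress"),
            "agent": d.get("userAgent"),
            "error": d.get("errorCode"),
            "mfa": mfa,
        })
    return rows


def triage(rows):
    """First-pass signals: source IPs seen, denied calls, destructive calls,
    and calls made from a session without MFA. The name prefixes are a
    heuristic, not a complete list of destructive APIs."""
    destructive_prefixes = ("Delete", "Terminate", "Stop")
    return {
        "source_ips": dict(Counter(r["ip"] for r in rows)),
        "access_denied": sum(1 for r in rows if r["error"] == "AccessDenied"),
        "destructive": [r["event"] for r in rows if r["event"].startswith(destructive_prefixes)],
        "no_mfa": [r["event"] for r in rows if r["mfa"] == "false"],
    }


def _event(event_id, name, source, ip, when, error=None, mfa="true"):
    """Build one record in the shape lookup-events returns (constructed data)."""
    detail = {
        "eventVersion": "1.08",
        "eventTime": when,
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "devops-user",
                         "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
    }
    if error:
        detail["errorCode"] = error
    return {"EventId": event_id, "EventName": name, "EventTime": when,
            "EventSource": source, "Username": "devops-user",
            "CloudTrailEvent": json.dumps(detail)}


# Constructed sample: fake IDs, documentation-range IPs, invented timestamps.
SAMPLE_EVENTS = [
    _event("00000000-0000-4000-8000-000000000001", "DeleteBucket", "s3.amazonaws.com",
           "198.51.100.7", "2024-05-01T10:15:00Z", mfa="false"),
    _event("00000000-0000-4000-8000-000000000002", "DescribeInstances", "ec2.amazonaws.com",
           "203.0.113.5", "2024-05-01T10:12:00Z", error="AccessDenied"),
    _event("00000000-0000-4000-8000-000000000003", "ListBuckets", "s3.amazonaws.com",
           "198.51.100.7", "2024-05-01T10:10:00Z"),
]


if __name__ == "__main__":
    # `--live USERNAME` queries the real account; anything else uses the sample.
    if len(sys.argv) > 2 and sys.argv[1] == "--live":
        events = lookup_events("Username", sys.argv[2])
    else:
        events = SAMPLE_EVENTS
    rows = summarize(events)
    for r in rows:
        print(f"{r['time']}  {r['event']:<20} {r['service']:<20} {str(r['ip']):<15} err={r['error']}")
    print(json.dumps(triage(rows), indent=2))
```

Run it with no arguments to see the sample triage, or with --live devops-user to hit a real account. If you prefer to stay in the shell, the same flattening is available straight from the CLI with --query 'Events[].[EventTime,EventName,Username]' --output table, and jq can unpack the nested document with '.Events[].CloudTrailEvent | fromjson'.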
The power of an AWS CLI CloudTrail query runbook is that it shuts down the delay between detection and verification. You don’t wait for dashboards to load. You don’t click refresh. You know, and you act.
If you want to see this in action without setting everything up yourself, hoop.dev lets you spin up real, working runbooks in minutes. Try it live and watch those CloudTrail queries turn from shell commands into operational muscle.