Extracting key values from CloudTrail Lookup-Events in AWS-CLI using jq



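I ran the command to get lookup-events for console login activity in my AWS account. I want to extract the key values of mfaAuthenticated, eventSource and eventType from this given JSON output.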

The output I get from the above command:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "XXXXXXXXXXXXXXXXX:dkboss",
    "arn": "XXXXXXXXXXXXXXXXXXXXXXXXX/dkboss",
    "accountId": "XXXXXXXXXXXXXXXX",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
        "arn": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "accountId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "userName": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-11-27T15:24:28Z",
        "mfaAuthenticated": "false"             ---------> i want this key value
      }
    }
  },
  "eventTime": "2022-11-27T15:24:29Z",
  "eventSource": "signin.amazonaws.com", ---------> i want this key value
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "1.1.1.1",
  "userAgent": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "MobileVersion": "No",
    "MFAUsed": "No"
  },
  "eventID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn",      ---------> i want this key value
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXXXXXXXXXXXXX",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "clientProvidedHostHeader": "signin.aws.amazon.com"
  }
}

I ran this command to get the above JSON output:

aws cloudtrail --region us-east-1 lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --start-time $(date -d "-60 minutes" +%s) --query "Events[].CloudTrailEvent" --output text | jq

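You haven't given any criteria for how to select the nodes or how to format the output. So how about simply traversing directly to their locations? With the --raw-output (or -r) option, jq outputs their decoded values. Making them a stream in the filter (by separating them with a comma ,) makes them a newline-separated list in the output.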

jq --raw-output '
.userIdentity.sessionContext.attributes.mfaAuthenticated,
.eventSource,
.eventType
'
false
signin.amazonaws.com
AwsConsoleSignIn
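
Going a step beyond the three fields asked about, this added example (not part of the original question or answer) applies the same path traversal to a stream of several events, emitting one tab-separated row per event and listing successful console logins where neither MFA indicator is set. The function names, the second and third sample events, and the handling of events that have no sessionContext are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise ConsoleLogin events and list those without MFA.
# Each function reads one or more CloudTrailEvent JSON documents on stdin.

# One TSV row per event: time, source, type, mfaAuthenticated, MFAUsed, result.
# "//" substitutes "n/a" when a path is missing (assumed: events that carry
# no sessionContext, where only additionalEventData.MFAUsed is available).
login_summary() {
  jq --raw-output '
    [ .eventTime,
      .eventSource,
      .eventType,
      (.userIdentity.sessionContext.attributes.mfaAuthenticated // "n/a"),
      (.additionalEventData.MFAUsed // "n/a"),
      (.responseElements.ConsoleLogin // "n/a")
    ] | @tsv'
}

# Time and source IP of successful console logins with no MFA indicator set.
logins_without_mfa() {
  jq --raw-output '
    select(.eventName == "ConsoleLogin"
           and .responseElements.ConsoleLogin == "Success"
           and .userIdentity.sessionContext.attributes.mfaAuthenticated != "true"
           and .additionalEventData.MFAUsed != "Yes")
    | [ .eventTime, .sourceIPAddress ] | @tsv'
}

# Constructed sample input: the first event is a trimmed copy of the one in
# the question; the other two are made up (documentation IP addresses).
sample_events() {
  cat <<'EOF'
{"eventTime":"2022-11-27T15:24:29Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","sourceIPAddress":"1.1.1.1","userIdentity":{"type":"AssumedRole","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2022-11-27T15:30:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","sourceIPAddress":"192.0.2.10","userIdentity":{"type":"IAMUser"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2022-11-27T15:31:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","sourceIPAddress":"192.0.2.11","userIdentity":{"type":"IAMUser"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
EOF
}
```

Try it with `sample_events | login_summary` or `sample_events | logins_without_mfa`; against a real account, pipe the output of the lookup-events command from the question into either function instead.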