The Python script can be used to download the CloudTrail logs across all regions.



The Invictus-AWS Python script can be used to retrieve information about the environment (service usage and configuration) and export logs from a number of sources (CloudTrail, CloudWatch, S3 Access Logs, …) to an S3 bucket. Invictus-AWS is region bound.

In addition to the ReadOnlyAccess managed policy Invictus-AWS also requires specific permissions, as defined in the provided policy.

As stated in Invictus-AWS’s readme, the tools is divided into 4 different steps (that can be run independently):

  • The first step performs enumeration of activated AWS services and its details.

  • The second step retrieves configuration details about the activated services.

  • The third step extracts available logs for the activated services.

  • The fourth and last step analyze CloudTrail logs, and only CloudTrail logs, by running Athena queries against it.

By default, the steps one to three are executed. The step 4 is optional and must be run separately.

# Configures the required API access.
aws configure

# -r <REGION>: defines the specified region (such as "us-east-1") to retrieve the logs from.
# -A <REGION>: retrieves the logs from all regions, starting with the specified region.
# -w <local | cloud>: defines if the results should stored in an S3 bucket only or if the results should also be downloaded to the local storage.
python3 [-r <REGION> | -A <REGION>] -w <local | cloud>

# Downloads locally the exported / collected elements from
aws s3 cp --recursive s3://<INVICTUS_BUCKET> <EXPORT_FOLDER>


The awslogs utility can be used to access and filter the AWS CloudWatch logs. awslogs requires the permissions associated with the CloudWatchLogsReadOnlylAccess policy.

awslogs <get | groups | streams> [--aws-region "<AWS_REGION>"] [--aws-access-key-id "<ACCESS_KEY_ID>"] [--aws-secret-access-key "<ACCESS_KEY_SECRET>"]

# Lists the existing logs groups.
awslogs groups

# Lists the streams in the specified log group.
awslogs streams <LOG_GROUP>

# Retrieves the logs in all or the specified log group / stream.
# The start / end filtering support multiple filtering options: DD/MM/YYYY HH:mm, <INT><m | h | d | w>.
awslogs get <ALL | LOG_GROUP> <ALL | LOG_GROUP_STREAM> -s <START> -e <END>

Tags: aws

View on GitHub