AWS Security Academy · Lesson

Building Tables Over CloudTrail Data

Define a schema that lets you query audit events directly.

Why You Need a Table

Athena cannot query raw S3 files until you tell it how to read them. A table maps the CloudTrail JSON files in your S3 bucket to named columns with types. Once the table exists, the rich structure of CloudTrail events becomes addressable with ordinary SQL.

CloudTrail Log Structure

CloudTrail delivers events as JSON, each record describing one API call with nested fields like userIdentity, eventName, sourceIPAddress, and requestParameters. The table schema must mirror this nesting, including struct types for objects, so queries can reach fields like userIdentity.arn.
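To make that concrete, here is an added example (not the lesson's own DDL) of an Athena table over CloudTrail with userIdentity declared as a nested struct, followed by a query that reaches userIdentity.arn. The bucket and account id are placeholders; the SerDe and input format are the ones AWS provides for CloudTrail, and the date in the filter is a constructed sample value.

```sql
-- Added example, not the lesson's own code. Placeholders: bucket and account id.
-- userIdentity is declared as a STRUCT so its fields are addressable with dot syntax.
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
  eventVersion     STRING,
  userIdentity STRUCT<
    type:        STRING,
    principalId: STRING,
    arn:         STRING,
    accountId:   STRING,
    invokedBy:   STRING,
    accessKeyId: STRING,
    userName:    STRING,
    sessionContext: STRUCT<
      attributes: STRUCT<mfaAuthenticated:STRING, creationDate:STRING>,
      sessionIssuer: STRUCT<type:STRING, principalId:STRING, arn:STRING, accountId:STRING, userName:STRING>>>,
  eventTime         STRING,   -- ISO 8601, so string comparison orders correctly
  eventSource       STRING,
  eventName         STRING,
  awsRegion         STRING,
  sourceIPAddress   STRING,
  userAgent         STRING,
  errorCode         STRING,
  errorMessage      STRING,
  requestParameters STRING,   -- free-form nested object, kept as a JSON string
  responseElements  STRING,
  eventID           STRING,
  eventType         STRING,
  recipientAccountId STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://PLACEHOLDER-BUCKET/AWSLogs/PLACEHOLDER-ACCOUNT-ID/CloudTrail/';

-- Reach into the struct: which principals are collecting access-denied errors,
-- from which addresses? A sudden spike is a common early signal of credential misuse.
SELECT userIdentity.arn AS principal_arn,
       sourceIPAddress,
       eventSource,
       eventName,
       COUNT(*)         AS denied_calls
FROM cloudtrail_logs
WHERE errorCode IN ('AccessDenied', 'UnauthorizedOperation')
  AND eventTime > '2024-01-01T00:00:00Z'   -- constructed sample cutoff
GROUP BY userIdentity.arn, sourceIPAddress, eventSource, eventName
ORDER BY denied_calls DESC
LIMIT 20;
```

Without a partition projection or partitions (covered later in the course), this scan reads every object under LOCATION, so narrow the prefix while testing.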
