You can use the CloudTrail Lake query generator to produce a query from an English language prompt that you provide. The query generator uses generative artificial intelligence (generative AI) to produce a ready-to-use SQL query from your prompt, which you can then choose to run in Lake's query editor, or further fine tune. You don't need to have extensive knowledge of SQL or CloudTrail event fields to use the query generator.
The prompt can be a question or a statement about the event data in your CloudTrail Lake event data store. For example, you can enter prompts like "What are my top errors in the past month?" and “Give me a list of users that used SNS.”
A prompt can have a minimum of 3 characters and a maximum of 500 characters.
There are no charges for generating queries; however, when you run queries, you incur
charges based on the amount of optimized and compressed data scanned. To help control
costs, we recommend that you constrain queries by adding starting and ending
eventTime timestamps to queries.
Note
You can provide feedback about a generated query by choosing the thumbs up or thumbs down button that appears below the generated query. When you provide feedback, CloudTrail saves your prompt and the generated query.
Do not include any personally identifying, confidential, or sensitive information in your prompts.
This feature uses generative AI large language models (LLMs); we recommend double-checking the LLM response.
You can access the query generator using the CloudTrail console and AWS CLI.
To use the query generator on the CloudTrail console
-
Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
. -
From the navigation pane, under Lake, choose Query.
-
On the Query page, choose the Editor tab.
-
Choose the event data store you want to create a query for.
-
In the Query generator area, enter a prompt in plain English. For examples, see Example prompts.
-
Choose Generate query. The query generator will attempt to generate a query from your prompt. If successful, the query generator provides the SQL query in the editor. If the prompt is unsuccessful, rephrase your prompt and try again.
-
(Optional) You can provide feedback about the generated query. To provide feedback, choose the thumbs up or thumbs down button that appears below the prompt. When you provide feedback, CloudTrail saves your prompt and the generated query.
-
(Optional) Choose Run to run the query.
Note
When you run queries, you incur charges based on the amount of optimized and compressed data scanned. To help control costs, we recommend that you constrain queries by adding starting and ending
eventTimetimestamps to queries. -
(Optional) If you run the query and there are results, you can choose Summarize results to generate a natural language summary in English of the query results. This option uses generative artificial intelligence (generative AI) to produce the summary. For more information about this option, see Summarize query results in natural language.
You can provide feedback about the summary by choosing the thumbs up or thumbs down button that appears below the generated summary.
Note
The query summarization feature is in preview release for CloudTrail Lake and is subject to change. This feature is available in the following regions: Asia Pacific (Tokyo), US East (N. Virginia), and US West (Oregon).
Required permissions
The AWSCloudTrail_FullAccess
and AdministratorAccess managed policies both provide the
necessary permissions to use this feature.
You can also include the cloudtrail:GenerateQuery action in a new or existing customer managed or inline policy.
Region support
This feature is supported in the following AWS Regions:
-
Asia Pacific (Mumbai) Region (ap-south-1)
-
Asia Pacific (Sydney) Region (ap-southeast-2)
-
Asia Pacific (Tokyo) Region (ap-northeast-1)
-
Canada (Central) Region (ca-central-1)
-
Europe (London) Region (eu-west-2)
-
US East (N. Virginia) Region (us-east-1)
-
US West (Oregon) Region (us-west-2)
Limitations
The following are limitations of the query generator:
-
The query generator can only accept prompts in English.
-
The query generator can only generate queries for event data stores that collect CloudTrail events (management events, data events, network activity events).
-
The query generator cannot generate queries for prompts that do not pertain to CloudTrail Lake event data.
Example prompts
This section provides example prompts and the resulting SQL queries generated from the prompts.
If you choose to run
the example queries in this section, replace eds-id with the ID of the
event data store that you want to query and replace the timestamps with the
appropriate timestamps for your use case. Timestamps have the following format:
YYYY-MM-DD HH:MM:SS.
Prompt: What are my top errors in the past month?
SQL query:
SELECT
errorMessage,
COUNT(*) as eventCount
FROM
eds-id
WHERE
errorMessage IS NOT NULL
AND eventTime >= timestamp '2024-05-01 00:00:00'
AND eventTime <= timestamp '2024-05-31 23:59:59'
GROUP BY 1
ORDER BY 2 DESC
LIMIT 2;Prompt: Give me a list of users that used SNS.
SQL query:
SELECT
DISTINCT userIdentity.arn AS user
FROM
eds-id
WHERE
eventSource = 'sns.amazonaws.com'Prompt: What are my API counts each day for read and write events in the past month?
SQL query:
SELECT date(eventTime) AS event_date,
SUM(
CASE
WHEN readonly = true THEN 1
ELSE 0
END
) AS read_events,
SUM(
CASE
WHEN readonly = false THEN 1
ELSE 0
END
) AS write_events
FROM
eds-id
WHERE
eventTime >= timestamp '2024-05-04 00:00:00'
AND eventTime <= timestamp '2024-06-04 23:59:59'
GROUP BY 1
ORDER BY 1 ASC;Prompt: Show any events with access denied errors for the past three weeks.
SQL query:
SELECT *
FROM
eds-id
WHERE
WHERE (errorCode = 'AccessDenied' OR errorMessage = 'Access Denied')
AND eventTime >= timestamp '2024-05-16 01:00:00'
AND eventTime <= timestamp '2024-06-06 01:00:00'