awslabs.cloudtrail-mcp-server 0.0.2__py3-none-any.whl → 0.0.4__py3-none-any.whl

awslabs/cloudtrail_mcp_server/__init__.py

@@ -14,5 +14,5 @@
 
 """awslabs.cloudtrail-mcp-server"""
 
-__version__ = '0.0.2'
+__version__ = '0.0.4'
 MCP_SERVER_VERSION = __version__

awslabs/cloudtrail_mcp_server/tools.py

@@ -254,14 +254,104 @@ class CloudTrailTools:
         IMPORTANT LIMITATIONS:
         - CloudTrail Lake only supports SELECT statements using Trino-compatible SQL syntax
         - INSERT, UPDATE, DELETE, CREATE, DROP, and other DDL/DML operations are not supported
+        - Do not use Common Table Expression (CTE)
         - Your SQL query MUST include a valid Event Data Store (EDS) ID in the FROM clause
         - Use the list_event_data_stores tool first to get available EDS IDs, then reference the EDS ID
           directly in your FROM clause
-
-        Valid SQL query examples:
-        - SELECT eventname, count(*) FROM 0233062b-51c6-4d18-8dec-a8c90da840d9 WHERE eventtime > '2023-01-01' GROUP BY eventname
-        - SELECT useridentity.username, eventname, eventtime FROM your-eds-id WHERE errorcode IS NOT NULL
-        - SELECT DISTINCT awsregion FROM your-eds-id WHERE eventname = 'CreateUser'
+        - Always use a start and end time using eventtime or have a limit on total output by default
+
+        CLOUDTRAIL EVENT SCHEMA:
+        All CloudTrail events contain these key fields that you can query:
+
+        Core Fields (Always Present):
+        - eventTime: UTC timestamp when request completed
+        - eventVersion: Log format version (current: 1.11)
+        - eventSource: AWS service name (e.g., "s3.amazonaws.com")
+        - eventName: API action name
+        - awsRegion: AWS region where request was made
+        - sourceIPAddress: IP address of requester
+        - eventID: Unique GUID for this event
+        - eventType: AwsApiCall, AwsServiceEvent, AwsConsoleAction, AwsConsoleSignIn, AwsVpceEvent
+        - eventCategory: Management, Data, NetworkActivity, Insight
+
+        UserIdentity Object (Always Present):
+        - userIdentity.type: Root, IAMUser, AssumedRole, Role, FederatedUser, Directory, AWSAccount, AWSService, IdentityCenterUser, SAMLUser, WebIdentityUser, Unknown
+        - userIdentity.principalId: Unique identifier for the entity
+        - userIdentity.arn: ARN of the principal
+        - userIdentity.accountId: Account that owns the entity
+        - userIdentity.accessKeyId: Access key used (may be empty for security)
+        - userIdentity.userName: Friendly name (when available)
+        - userIdentity.invokedBy: AWS service that made the request
+        - userIdentity.identityProvider: External identity provider (SAML/Web)
+        - userIdentity.credentialId: Bearer token credential ID
+        - userIdentity.sessionContext: For temporary credentials (AssumedRole, FederatedUser)
+          - sessionIssuer.type: Source type (Root, IAMUser, Role)
+          - sessionIssuer.principalId: Internal ID of issuer
+          - sessionIssuer.arn: ARN of issuer
+          - sessionIssuer.accountId: Account of issuer
+          - sessionIssuer.userName: Name of credential issuer
+          - attributes.mfaAuthenticated: "true"/"false" if MFA was used
+          - attributes.creationDate: When credentials were issued (ISO 8601)
+          - webIdFederationData.federatedProvider: Identity provider name
+          - webIdFederationData.attributes: Provider-specific attributes
+          - sourceIdentity: Original user identity for role chaining
+          - ec2RoleDelivery: "1.0" or "2.0" for IMDS version
+          - assumedRoot: True for AssumeRoot sessions
+        - userIdentity.onBehalfOf: IAM Identity Center user info
+          - userId: Identity Center user ID
+          - identityStoreArn: Identity store ARN
+        - userIdentity.inScopeOf: Service scope information
+          - sourceArn: Invoking resource ARN
+          - sourceAccount: Source account ID
+          - issuerType: Credential issuer type
+          - credentialsIssuedTo: Credential target resource
+
+        Optional Fields (Conditionally Present):
+        - userAgent: Client that made the request (max 1KB)
+        - errorCode: AWS service error code if request failed (max 1KB)
+        - errorMessage: Error description if request failed (max 1KB)
+        - requestParameters: Request parameters (object, max 100KB)
+        - responseElements: Response elements for write operations (object, max 100KB)
+        - additionalEventData: Additional event data (object, max 28KB)
+        - requestID: Service-generated request identifier (max 1KB)
+        - apiVersion: API version for AwsApiCall events
+        - managementEvent: True if management event
+        - readOnly: true/false if read-only operation
+        - resources: Array of resources accessed
+          - resources[].type: Resource type (e.g., "AWS::S3::Object", "AWS::DynamoDB::Table")
+          - resources[].ARN: Resource ARN
+          - resources[].accountId: Resource owner account
+        - recipientAccountId: Account that received the event
+        - serviceEventDetails: Service event details (object, max 100KB)
+        - sharedEventID: Shared GUID for cross-account events
+        - vpcEndpointId: VPC endpoint identifier (for network events)
+        - vpcEndpointAccountId: VPC endpoint owner account
+        - addendum: Information about delayed/updated events
+          - reason: Why event was delayed (DELIVERY_DELAY, UPDATED_DATA, SERVICE_OUTAGE)
+          - updatedFields: Event record fields updated by addendum
+          - originalRequestID: Original unique ID of request
+          - originalEventID: Original event ID
+        - sessionCredentialFromConsole: "true" if from console session
+        - eventContext: Enriched event context (tags, IAM conditions)
+          - requestContext: IAM condition keys evaluated during authorization
+          - tagContext: Tags associated with resources and IAM principals
+            - resourceTags: Array of resource tag information
+              - resourceTags[].arn: ARN of the tagged resource
+              - resourceTags[].tags: Object containing tag key-value pairs
+            - principalTags: Tags associated with the IAM principal making the request
+        - edgeDeviceDetails: Edge device information (object, max 28KB)
+        - tlsDetails: TLS connection information
+          - tlsVersion: TLS version used
+          - cipherSuite: Cipher suite used
+          - clientProvidedHostHeader: Client-provided hostname
+
+        Example SQL queries:
+        - SELECT eventname, count(*) FROM eds-id WHERE eventtime > '2025-01-01 00:00:00' GROUP BY eventname
+        - SELECT errorcode, errormessage, eventname FROM eds-id WHERE errorcode IS NOT NULL OR errormessage IS NOT NULL LIMIT 10
+        - SELECT eventname, resources FROM eds-id WHERE any_match(resources, x -> x.type = 'AWS::S3::Object') LIMIT 10
+        - SELECT useridentity.sessioncontext.sessionissuer.username FROM eds-id WHERE useridentity.type = 'AssumedRole' LIMIT 10
+        - SELECT sourceipaddress, count(*) FROM eds-id WHERE eventname = 'ConsoleLogin' GROUP BY sourceipaddress LIMIT 10
+        - SELECT eventname, filter(resources, x -> x.type = 'AWS::Lambda::Function') as lambda_resources FROM eds-id WHERE cardinality(filter(resources, x -> x.type = 'AWS::Lambda::Function')) > 0 LIMIT 5
 
         Returns:
         --------

{awslabs_cloudtrail_mcp_server-0.0.2.dist-info → awslabs_cloudtrail_mcp_server-0.0.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: awslabs.cloudtrail-mcp-server
-Version: 0.0.2
+Version: 0.0.4
 Summary: An AWS Labs Model Context Protocol (MCP) server for cloudtrail
 Project-URL: homepage, https://awslabs.github.io/mcp/
 Project-URL: docs, https://awslabs.github.io/mcp/servers/cloudtrail-mcp-server/

awslabs_cloudtrail_mcp_server-0.0.4.dist-info/RECORD

@@ -0,0 +1,12 @@
+awslabs/__init__.py,sha256=WuqxdDgUZylWNmVoPKiK7qGsTB_G4UmuXIrJ-VBwDew,731
+awslabs/cloudtrail_mcp_server/__init__.py,sha256=C_LtN4tOM1vJRubUUhTUC3I5krcrhU84s_mUzgGmmEg,708
+awslabs/cloudtrail_mcp_server/common.py,sha256=X8viTngRsPrEn-VGqEg3CRn3HzQtoFJAmdVtgVQxcsU,4679
+awslabs/cloudtrail_mcp_server/models.py,sha256=TJT0TUFfN5Ig9M8xYNXI9MCf2pD_yooxxbxw7vNqfYg,3154
+awslabs/cloudtrail_mcp_server/server.py,sha256=7AixDu0sMC_0RMWySaybfPjVpIrpBSr-VY-DfCrAhw0,1798
+awslabs/cloudtrail_mcp_server/tools.py,sha256=NAPWH7zmJ65RJGHD3E_Q7zGKc6n8d9vznOSBqdE4ye4,29702
+awslabs_cloudtrail_mcp_server-0.0.4.dist-info/METADATA,sha256=4ZNM2LYkzOR0nzRJ09prcs7o8ryXXyC9U13tFU1mD70,8826
+awslabs_cloudtrail_mcp_server-0.0.4.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+awslabs_cloudtrail_mcp_server-0.0.4.dist-info/entry_points.txt,sha256=ivDpa1YKhlUbKTzXWXtwTEHvTMNVGy73KNzTX6SBJ1A,92
+awslabs_cloudtrail_mcp_server-0.0.4.dist-info/licenses/LICENSE,sha256=CeipvOyAZxBGUsFoaFqwkx54aPnIKEtm9a5u2uXxEws,10142
+awslabs_cloudtrail_mcp_server-0.0.4.dist-info/licenses/NOTICE,sha256=sjH_X33G3MouXhZuOV8c7dN3IAvn6dSPrGLWA7tHjfQ,97
+awslabs_cloudtrail_mcp_server-0.0.4.dist-info/RECORD,,

awslabs_cloudtrail_mcp_server-0.0.2.dist-info/RECORD

@@ -1,12 +0,0 @@
-awslabs/__init__.py,sha256=WuqxdDgUZylWNmVoPKiK7qGsTB_G4UmuXIrJ-VBwDew,731
-awslabs/cloudtrail_mcp_server/__init__.py,sha256=zy216mvjlc8RsnSv4NxvhBp32gM1Jp_nFGwRBxCcZGI,708
-awslabs/cloudtrail_mcp_server/common.py,sha256=X8viTngRsPrEn-VGqEg3CRn3HzQtoFJAmdVtgVQxcsU,4679
-awslabs/cloudtrail_mcp_server/models.py,sha256=TJT0TUFfN5Ig9M8xYNXI9MCf2pD_yooxxbxw7vNqfYg,3154
-awslabs/cloudtrail_mcp_server/server.py,sha256=7AixDu0sMC_0RMWySaybfPjVpIrpBSr-VY-DfCrAhw0,1798
-awslabs/cloudtrail_mcp_server/tools.py,sha256=O2DzikW8LmRzxAxfeI0ectw3dzKxRktLE4Y3ywb2MGM,23894
-awslabs_cloudtrail_mcp_server-0.0.2.dist-info/METADATA,sha256=AZzciupjZzdvDb9AxRiKPJLwbI2XqBdJR3pfRQzi-I4,8826
-awslabs_cloudtrail_mcp_server-0.0.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-awslabs_cloudtrail_mcp_server-0.0.2.dist-info/entry_points.txt,sha256=ivDpa1YKhlUbKTzXWXtwTEHvTMNVGy73KNzTX6SBJ1A,92
-awslabs_cloudtrail_mcp_server-0.0.2.dist-info/licenses/LICENSE,sha256=CeipvOyAZxBGUsFoaFqwkx54aPnIKEtm9a5u2uXxEws,10142
-awslabs_cloudtrail_mcp_server-0.0.2.dist-info/licenses/NOTICE,sha256=sjH_X33G3MouXhZuOV8c7dN3IAvn6dSPrGLWA7tHjfQ,97
-awslabs_cloudtrail_mcp_server-0.0.2.dist-info/RECORD,,