Hello,
I am currently working on a query / report that displays MFA information for users in my AWS organizations.
The table is as follows:
account_id | UserName | AccessKeyMetadata{}.AccessKeyId |Days Since Last Login | MFA Present |MFA Detail
I'm looking to pull the age of the AccessKeyID but am having trouble.
Any suggestions?
I am currently using the stats command to pull all current MFA related info:
| stats latest(days_since_login) as "Days Since Last Login", latest(mfa_present) as "MFA Present", latest(mfa_detail) as "MFA Detail" by account_id, UserName, AccessKeyMetadata{}.AccessKeyId
Ideally -- I would like to pull the age of AccessKeyID.
Any help would be greatly appreciated.
Thanks,
Do you have access to the time created for the AccessKeyId as a field?
I've calculated the age of items before using eval; the following example actually calculates the age of an EBS volume in AWS; concept is similar if you have access to the time the accesskeyid was created.
| eval VolumeAgeSeconds = round(now()-strptime(create_time, "%Y-%m-%dT%H:%M:%S.%N%Z"),2), VolumeAge=tostring(VolumeAgeSeconds, "duration")