CloudTrail audit feed
Last 4 events shown. Full JSON at /audit/cloudtrail.
| Time | Event | User | Source IP | Detail |
|---|---|---|---|---|
| 2026-05-10T08:14:32Z | ConsoleLogin | intern.summer2025 | 185.220.101.7 | |
| 2026-05-10T08:16:01Z | GetObject | intern.summer2025 | 185.220.101.7 | arn:aws:s3:::keensafe-private-backups-eu-west-1/tf-state/keensafe-prod.tfstate |
| 2026-05-11T02:44:11Z | CreateAccessKey | devops | — | {'userName': 'ci-runner'} |
| 2026-05-12T22:01:03Z | PutBucketAcl | intern.summer2025 | — | {'bucketName': 'keensafe-private-backups-eu-west-1', 'AccessControlPolicy': {'Grants': [{'Permission': 'READ', 'Grantee': 'AllUsers'}]}} |

Notable activity:

- `intern.summer2025` logged in from `185.220.101.7` (Tor exit node) with no MFA.
- Same user opened `keensafe-private-backups-eu-west-1` to `AllUsers` via `PutBucketAcl`.
- `devops` rotated `ci-runner`'s access key — the new key is visible in the response payload of the event.