Using JmesPath to filter CloudTrail logs

Three major issues in this line:

path = jmespath.search('logs',{'S3BucketName': ''}})

1. When using the JMESPath search function, you have to give the expression as first parameter and the JSON document as second parameter, when you are doing the opposite here.

   search(<jmespath expr>, <JSON document>) -> <return value>
   

   ^{Source: https://jmespath.org/specification.html#jmespath-specification}
   So you should rather have:

   path = jmespath.search('some-search-experssion', some_variable)
   

2. Your are passing a string 'logs' to the search function and not the variable logs containing the JSON document itself, so it should rather be

   path = jmespath.search('some-search-experssion', logs)
   

3. To search a simple object like you have, you just need to reference the key of the object right away, so your search expression should simply be: S3BucketName

   path = jmespath.search('S3BucketName', logs)
   

So, all together, with the script test.py:

import jmespath

logs = {
    "Name": "GoodTrail",
    "S3BucketName": "goodbucket3",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": False,
    "TrailARN": "arn:aws:cloudtrail:us-east-1:562922379100:trail/GoodTrail",
    "LogFileValidationEnabled": False,
    "IsOrganizationTrail": False,
    "ResponseMetadata": {
        "RequestId": "520fdfae-02ea-4695-857c-c47c7bcb00dd",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "520fdfae-02ea-4695-857c-c47c7bcb00dd",
            "content-type": "application/x-amz-json-1.1",
            "content-length": "242",
            "date": "Fri, 18 Dec 2020 15:48:26 GMT"
        },
        "RetryAttempts": 0
    }
}

#print(logs)

path = jmespath.search('S3BucketName', logs)
print(path)

Gives:

$ python3 test.py 
goodbucket3