TrailTool's core idea is to pre-aggregate CloudTrail events at ingest time into entity relationships — People, Sessions, Roles, Services, Resources — so queries are DynamoDB reads rather than log scans. The CLI talks directly to your DynamoDB tables using standard AWS credentials, no API layer needed.
The four workflows in the post (ClickOps detection, least-privilege policy generation, AccessDenied remediation, break-glass validation) all came from things I was actually doing manually. The session transcripts are real Claude Code runs using the tool.
Wondering if this feels useful to folks, or if there are other CloudTrail questions that could be pre-computed this way to accomplish common tasks.
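
The ingest-time pre-aggregation described above, as an added sketch that is not TrailTool's code or schema: each event is folded into per-role relationship items, so "what has this role used?" becomes a key lookup instead of a log scan. The `ROLE#`/`ACTION#`/`DENIED#`/`SESSION#`/`RESOURCE#` key layout, the in-memory dict standing in for a DynamoDB table, and the sample events are all assumptions constructed for illustration.

```python
ROLE = "arn:aws:iam::111122223333:role/deploy"  # constructed role ARN

def ev(time, source, name, session, resource=None, error=None):
    """Build a constructed CloudTrail record with only the fields used below."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "arn": f"arn:aws:sts::111122223333:assumed-role/deploy/{session}",
                            "sessionContext": {"sessionIssuer": {"arn": ROLE}}},
           "resources": [{"ARN": resource}] if resource else []}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [  # constructed sample input
    ev("2024-05-01T10:00:00Z", "s3.amazonaws.com", "GetObject", "alice", "arn:aws:s3:::example-bucket/app.zip"),
    ev("2024-05-01T10:05:00Z", "s3.amazonaws.com", "GetObject", "alice", "arn:aws:s3:::example-bucket/app.zip"),
    ev("2024-05-01T11:00:00Z", "dynamodb.amazonaws.com", "DescribeTable", "bob"),
    ev("2024-05-01T11:30:00Z", "kms.amazonaws.com", "Decrypt", "bob", error="AccessDenied"),
]

def ingest(table, rec):
    """Fold one event into relationship items; the raw event is not kept."""
    ident = rec["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return  # this sketch only models role sessions
    role = ident["sessionContext"]["sessionIssuer"]["arn"]
    # eventName is not always the IAM action name; a real tool needs a mapping here.
    action = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
    kind = "DENIED" if rec.get("errorCode") == "AccessDenied" else "ACTION"
    edges = [f"{kind}#{action}", "SESSION#" + ident["arn"].rsplit("/", 1)[-1]]
    edges += ["RESOURCE#" + r["ARN"] for r in rec.get("resources") or [] if r.get("ARN")]
    for sk in edges:  # one upsert per (role, related entity) edge
        item = table.setdefault(("ROLE#" + role, sk), {"count": 0, "first_seen": rec["eventTime"]})
        item["count"] += 1
        item["first_seen"] = min(item["first_seen"], rec["eventTime"])
        item["last_seen"] = max(item.get("last_seen", ""), rec["eventTime"])

def query(table, pk, sk_prefix):
    """Stand-in for a DynamoDB Query: exact partition key, begins_with on sort key."""
    return {sk[len(sk_prefix):]: v for (p, sk), v in sorted(table.items())
            if p == pk and sk.startswith(sk_prefix)}

def build_table(events):
    table = {}
    for rec in events:
        ingest(table, rec)
    return table
```

Querying the `ACTION#` prefix for a role gives the set of calls it actually made (the starting point for a least-privilege policy), while the `DENIED#` prefix lists the calls that were refused.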