1

I am trying to figure out usage of an AD user, using AWS via AssumeRoleWithSAML, following this ink, https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/.

However, i dont see AssumeRoleWithSAML event at all in my Cloudtrails, though i can clearly see activity from this user. I went all the way to early July in cloudtrail to look up AssumeRoleWithSaml and dont see any event.

Am i missing something? Bcos of this event not coming, i am not able to correlate what this user is doing in AWS.

Thanks Amit

Amit
  • 83
  • 1
  • 7
  • At my company we only use federated user, and I can confirm it logs on Cloudtrail the event AssumeRoleWithSAML. If you want on Monday I can put here one example of my event. – Azize Aug 03 '19 at 00:43

1 Answers1

1

You are right, there should be an event with name AssumeRoleWithSAML in the CloudTrail logs.

You already referenced the correct AWS security blog post which describes how to "identify a SAML federated user". [1]

Let's go into detail.
The IAM docs [2] contain an example how the AssumeRoleWithSAML event should look like:

    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "WebIdentityUser",
        "principalId": "accounts.google.com:[id-of-application].apps.googleusercontent.com:[id-of-user]",
        "userName": "[id of user]",
        "identityProvider": "accounts.google.com"
      },
      "eventTime": "2016-03-23T01:39:51Z",
      "eventSource": "sts.amazonaws.com",
      "eventName": "AssumeRoleWithWebIdentity",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "192.0.2.101",
      "userAgent": "aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5",
      "requestParameters": {
        "durationSeconds": 3600,
        "roleArn": "arn:aws:iam::444455556666:role/FederatedWebIdentityRole",
        "roleSessionName": "MyAssignedRoleSessionName"
      },
      "responseElements": {
        "provider": "accounts.google.com",
        "subjectFromWebIdentityToken": "[id of user]",
        "audience": "[id of application].apps.googleusercontent.com",
        "credentials": {
          "accessKeyId": "ASIACQRSTUVWRAOEXAMPLE",
          "expiration": "Mar 23, 2016 2:39:51 AM",
          "sessionToken": "[encoded session token blob]"
        },
        "assumedRoleUser": {
          "assumedRoleId": "AROACQRSTUVWRAOEXAMPLE:MyAssignedRoleSessionName",
          "arn": "arn:aws:sts::444455556666:assumed-role/FederatedWebIdentityRole/MyAssignedRoleSessionName"
        }
      },
      "resources": [
        {
          "ARN": "arn:aws:iam::444455556666:role/FederatedWebIdentityRole",
          "accountId": "444455556666",
          "type": "AWS::IAM::Role" 
        }
      ],
      "requestID": "6EXAMPLE-e595-11e5-b2c7-c974fEXAMPLE",
      "eventID": "bEXAMPLE-0b30-4246-b28c-e3da3EXAMPLE",
      "eventType": "AwsApiCall",
      "recipientAccountId": "444455556666"
    }

As we can see, the requestParameters contain an element durationSeconds which is the value you are looking for.

Why is the event missing?

  1. First of all, it is necessary to know if you are using the AWS CloudTrail Console or if you are parsing the CloudTrail files which were delivered to the S3 bucket. If you use the CloudTrail console, you are able the view the last 90 days of recorded API activity and events in an AWS Region only!! [3]
    So make sure that you use AWS Athena or another solution if you must go further back in time.

  2. You must look into the trail of the correct region! You do this by inspecting the respective S3 prefix for a multi-region trail or by clicking onto the desired region in the top right corner if you use the AWS CloudTrail Console. This is important because regional services are logging to their respective trail!! AWS mentions this as follows:

    If you activate AWS STS endpoints in Regions other than the default global endpoint, then you must also turn on CloudTrail logging in those Regions. This is necessary to record any AWS STS API calls that are made in those Regions. For more information, see Turning On CloudTrail in Additional Regions in the AWS CloudTrail User Guide. [4]

  3. Make sure to look into the correct account! You must inspect the trail of the account whose role was assumed. I mention this explicitly because there are multi-account environments which might use centralized identity accounts etc.

References

[1] https://aws.amazon.com/de/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
[3] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

Martin Löper
  • 6,471
  • 1
  • 16
  • 40
  • Thanks for the detailed info Martin. Indeed the assumedRole traces were present in the us-east-1 cloudtrail, and i was looking at a different region. – Amit Aug 06 '19 at 14:22