
I have a case where I need to add IAM users dynamically and send their credentials to their emails so that they can log in to the AWS account and do some operations like creating VPCs, EC2 instances, S3 buckets, deleting resources, etc.

I also need to check what events they have performed in the AWS account after logging in with the IAM username.

I'm able to create IAM users dynamically and send the credentials to the users' emails.

I'm stuck at creating a CloudTrail trail for each user separately. The basic idea is to have a separate trail for each user, whose events will be logged to it and stored in an S3 bucket that only that specific username has access permission for.

I have gone through boto3's CloudTrail create_trail() documentation, but didn't find an option where we can specify the user's name for which the trail should log the events.

Something like user1_trail, user2_trail, user3_trail which will be recording the events from user1, user2, user3 accordingly and will be storing in an S3 bucket with names like user1_trails_file, user2_trails_file, user3_trails_file.

I was able to filter the CloudTrail events based on user name in the CloudTrail section of the AWS console.

(Screenshot: AWS console)

Is there any way to log the events for each user separately in different trails?

Underoos
  • Many CloudTrail events don't have a physical user. What is the _actual_ problem that you're trying to solve? – kdgregory Dec 29 '19 at 11:13
  • @kdgregory I have a set of tasks that every user needs to perform after logging into the account. I need to verify if the user has actually done those tasks and how long it took for him/her to do them, and basically everything that the user did after logging into the account. – Underoos Dec 29 '19 at 11:17
  • From that description, it seems that the best solution is to put all of your events into a single bucket and then use an Athena query to extract the ones belonging to a particular user. – kdgregory Dec 29 '19 at 11:47
  • Re your edit: that's the [LookupEvents](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) API, which will do a search over the retained events (the ones that aren't bucketed). It can't be used to distribute those events unless you want to write a program. And if you do that, I think a Lambda responding to bucketed events is a better solution. – kdgregory Dec 29 '19 at 11:48
  • So, will the created trail contain the latest events too? Will the logs in S3 be updated instantly? When I query the logs in the S3 bucket, will I get the most recent logs? Is there any such config that I can set up while creating a trail in boto3? I haven't found any in the boto3 documentation. – Underoos Dec 29 '19 at 14:41
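The comments point at the approach that actually fits CloudTrail's data model: one trail writing to one bucket, and per-user separation done afterwards by a program (for example a Lambda triggered by each log object landing in the bucket). The following is an added example, not code from the question's author or from AWS, showing what that post-processing step looks like. It decodes one CloudTrail log object (the gzip-compressed `{"Records": [...]}` body CloudTrail writes), splits the records by `userIdentity.userName`, and answers the "did the user do the required tasks and how long did it take" question per IAM user. The sample records, account id, principal ids and user names are constructed for the demonstration; the field names (`userIdentity.type`, `userName`, `eventTime`, `eventName`, `errorCode`) are the ones CloudTrail uses. Events from role sessions and AWS services have no IAM user and are kept in an `unattributed` group, which is the "no physical user" case raised in the comments.

```python
import gzip
import json
from collections import defaultdict
from datetime import datetime


def _rec(identity, time, source, name, **extra):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventVersion": "1.05", "userIdentity": identity, "eventTime": time,
           "eventSource": source, "eventName": name, "awsRegion": "us-east-1"}
    rec.update(extra)
    return rec


# Constructed identities: two IAM users, one role session, one AWS service caller.
_USER1 = {"type": "IAMUser", "principalId": "AIDAEXAMPLE1", "accountId": "123456789012",
          "arn": "arn:aws:iam::123456789012:user/user1", "userName": "user1"}
_USER2 = {"type": "IAMUser", "principalId": "AIDAEXAMPLE2", "accountId": "123456789012",
          "arn": "arn:aws:iam::123456789012:user/user2", "userName": "user2"}
_ROLE = {"type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy", "accountId": "123456789012",
         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy",
         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole"}}}
_SERVICE = {"type": "AWSService", "invokedBy": "config.amazonaws.com"}

# Constructed sample of one log object as CloudTrail would write it to the trail's bucket
# (gzip-compressed JSON with a top-level "Records" list).
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": [
    _rec(_USER2, "2019-12-29T11:10:00Z", "signin.amazonaws.com", "ConsoleLogin"),
    _rec(_USER1, "2019-12-29T11:13:00Z", "signin.amazonaws.com", "ConsoleLogin"),
    _rec(_USER2, "2019-12-29T11:15:00Z", "s3.amazonaws.com", "CreateBucket"),
    _rec(_USER1, "2019-12-29T11:20:00Z", "ec2.amazonaws.com", "CreateVpc"),
    _rec(_ROLE, "2019-12-29T11:30:00Z", "ec2.amazonaws.com", "RunInstances"),
    _rec(_SERVICE, "2019-12-29T11:31:00Z", "ec2.amazonaws.com", "DescribeInstances"),
    _rec(_USER1, "2019-12-29T11:45:00Z", "ec2.amazonaws.com", "DeleteVpc",
         errorCode="Client.UnauthorizedOperation"),
]}).encode())


def load_records(body):
    """Decode a CloudTrail log object (gzip or plain JSON bytes) into its record list."""
    if body[:2] == b"\x1f\x8b":  # gzip magic number
        body = gzip.decompress(body)
    return json.loads(body)["Records"]


def principal_name(record):
    """IAM user name the event belongs to, or None when the caller was not an IAM user
    (role sessions, AWS services, federated users). Those events cannot be assigned
    to a per-user trail; a role session needs correlating with its AssumeRole event."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    if ident.get("type") == "Root":
        return "root"
    return None


def partition_by_user(records):
    """Group records by IAM user, in time order; non-user callers go to 'unattributed'."""
    parts = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        parts[principal_name(rec) or "unattributed"].append(rec)
    return dict(parts)


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def task_summary(parts, required_tasks):
    """Per IAM user: required API calls that succeeded, ones still missing, number of
    failed calls (records carrying errorCode), and seconds from first to last event."""
    required = set(required_tasks)
    summary = {}
    for user, recs in parts.items():
        if user == "unattributed":
            continue
        done = {r["eventName"] for r in recs if "errorCode" not in r}
        times = [_parse_time(r["eventTime"]) for r in recs]
        summary[user] = {
            "completed": done & required,
            "missing": required - done,
            "failed_calls": sum("errorCode" in r for r in recs),
            "elapsed_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return summary


if __name__ == "__main__":
    parts = partition_by_user(load_records(SAMPLE_LOG_FILE))
    for user, rows in parts.items():
        print(user, [r["eventName"] for r in rows])
    print(task_summary(parts, {"CreateVpc", "CreateBucket"}))
```

In a Lambda this is the body of the handler: read the object named in the S3 event notification, call `load_records` on its bytes, and write each group from `partition_by_user` to a per-user prefix, which gives the `user1_trails_file` layout from the question without needing one trail per user. Note that the failed `DeleteVpc` call is counted but not credited as a completed task, and that the role-session and service events are kept rather than dropped, so the unattributed group is still available for review.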

0 Answers