
My requirement is to:

  1. Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page.

  2. Send an email notification to a destination that says which SSO user has assumed that role.

What is the Event Name when an SSO user assumes a role to log in to a specific account? I can see there is a new IAM event called DescribeAccountAttributes upon a user assuming a role, but I am wondering if there is a better event to act upon in this scenario?

Can my requirements be fulfilled by creating a new rule in AWS EventBridge, or do I need a custom parser running in Lambda, for example, that parses every single event in CloudTrail and filters the ones I am interested in?


Jatin Mehrotra
Benjamin

1 Answer

Let's break your question into parts:

What is the Event Name when an SSO user assumes a role to log in to a specific account?

EventName is AssumeRole. (You can verify this event in CloudTrail -> Event history -> Event name (lookup attribute) -> AssumeRole (value).)

Coming to your requirements:

Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page.

Send an email notification to a destination that says which SSO user has assumed that role.

You will need to set up a CloudWatch alarm for the CloudTrail event (in your case, AssumeRole).

It would be something like this:

  • Create a metric filter based on the AssumeRole event name
  • Create an alarm
  • Configure SNS as the alarm action whenever the alarm is active
  • Configure your email subscription on that SNS topic
Jatin Mehrotra
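As an added, runnable illustration (not part of the question or the answer above, and not AWS code), the following Python puts the two pieces of the thread side by side: the CloudWatch Logs metric-filter pattern the answer describes, the equivalent EventBridge event pattern the question asks about, and the record parsing a Lambda would need to name the SSO user in the email. It assumes the trail is delivered to CloudWatch Logs (for the metric filter) or to EventBridge (for the rule), and it matches both `AssumeRole` and `AssumeRoleWithSAML`, the STS call recorded when a SAML-federated sign-in such as the IAM Identity Center portal assumes a role. The sample record is constructed to mirror the CloudTrail record shape; the account id, role hash, user name and IP address are placeholders.

```python
"""Match CloudTrail role-assumption records for one SSO permission set and
build the notification text. Added example; not the thread's own code."""
from typing import Optional

# Role from the question. IAM Identity Center / AWS SSO provisions the
# permission set as an IAM role named AWSReservedSSO_<permission-set>_<hash>.
WATCHED_ROLE = "developer-full-access"
SSO_ROLE_PREFIX = "AWSReservedSSO_"

# CloudWatch Logs metric-filter pattern for the answer's approach (assumes the
# trail is delivered to a log group). The wildcard limits the metric to the
# watched role; the alarm then fires on a non-zero count.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "sts.amazonaws.com") && '
    '(($.eventName = "AssumeRole") || ($.eventName = "AssumeRoleWithSAML")) && '
    '($.requestParameters.roleArn = "*developer-full-access*") }'
)

# Equivalent EventBridge event pattern (the question's alternative), assumed
# shape for put_rule(EventPattern=json.dumps(EVENTBRIDGE_PATTERN)).
EVENTBRIDGE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "source": ["aws.sts"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole", "AssumeRoleWithSAML"],
        "requestParameters": {"roleArn": [{"wildcard": "*developer-full-access*"}]},
    },
}

# Constructed sample record (placeholder account, hash, user and IP).
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "SAMLUser", "principalId": "PLACEHOLDER",
                     "userName": "alice@example.com"},
    "eventTime": "2024-01-15T10:23:45Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithSAML",
    "sourceIPAddress": "203.0.113.10",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                   "AWSReservedSSO_developer-full-access_0123456789abcdef",
    },
    "responseElements": {"assumedRoleUser": {
        "arn": "arn:aws:sts::123456789012:assumed-role/"
               "AWSReservedSSO_developer-full-access_0123456789abcdef/alice@example.com"}},
    "recipientAccountId": "123456789012",
}
# Same sign-in against a different permission set: must not notify.
OTHER_ROLE_RECORD = dict(SAMPLE_RECORD, requestParameters={
    "roleArn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
               "AWSReservedSSO_read-only_fedcba9876543210"})


def role_name_from_arn(role_arn: str) -> str:
    """Last path element of a role ARN, e.g. AWSReservedSSO_x_<hash>."""
    return role_arn.rsplit("/", 1)[-1]


def permission_set_from_role(role_name: str) -> str:
    """AWSReservedSSO_<permission-set>_<hash> -> <permission-set>; other roles unchanged."""
    if role_name.startswith(SSO_ROLE_PREFIX):
        return role_name[len(SSO_ROLE_PREFIX):].rsplit("_", 1)[0]
    return role_name


def sso_user_from_record(record: dict) -> Optional[str]:
    """SAMLUser identities carry userName; otherwise fall back to the session
    name of the assumed-role ARN, which the SSO portal sets to the user name."""
    user = record.get("userIdentity", {}).get("userName")
    if user:
        return user
    arn = record.get("responseElements", {}).get("assumedRoleUser", {}).get("arn", "")
    return arn.rsplit("/", 1)[-1] if "/" in arn else None


def match_role_assumption(record: dict, watched_role: str = WATCHED_ROLE) -> Optional[dict]:
    """Fields worth reporting, or None if the record is not an assumption of the watched role."""
    if record.get("eventSource") != "sts.amazonaws.com":
        return None
    if record.get("eventName") not in ("AssumeRole", "AssumeRoleWithSAML"):
        return None
    role_name = role_name_from_arn(record.get("requestParameters", {}).get("roleArn", ""))
    if permission_set_from_role(role_name) != watched_role:
        return None
    return {"user": sso_user_from_record(record), "role": role_name,
            "account": record.get("recipientAccountId"), "time": record.get("eventTime"),
            "source_ip": record.get("sourceIPAddress")}


def notification_message(match: dict) -> str:
    return (f"SSO user {match['user']} assumed role {match['role']} in account "
            f"{match['account']} at {match['time']} from {match['source_ip']}")


def lambda_handler(event: dict, context=None) -> dict:
    """EventBridge target entry point: the CloudTrail record sits under event['detail']."""
    match = match_role_assumption(event.get("detail", {}))
    if match is None:
        return {"notified": False}
    message = notification_message(match)
    # In a deployment: boto3.client("sns").publish(TopicArn=TOPIC_ARN, Message=message)
    return {"notified": True, "message": message}


if __name__ == "__main__":
    print(lambda_handler({"detail": SAMPLE_RECORD}))
```

One design point worth knowing before choosing between the two approaches: a CloudWatch alarm notification carries only the alarm name and state, not the log record, so the metric-filter route tells you that the role was assumed but not by whom. Naming the user in the email needs the record itself, which is why the handler above sits behind an EventBridge rule (or an EventBridge input transformer could inject `userIdentity.userName` into the SNS message without a Lambda at all).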