
When receiving a request from a user, the following flow gets executed in my serverless infrastructure:

API Gateway => Custom authorizer (performs a bunch of checks and sets principalId with user id) => Lambda function.

The lambda function has a role, lb-role.

I have set up CloudTrail to log DynamoDB data events (GetItem / DeleteItem ...). It is working as expected, and whenever my lambda gets called and accesses data, it logs the access from lb-role.

However, I would also like the log to contain the end user accessing this data. Is it somehow possible?

AnonBird

1 Answer


It's not possible for CloudTrail events to contain custom information. You could, however, add the user to the item which you are storing in DynamoDB.

You may also be able to achieve this by using API GW VTL Mappings, instead of invoking a Lambda function. That way the Cognito user invoking API GW would be logged in CloudTrail and not your Lambda function's role. I've not tested this, but it sounds logically correct in my head.

Leeroy Hannigan
  • 1- Yes, I have been trying to think about this kind of dirty solution. One other way to do it would be to add a `ConditionExpression` which contains the user id and always matches. Since `requestParameters` get logged, this would allow me to know the end user. However, this doesn't seem ideal. I would need to wrap all my commands to add the conditional expression, and this doesn't feel right. 2- Regarding the other solution, I'm not sure how applicable it is for my use case. My lambda function isn't just a wrapper around DynamoDB requests but performs a whole bunch of other things – AnonBird Mar 17 '23 at 08:27
  • Noticed the `userAgent` is also logged. It's possible to manipulate the user agent in `DynamoDBDocumentClient`, so I think I will go with appending the user id to it, if there is no cleaner way to do it? – AnonBird Mar 17 '23 at 08:58
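The two tagging routes discussed in the comments (the `userAgent` marker and the always-true `ConditionExpression`) and the matching log-side extraction, as an added example that is not code from the question, the answer, or AWS. It assumes the AWS SDK for JavaScript v3 that `DynamoDBDocumentClient` belongs to: `customUserAgent` is a real v3 client option, but the SDK is not imported here because nothing below talks to AWS, so the config object is what you would pass to `new DynamoDBClient(...)` and the tagged inputs to `PutCommand` / `UpdateCommand` / `DeleteCommand`. The function names, the `end-user/` marker format, the `#endUserPk` / `:endUser` placeholders and the CloudTrail record are all constructed for this example. Two caveats the comments skip over: `GetItem` has no `ConditionExpression`, so reads can only be tagged via the user agent, and a user id is caller-controlled input, so it is whitelisted before it reaches an HTTP header.

```javascript
// Added example; not code from the question or the answer. Assumes AWS SDK for JS v3:
// the config object goes to `new DynamoDBClient(...)`, the tagged inputs to PutCommand /
// UpdateCommand / DeleteCommand. No SDK import: nothing here makes a network call, and
// the CloudTrail record at the bottom is a constructed sample, not a real log line.

// 1. The userAgent route (second comment).
// Whitelist what may reach the User-Agent header: the user id is caller-controlled, and
// must not be able to inject header content or spoof another caller's marker.
function safeMarker(userId) {
  const cleaned = String(userId).replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 64);
  return `end-user/${cleaned}`; // marker format is an assumption of this example
}

// `customUserAgent` is appended by the SDK to the request's User-Agent header, which
// CloudTrail stores in the `userAgent` field of the data event. Build (or cache) one
// client per user id; never reuse a client tagged for one user on another's request.
function clientConfigFor(userId, region = "eu-west-1") {
  return { region, customUserAgent: safeMarker(userId) };
}

// 2. The ConditionExpression route (first comment). Writes only: GetItem has no
// ConditionExpression. The condition references the end-user id but is true whether
// or not the item exists, so it never changes the outcome of the write.
// `pkName` is the table's partition key attribute.
const END_USER_TAUTOLOGY =
  "(attribute_not_exists(#endUserPk) OR #endUserPk = :endUser OR #endUserPk <> :endUser)";

function tagWrite(input, pkName, userId) {
  const existing = input.ConditionExpression;
  return {
    ...input,
    ConditionExpression: existing ? `(${existing}) AND ${END_USER_TAUTOLOGY}` : END_USER_TAUTOLOGY,
    ExpressionAttributeNames: { ...(input.ExpressionAttributeNames || {}), "#endUserPk": pkName },
    // DocumentClient takes native values; with the low-level client use { S: userId }.
    ExpressionAttributeValues: { ...(input.ExpressionAttributeValues || {}), ":endUser": userId },
  };
}

// 3. Log side: recover the end user from a CloudTrail DynamoDB data-event record.
// The execution role ("lb-role" in the question) is in userIdentity.sessionContext.
// The user id comes from userAgent, or, if your trail records expression values under
// requestParameters as the first comment presumes (check a real record before relying
// on it), from the `:endUser` placeholder.
function endUserFromRecord(record) {
  const role = record.userIdentity?.sessionContext?.sessionIssuer?.userName || null;
  const m = (record.userAgent || "").match(/end-user\/([A-Za-z0-9._-]+)/);
  if (m) return { role, userId: m[1], via: "userAgent" };
  const rp = record.requestParameters || {};
  const fromValues = rp.expressionAttributeValues?.[":endUser"];
  if (fromValues !== undefined) return { role, userId: String(fromValues), via: "requestParameters" };
  return { role, userId: null, via: null };
}

// Constructed sample record (not a real log line); layout follows CloudTrail's
// DynamoDB data events, account id is the usual placeholder.
const SAMPLE_RECORD = {
  eventSource: "dynamodb.amazonaws.com",
  eventName: "DeleteItem",
  userIdentity: {
    type: "AssumedRole",
    arn: "arn:aws:sts::123456789012:assumed-role/lb-role/my-function",
    sessionContext: { sessionIssuer: { type: "Role", userName: "lb-role" } },
  },
  userAgent: "aws-sdk-js/3.0.0 end-user/u-42",
  requestParameters: { tableName: "Orders", key: { pk: "o-1" } },
};

console.log(endUserFromRecord(SAMPLE_RECORD));
console.log(tagWrite({ TableName: "Orders", Key: { pk: "o-1" } }, "pk", "u-42"));
```

Of the two, the user-agent marker is the less invasive: it is set once on the client rather than on every command, it covers reads as well as writes, and it keeps user-supplied data out of the expression that DynamoDB evaluates. Either way, treat the marker as informational, not as an authorization record: the principal CloudTrail attests to is still the Lambda role.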