I have enabled an organizational CloudTrail. In each account I can see the events specific to the account, which is fine. But also in my management account, where I created the organizational trail, I only see the events of that account. In the centralized logging bucket I can see log files of each account. Is it possible to see all events of all accounts in my management account? I want to create some EventBridge rules on them, and I prefer to do it in one centralized account rather than in every account in the organization.
Related
We have an AWS account with an IAM group; this group contains practically 6 users, and most operations in the account are done by these 6 users.
There are 12 Lambda functions that have been created in the account, and there is a particular Lambda function (created by one of the 6 users) whose creator (the Lambda function owner) I am trying to find out.
Please, is there a way to do this?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
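The two questions above (seeing every member account's events from the central trail, and finding who created a Lambda function) are both answered by reading the records an organization trail writes. The following is an added example, not code from either post or from AWS: it loads a CloudTrail log file (the gzipped JSON object with a "Records" array that the trail delivers to the bucket), groups records by recipientAccountId, looks up the principal behind a CreateFunction call, and applies a simplified EventBridge-style pattern so you can see which accounts a central rule would catch. The log records, account ids, user names and ARNs are constructed placeholders; the pattern matcher only implements the exact-value list form of EventBridge patterns.

```python
"""Work with organization-trail CloudTrail records centrally.

Sample data is constructed to follow the CloudTrail record layout
(Records[].eventSource, eventName, userIdentity, recipientAccountId,
requestParameters). All account ids and ARNs below are placeholders.
"""
import gzip
import json
from collections import Counter

# Constructed sample: the body of one log file as an organization trail
# writes it. Records from two member accounts and the management account.
SAMPLE_LOG_FILE = {
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111111111111:user/alice",
                             "accountId": "111111111111"},
            "eventTime": "2023-05-01T10:00:00Z",
            "eventSource": "lambda.amazonaws.com",
            "eventName": "CreateFunction20150331",
            "awsRegion": "us-east-1",
            "requestParameters": {"functionName": "billing-report"},
            "recipientAccountId": "111111111111",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "bob",
                             "arn": "arn:aws:iam::222222222222:user/bob",
                             "accountId": "222222222222"},
            "eventTime": "2023-05-01T10:05:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-east-1",
            "requestParameters": {"instanceType": "t3.micro"},
            "recipientAccountId": "222222222222",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "carol",
                             "arn": "arn:aws:iam::111111111111:user/carol",
                             "accountId": "111111111111"},
            "eventTime": "2023-05-01T11:00:00Z",
            "eventSource": "lambda.amazonaws.com",
            "eventName": "DeleteFunction20150331",
            "awsRegion": "us-east-1",
            "requestParameters": {"functionName": "old-cleanup"},
            "recipientAccountId": "111111111111",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "admin",
                             "arn": "arn:aws:iam::999999999999:user/admin",
                             "accountId": "999999999999"},
            "eventTime": "2023-05-01T12:00:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "DescribeTrails",
            "awsRegion": "us-east-1",
            "requestParameters": None,
            "recipientAccountId": "999999999999",
        },
    ]
}


def load_records(blob: bytes) -> list:
    """Return the Records list from a log file body, gzipped or plain JSON."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic: CloudTrail delivers .json.gz
        blob = gzip.decompress(blob)
    return json.loads(blob.decode("utf-8")).get("Records", [])


def events_by_account(records: list) -> Counter:
    """Count records per recipientAccountId, i.e. per member account."""
    return Counter(r.get("recipientAccountId", "unknown") for r in records)


def find_creator(records, event_source, event_name, param_key, param_value):
    """Return the userIdentity of the call that created a resource, or None.

    Matches on eventSource, eventName and one requestParameters value
    (e.g. functionName for Lambda).
    """
    for r in records:
        params = r.get("requestParameters") or {}
        if (r.get("eventSource") == event_source and r.get("eventName") == event_name
                and params.get(param_key) == param_value):
            return r.get("userIdentity")
    return None


def to_eventbridge_event(record: dict) -> dict:
    """Shape a record like the 'AWS API Call via CloudTrail' event a rule sees."""
    service = record["eventSource"].split(".")[0]
    return {"detail-type": "AWS API Call via CloudTrail", "source": f"aws.{service}",
            "account": record["recipientAccountId"], "region": record["awsRegion"],
            "detail": record}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Simplified EventBridge matching: lists are allowed literal values, dicts nest."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern values must be lists or nested objects")
    return True


def accounts_matching(records: list, pattern: dict) -> list:
    """Sorted account ids that produced at least one event matching the pattern."""
    return sorted({r["recipientAccountId"] for r in records
                   if matches_pattern(to_eventbridge_event(r), pattern)})


if __name__ == "__main__":
    recs = load_records(gzip.compress(json.dumps(SAMPLE_LOG_FILE).encode()))
    print(events_by_account(recs))
    print(find_creator(recs, "lambda.amazonaws.com", "CreateFunction20150331",
                       "functionName", "billing-report"))
    print(accounts_matching(recs, {"detail-type": ["AWS API Call via CloudTrail"],
                                   "detail": {"eventSource": ["lambda.amazonaws.com"]}}))
```

Because every record in the central bucket carries recipientAccountId, a single process in the management account can attribute each event to its member account without any per-account setup; the per-resource creator lookup is the same idea applied to one Create call.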
I was invited to an AWS organization.
Now, after I logged in to the AWS Console as root user, I could not see anything created by the organization (Lambda, S3, etc.).
Is there any additional step I should take except accepting the invitation?
Or is this some config missing on the organization side?
Thank you
AWS Organizations is a way of combining individual AWS Accounts into a hierarchy. Billing can 'roll-up' the hierarchy and permissions can 'go down'.
However, when you log in to a specific AWS Account, you will only be able to view/access resources in that particular account. If you wish to view/access resources in another account within the organization, you would need to use an IAM Role to log in to that other account.
I'm trying to create an AWS Control Tower landing zone for my AWS organization, and am getting a message saying "You must unsubscribe your organization from AWS CloudTrail so that AWS Control Tower can proceed. During the setup process, AWS Control Tower creates a new trail in the audit account that's part of your landing zone." How do I do this? Does this mean stopping all CloudTrail trails from sending logs, or is there an organization-wide setting to disable?
AWS Control Tower needs trusted access to be disabled for both CloudTrail and Config. To disable this you need to log in to the Organization management account and go to AWS Organizations > Services > Disable Config/CloudTrail.
Trusted access enabled at an Organization level enables these services to inject service roles into all member accounts where they need to change something. Disabling this for CloudTrail would result in the Organization trail not working anymore; however, the master trail would still be intact. All shadow trails in member accounts would be disabled. AWS still allows you to search/filter/download CloudTrail management events in each of the member accounts for the last 90 days; they just wouldn't be transferred to a central S3 bucket for storage.
I am attempting to use CloudWatch AWS/Billing metrics to consolidate cost information in a central aggregator.
All the guides I can find seem to just point to setting "Receive Billing Alerts" on the master payer account. After doing that the metrics appear on that 'root' account. But none of the other accounts or users can see them.
UPDATE: I can get the data if I make a new IAM user in the root account, but I felt that since my user could see the Billing dashboard, it should also be able to see the CloudWatch metrics.
I would like to write a policy for a new IAM user so that he can have full access to AWS services such as EC2, RDS, CloudFront, S3, etc. However, he should only be able to view (describe) and manage the instances/services that he launches. He can't see other existing/future instances/services created by other users.
This case arises in a company that wants to outsource some projects to an outsourced company. So the new IAM user is for giving the outsourced company access to set up the staging & production environments in AWS that belong to the company. How can I achieve this?
Thanks.
Best Regards,
Mark
AFAICT there are no conditions on creator.
One obvious alternative is having a separate dependent and linked account with consolidated billing. You can find some detail in the third scenario of this paper:
https://media.amazonwebservices.com/AWS_Setting_Up_Multiuser_Environments_Education.pdf
[...] an administrator creates separate AWS accounts for each user who needs a new AWS account. These accounts can optionally be linked together and a single AWS account can be designated as the paying account using consolidated billing, which provides a single bill for multiple AWS accounts. The administrator then creates an IAM user in each AWS account and applies an access control policy to each user. Users are given access to the IAM user within their AWS account, but do not have access to the root credentials of the AWS account. Users can log into the AWS Management Console with their IAM credentials and then they can launch and access different AWS services, subject to the access control policies applied to their account. Users have direct control over the access credentials for their resources and they can also share these resources with other users as necessary.