How to use CloudTrail to find who created an IAM user, and how to get this from logs
If the IAM user was created inside the last 90 days, you can find who created the user using CloudTrail Event history.
Using the AWS CLI:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser --region us-east-1
Using the Console: Go to Event History in CloudTrail Service, choose the EventName filter with a value of CreateUser. You have to use the region us-east-1 to view the events.
If the IAM user was created outside the 90-day time window, you can still find out who created the user if you have a trail enabled in CloudTrail. You can use Amazon Athena or some other method to search the log files created by CloudTrail in S3.
References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html (Note the disclaimer for global services post November 22, 2021)
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html
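For the beyond-90-days case, the log files a trail delivers to S3 are gzip-compressed JSON with a top-level "Records" array. The following is an added example, not part of the answer above, that walks such files and returns who issued the successful CreateUser call for a given user name; the log content is constructed for illustration and every ARN, IP and account number in it is made up.

```python
import gzip
import json
from typing import Iterable, Iterator, Optional

def iter_records(log_files: Iterable[bytes]) -> Iterator[dict]:
    """Yield every record from gzip-compressed CloudTrail log files,
    the format a trail delivers to S3: {"Records": [ ... ]}."""
    for blob in log_files:
        yield from json.loads(gzip.decompress(blob))["Records"]

def find_user_creator(log_files: Iterable[bytes], user_name: str) -> Optional[dict]:
    """Return who created IAM user `user_name`, or None if no successful
    CreateUser record for that name is present in the supplied files."""
    for rec in iter_records(log_files):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateUser":
            continue
        if rec.get("requestParameters", {}).get("userName") != user_name:
            continue
        # A record carrying errorCode (e.g. AccessDenied) is a failed attempt:
        # that call did not create the user, so keep looking.
        if "errorCode" in rec:
            continue
        ident = rec.get("userIdentity", {})
        return {
            "created_at": rec.get("eventTime"),
            "actor_type": ident.get("type"),  # IAMUser, AssumedRole, Root, ...
            "actor_arn": ident.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
        }
    return None

def sample_log_file() -> bytes:
    """Constructed stand-in for one log file read from the trail's S3 bucket."""
    ok = {"eventTime": "2021-06-01T12:05:00Z", "eventSource": "iam.amazonaws.com",
          "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
          "userIdentity": {"type": "IAMUser",
                           "arn": "arn:aws:iam::111122223333:user/admin-alice"},
          "requestParameters": {"userName": "svc-backup"}}
    # Same target user, earlier, but denied: must not be reported as the creator.
    denied = dict(ok, errorCode="AccessDenied", eventTime="2021-06-01T12:00:00Z",
                  userIdentity={"type": "AssumedRole",
                                "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"})
    unrelated = {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
                 "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}}
    return gzip.compress(json.dumps({"Records": [denied, unrelated, ok]}).encode())

if __name__ == "__main__":
    print(find_user_creator([sample_log_file()], "svc-backup"))
```

In practice the byte strings come from listing and downloading the trail's S3 prefix for the date range of interest; the same matching logic is what an Athena query over the CloudTrail table expresses in SQL.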
Related
I'm using AWS and I tried to generate a policy using Access Analyzer. The generated policy never contains the items I expect and am interested in most. I cannot figure out why. Moreover, the events I can see in the CloudTrail event logs do not include data events even though I've configured data events.
I have executed the following actions:
DynamoDB CreateTable aws dynamodb create-table --table-name ....
DynamoDB PutItem aws dynamodb put-item --table-name xxx --item file://contents.json
S3 list aws s3 ls s3://mygreatbucket
S3 download aws s3 cp s3://mygreatbucket/theevengreater/file .
The only relevant event that is being logged in CloudTrail is the create-table event. The data events are missing. I can't figure out what I'm doing wrong. The CloudTrail config says "Log All Events" in the "data events" section for both S3 and DynamoDB.
I followed the instructions in https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html. I know it says "Data events not available – IAM Access Analyzer does not identify action-level activity for data events, such as Amazon S3 data events, in generated policies." But if so, what is the purpose of adding "Logging of data events" to the CloudTrail configuration?
Is there a way to find out which resources are using an IAM role? I want to modify it and wanted to check what could be affected by my modification.
Not quite.
Services can "assume" a role. This happens when the activity is run (e.g. when an AWS Lambda function is invoked, or when an Amazon EC2 instance is launched). Thus, there is no permanent 'link' between roles and services. Therefore, it is not possible to say "list me everything that is using this IAM Role".
However, you could list services and see which roles they are configured to use. For example, you could describe EC2 instances and check what IAM Role they are configured to use. However, you would need to do this for all services that you know are potentially using the roles.
You can find where an IAM role is used from, based on past usage.
I can think of a few ways.
Method 1 - Access Advisor
Click the "Access Advisor" tab that appears when you click an IAM role.
Check the last accessed time of each service.
Method 2 - CloudTrail
The CLI command will tell you which services/users assumed the role and also the actions they performed.
aws cloudtrail lookup-events --max-results 20 --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:iam::012345678901:role/lambdaRole --output json --query "Events[*].[CloudTrailEvent]"
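With `--output json --query "Events[*].[CloudTrailEvent]"`, the command prints a list of one-element lists whose element is itself a JSON-encoded CloudTrail record, so it has to be decoded twice. This added example (not from the answer above) does that decoding and groups the activity by calling principal, labelling service principals such as Lambda by the service that invoked the call; the sample output is constructed and the account number and names are made up.

```python
import json
from collections import defaultdict
from typing import Dict, Set

def principal_of(identity: dict) -> str:
    """Label for who made the call: the invoking service for service principals
    (userIdentity.type == "AWSService"), otherwise the caller's ARN."""
    if identity.get("type") == "AWSService":
        return identity.get("invokedBy", "unknown-service")
    return identity.get("arn") or identity.get("type", "unknown")

def summarize_role_activity(lookup_output: str) -> Dict[str, Set[str]]:
    """Map each principal to the set of 'eventSource:eventName' pairs it
    produced in the lookup-events output for the role."""
    summary: Dict[str, Set[str]] = defaultdict(set)
    for (raw,) in json.loads(lookup_output):
        rec = json.loads(raw)  # CloudTrailEvent is a JSON string inside the JSON
        summary[principal_of(rec.get("userIdentity", {}))].add(
            f"{rec.get('eventSource')}:{rec.get('eventName')}")
    return dict(summary)

# Constructed stand-in for the CLI output: a Lambda service principal assuming the
# role, an IAM user assuming it, and the same user editing its trust policy.
SAMPLE_OUTPUT = json.dumps([
    [json.dumps({"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
                 "userIdentity": {"type": "AWSService",
                                  "invokedBy": "lambda.amazonaws.com"}})],
    [json.dumps({"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
                 "userIdentity": {"type": "IAMUser",
                                  "arn": "arn:aws:iam::012345678901:user/dev-bob"}})],
    [json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
                 "userIdentity": {"type": "IAMUser",
                                  "arn": "arn:aws:iam::012345678901:user/dev-bob"}})],
])

if __name__ == "__main__":
    for principal, actions in summarize_role_activity(SAMPLE_OUTPUT).items():
        print(principal, sorted(actions))
```

Note that lookup-events only covers the last 90 days and returns at most the page size requested with --max-results; older or complete history needs the trail's S3 logs.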
In short, I want to enable CloudTrail for several objects in different S3 buckets. I am able to directly mention all the objects when creating the CloudTrail trail from CloudFormation, but I want to add them at a later point in time.
Create an AWS CloudTrail trail in a CloudFormation stack and export the trail's ARN.
Then, when creating objects in an S3 bucket for which I need CloudTrail data events, I want to add them to this existing CloudTrail trail.
Here is the spot in the console where I can manually add it.
So, I am looking to add data events to an existing CloudTrail trail via CloudFormation.
I have looked through the entire documentation several times; I can only see a way to add them while creating the CloudTrail trail:
Create a CloudWatch Events Rule for an Amazon S3 Source (AWS CloudFormation Template) - CodePipeline
Please advise: what is the resource type that supports this?
You can probably get some hints from the CFT I have created: an S3 event (probably a PutObject operation) logs the event details into a separate bucket, from where CloudWatch Events triggers the execution of the Step Function state machine.
cloudtrail:
  Type: AWS::CloudTrail::Trail
  Properties:
    EnableLogFileValidation: true
    EventSelectors:
      - DataResources:
          # Trailing slash: log data events for every object in the bucket
          - Type: AWS::S3::Object
            Values:
              - arn:aws:s3:::s3-event-step-bucket/
        IncludeManagementEvents: true
        ReadWriteType: All
    IncludeGlobalServiceEvents: true
    IsLogging: true
    IsMultiRegionTrail: true
    S3BucketName: s3-event-step-bucket-storage
    TrailName: xyz
When you deploy this CFT, it will update the existing trail with CloudTrail data events as the trigger point.
It's possible to do object logging on an S3 bucket to CloudTrail using the following guide, but this is through the console.
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html
I've been trying to figure out a way to do this via the CLI, since I want to do this for many buckets, but haven't had much luck. I've set up a new CloudTrail trail on my account and would like to map it to S3 buckets to do object logging. Is there a CLI command for this?
# This is to grant s3 log bucket access (no link to cloudtrail here)
aws s3api put-bucket-logging
It looks like you'll need to use the CloudTrail put_event_selectors() command:
DataResources
CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda functions.
(dict): The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail to log data events.
Do a search for object-level in the documentation page.
Disclaimer: The comment by puji in the accepted answer works. This is an expansion of that answer with the resources.
Here is the AWS documentation on how to do this through the AWS CLI
https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html
The specific CLI command you are interested in is the following, from the above documentation. The original documentation lists two objects in the same bucket. I have modified it to cover all the objects in two buckets.
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::mybucket1/","arn:aws:s3:::mybucket2/"]}]}]'
If you want all the S3 buckets in your AWS account covered, you can use arn:aws:s3::: instead of a list of bucket ARNs, like the following.
aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'
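put-event-selectors replaces the trail's entire selector set, so adding a bucket to a trail later (the situation in the CloudFormation question above) means reading the current selectors back with get-event-selectors, merging, and putting the whole list again; sending only the new bucket would silently drop every data resource configured before. The following is an added example, not from the answer above, of that merge as a pure function; the existing-selector input is constructed from the two-bucket command above plus a made-up Lambda function ARN.

```python
import json
from typing import Dict, List

S3_OBJECT = "AWS::S3::Object"

# Constructed stand-in for what `aws cloudtrail get-event-selectors` returns for a
# trail configured by the two-bucket command above, plus one Lambda data resource
# (kept here to show the merge preserves resources of other types).
EXISTING_SELECTORS = [{
    "ReadWriteType": "All", "IncludeManagementEvents": True,
    "DataResources": [
        {"Type": S3_OBJECT,
         "Values": ["arn:aws:s3:::mybucket1/", "arn:aws:s3:::mybucket2/"]},
        {"Type": "AWS::Lambda::Function",
         "Values": ["arn:aws:lambda:us-east-1:123456789012:function:ingest"]},
    ],
}]

def add_s3_buckets(selectors: List[Dict], bucket_names: List[str]) -> List[Dict]:
    """Return a new selector list with every object in `bucket_names` added to the
    S3 data resources, keeping all existing resources and settings intact."""
    merged = json.loads(json.dumps(selectors))  # deep copy; caller's list untouched
    if not merged:  # trail had no selectors yet: start with a management-events one
        merged = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   "DataResources": []}]
    resources = merged[0].setdefault("DataResources", [])
    s3 = next((r for r in resources if r.get("Type") == S3_OBJECT), None)
    if s3 is None:
        s3 = {"Type": S3_OBJECT, "Values": []}
        resources.append(s3)
    if "arn:aws:s3:::" in s3["Values"]:
        return merged  # trail already logs every bucket in the account
    for name in bucket_names:
        arn = f"arn:aws:s3:::{name}/"  # trailing slash = all objects in the bucket
        if arn not in s3["Values"]:  # skip buckets already covered
            s3["Values"].append(arn)
    return merged

def cli_argument(selectors: List[Dict]) -> str:
    """Compact JSON ready to pass as --event-selectors to put-event-selectors."""
    return json.dumps(selectors, separators=(",", ":"))

if __name__ == "__main__":
    print(cli_argument(add_s3_buckets(EXISTING_SELECTORS, ["mybucket3", "mybucket1"])))
```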
I am trying to follow this job aid to create an API Gateway REST endpoint with an S3 integration.
https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html
However, when I try to create my execution role in IAM, there is only one use case at the bottom for API Gateway: "Allows API Gateway to push logs to CloudWatch Logs." I am unable to attach an S3 policy to the API Gateway role. Is this documentation out of date? How do I add the execution role for S3?
First you create the role with the CloudWatch policy,
then you go to your role list in IAM and find the role you just created;
inside the role you can click on the "Attach policy" button and add any policies.
cheers