How many accounts could send cloudwatch events to AWS logs destination? - amazon-web-services

Trying to have a central account processing cloudwatch logs. (Cross account logs forwarding)
Following https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html
After step 7a is complete, in the log data recipient account,
associate an access policy with the destination. This policy enables
the log data sender account (111111111111) to access the destination
in the log data recipient account (999999999999).
There is a limitation * is not possible to be defined in Priciple AWS accounts.
If multiple accounts are sending logs to this destination, each sender
account must be listed separately in the policy. This policy does not
support specifying * as the Principal or the use of the
aws:PrincipalOrgId global key.
Is there any limitation of how many accounts could be granted/attached using access policy ?

With resource policies for cloudwatch logs your only limit is a max policy document length of 5120 characters. Depending on the number of accounts and the size/maturity of your organization I would recommend configuring aws organizations. With aws organizations you can use the principleOrgID condition key in the resource policy to grant any account in your organization permissions to write logs. More information on that strategy can be found here.

Related

Cross account CW query from python lambda

I have two accounts A and B. I have a service in Account B that writes its logs to CloudWatch. In account A I have a AWS lambda that periodically needs to run a CloudWatch insights query to retrieve logs that match a pattern.
I can't seem to find a way to setup permissions for this or how to make a cross account cloud watch query from Lambda in Account A to CloudWatch logs in Account B. Is this even possible? If so, how?
You can do it, using cross-account access IAM role, assuming the role from the B account.
A good detailed explanation with examples can be found here.
Essentially, you have to assume a role from account B which allows your Lambda function in account A to access certain resources in account B. In the trust policy of the IAM role your AWS account A ID has to be set, so your Lambda can access resources based on what the account B policy allows.

How to know the IAM user who created a Lambda function

We have an AWS account with an IAM group, this group contains practically 6 users and most operations in the account are done by this 6 users.
There are 12 Lambda Functions that have been created in the account and there is a particular lambda function (created by one of the 6 users) that I am trying to know who created it (The Lambda function owner).
Please is there a way to do this ?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

How to Identify the exact IAM user permissions used by a Programatic access user

In production I just wanted to give only the required permissions in the policy for IAM user.
Currently I have given S3FullAccess Policy for the IAM user, is there any way to identify which all permissions in that s3 bucket are been utilized by the IAMuser, Do we have any kind of logs that states this? So if I could get those permissions I could create a custom policy for the user with only specific permissions that the user requires.
Use Amazon S3 server access logging, AWS CloudTrail logs or a combination of both to identify what the user is accessing from the S3 service. Here is the difference between the two approaches.

is there a way to set alarm for inactive aws user

Is there any way to set an alarm for AWS users that been inactive for e.g. 60 days? I mean I need an alarm to be created which will send notification if an AWS user account have been inactive for a period of time
From GenerateServiceLastAccessedDetails - AWS Identity and Access Management:
GenerateServiceLastAccessedDetails() Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours.
From GetServiceLastAccessedDetails - AWS Identity and Access Management:
GetServiceLastAccessedDetails() Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.
So, take a look at those commands (available via AWS CLI or AWS SDK) and find the latest date of all the services that the user has accessed.
See also: Identify unused IAM roles and remove them confidently with the last used timestamp | AWS Security Blog
Yes and no. There is no plain Alarm that can do that. AWS CloudWatch Alarms can only alarm based on CloudWatch Metrics and IAM Users do not send any metrics to here.
You could write a Lambda, have it iterate through IAM Users and get their last active date. Then add an EventRule which will run this Lambda regularly, such as once per day. If Users are inactive, you could send a message to an SNS Topic, or if you wanted more adjustable alarms, send some metrics to CloudWatch Metrics in a custom namespace, then create a CloudWatch Alarm to alert on those metrics.

How to create a separate cloudtrail for each IAM user in AWS S3 buckets using boto3?

I have a case where I need to add IAM users dynamically and send their credentials to their emails so that they can login to the AWS account and do some operations like creating vpcs, ec2 instances, s3 buckets, deleting resources etc.
I also need to check what are the events that they have done in the AWS account after logging in using the IAM username.
I'm able to create IAM users dynamically and send the credentials to user's emails.
I'm stuck at creating a cloudtrail for each user separately. The basic idea is to have a separate cloudtrail for each user whose events will be logged to it and stored in an S3 bucket which has access permission for only specific username.
I have gone through boto3 cloudtrail's create_trail() documentation. But didn't find an option where we can specify the user's name for which the cloudtrail should log the events.
Something like user1_trail, user2_trail, user3_trail which will be recording the events from user1, user2, user3 accordingly and will be storing in an S3 bucket with names like user1_trails_file, user2_trails_file, user3_trails_file.
I was able to filter the cloudtrail events based on user name in Cloudtrail section in AWS console.
Is there any way to log the events for each user separately in different cloudtrails ?