I have a Lambda function in an admin account that is triggered by an SQS queue, which receives messages from an SNS topic in a managed account, which in turn is triggered by a compliance change for a Config Rule ("access-keys-rotated") in that same managed account.
I have noticed that the messages received from SNS only include the IAM user ID, not a user name. In order to apply a policy/role to a user programmatically I have to have the UserName parameter.
Is there a way to resolve UserName from user ID that I just haven't stumbled upon yet? I've pored over the boto IAM API docs, but every call I can think of making requires a UserName.
Alternatively, is there a better way of architecting this workflow so that it is reliable AND provides me with the UserName for an IAM user?
My requirements are to:
1. Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page.
2. Send an email notification to a destination that says which SSO user has assumed that role.
What is the Event Name called when an SSO user assumes a role to log into a specific account? I can see there is a new IAM event called DescribeAccountAttributes upon a user assuming a role, but I am wondering if there is a better event to act upon in this scenario.
Can my requirements be fulfilled by creating a new rule in AWS EventBridge, or do I need a custom parser running in Lambda, for example, that parses every single event in CloudTrail and filters the ones I am interested in?
Let's break your question into parts:
"What is the Event Name called when an SSO user assumes a role to log into a specific account?"
The EventName is AssumeRole. (You can verify this event in CloudTrail -> Event history -> Event name (lookup attribute) -> AssumeRole (value).)
Coming to your requirements:
"Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page."
"Send an email notification to a destination that says which SSO user has assumed that role."
You will need to set up a CloudWatch alarm for the CloudTrail event (in your case, AssumeRole).
It would be something like this:
1. Create a metric filter based on the AssumeRole event name.
2. Create an alarm.
3. Configure SNS as the alarm action, so it fires whenever the alarm is active.
4. Subscribe your email address to that SNS topic.
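The answer's pipeline (metric filter on the event name, alarm, SNS email) only works if the filter picks out the right records, so the following added example, which is not code from the original thread, shows the matching logic run over constructed CloudTrail records. It filters on the AssumeRole event name the answer gives and on the developer-full-access role from the question, pulls the caller's name out of userIdentity, and formats the text an SNS email would carry. The account ID, the role-session names and the log records are constructed for the demo; the `event_names` parameter lets the same filter be pointed at AssumeRoleWithSAML, which is an assumption about SSO sign-ins that the thread does not state.

```python
import json
from typing import Iterable, List, Optional

# CloudWatch Logs metric-filter pattern for the answer's first step (constructed:
# the account id is a placeholder, the role name is the one from the question).
METRIC_FILTER_PATTERN = (
    '{ ($.eventName = "AssumeRole") && '
    '($.requestParameters.roleArn = '
    '"arn:aws:iam::123456789012:role/developer-full-access") }'
)

# Constructed CloudTrail records (not real log data) in the documented record layout.
SAMPLE_TRAIL = {"Records": [
    {
        "eventTime": "2023-05-01T09:12:44Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEROLEID00:alice@example.com",
            "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_dev/alice@example.com",
        },
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/developer-full-access",
            "roleSessionName": "alice@example.com",
        },
    },
    {
        "eventTime": "2023-05-01T09:15:02Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSERID00", "userName": "bob"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/read-only",
            "roleSessionName": "bob-cli",
        },
    },
    {
        "eventTime": "2023-05-01T09:15:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeAccountAttributes",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLEID00:alice@example.com"},
        "requestParameters": None,
    },
]}


def load_records(raw: str) -> List[dict]:
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare JSON list of records."""
    obj = json.loads(raw)
    return obj["Records"] if isinstance(obj, dict) else obj


def caller_name(record: dict) -> Optional[str]:
    """Best-effort display name of the caller of an STS event.

    For a SAML/SSO caller userIdentity.type is "SAMLUser" and userName holds the
    federated name; for an assumed-role caller principalId is
    "<role-unique-id>:<session-name>" and the session name is normally the login.
    """
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "SAMLUser":
        return ident.get("userName")
    principal = ident.get("principalId") or ""
    if ":" in principal:
        return principal.split(":", 1)[1]
    return ident.get("userName") or ident.get("arn")


def find_role_assumptions(records: Iterable[dict], role_name: str,
                          event_names=("AssumeRole",)) -> List[dict]:
    """One hit per STS event in event_names whose target role (last ARN segment) is role_name."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com":
            continue
        if rec.get("eventName") not in event_names:
            continue
        params = rec.get("requestParameters") or {}
        role_arn = params.get("roleArn") or ""
        if role_arn.rsplit("/", 1)[-1] != role_name:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "user": caller_name(rec),
            "roleArn": role_arn,
            "sessionName": params.get("roleSessionName"),
            "sourceIp": rec.get("sourceIPAddress"),
        })
    return hits


def notification_text(hits: List[dict]) -> str:
    """Body of the SNS email the answer's last step would deliver."""
    if not hits:
        return "No matching role assumptions."
    return "\n".join(f"{h['time']} {h['user']} assumed {h['roleArn']} from {h['sourceIp']}" for h in hits)


if __name__ == "__main__":
    found = find_role_assumptions(load_records(json.dumps(SAMPLE_TRAIL)), "developer-full-access")
    print(notification_text(found))
```

The metric-filter route gives you an alarm but not the user name in the email; if you need the "which SSO user" part of the requirement in the message itself, the filtering above has to run in a Lambda on the delivered log records (or as an EventBridge target), because a CloudWatch alarm notification carries only the alarm state, not the matched event.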
I configured the user pool to allow both username and email sign-in. On passing the email in as the username during migration, I was able to verify the email and password against an external system and return successfully from the user migration Lambda trigger. However, I received the following exception and the user was not migrated: "Username cannot be of email format since user pool is configured for email alias". This makes no sense to me at all. When I recreated the user pool to only allow sign-in with email, everything works as expected: the user is authenticated and created in the user pool. I'm looking for clarification as to how the user pool should be configured and how to pass in the proper values during sign-in, and specifically how to handle this during a migration event.
The comment by Al-Mustafa Azhari in the following thread seems like it would work as well, but this convention is not in the AWS documentation (not that I can see, anyway): Cognito and Java - Username cannot be of email format since user pool is configured for email alias
AWS Cognito migration lambda docs: Migrate user Lambda trigger - Amazon Cognito
AWS Cognito user pool docs: Migrate user Lambda trigger - Amazon Cognito
If the answer is buried somewhere in the docs, I have yet to find it.
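As an added example (not the poster's code), this is the shape of a user-migration trigger for the UserMigration_Authentication case: it takes the value the user typed at sign-in from `userName`, checks the password against an external store, and fills the documented `userAttributes`, `finalUserStatus` and `messageAction` response fields. The external store is a constructed in-memory dictionary of salted PBKDF2 hashes, the comparison is constant-time, and the handler assumes the pool is configured the way the poster says worked (sign-in with email); it does not by itself change which pool configuration triggers the "Username cannot be of email format" error.

```python
import hashlib
import hmac

_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed stand-in for the external user store the poster verifies against.
# Only salted hashes are kept; the plaintext never exists in the store.
_SALT = b"constructed-static-salt-for-demo"
EXTERNAL_USERS = {
    "bob@example.com": {
        "salt": _SALT,
        "hash": _pbkdf2("correct horse battery", _SALT),
        "name": "Bob",
    },
}


def verify_external(email: str, password: str):
    """Return the external record on success, None on failure.

    The hash is computed even for unknown users so a missing account costs the
    same time as a wrong password, and the digest comparison is constant-time.
    """
    rec = EXTERNAL_USERS.get(email.strip().lower())
    candidate = _pbkdf2(password, rec["salt"] if rec else _SALT)
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return rec


def lambda_handler(event: dict, context=None) -> dict:
    """Cognito user-migration trigger (UserMigration_Authentication only)."""
    if event.get("triggerSource") != "UserMigration_Authentication":
        # UserMigration_ForgotPassword carries no password, so it cannot be
        # verified this way; raising makes Cognito treat the user as unknown.
        raise ValueError("unsupported trigger source")

    email = event["userName"]                    # whatever the user typed at sign-in
    rec = verify_external(email, event["request"]["password"])
    if rec is None:
        raise ValueError("invalid credentials")  # Cognito turns this into a failed sign-in

    event["response"]["userAttributes"] = {
        "email": email.strip().lower(),
        "email_verified": "true",  # verified against the external system, so no re-verification
        "name": rec["name"],
    }
    event["response"]["finalUserStatus"] = "CONFIRMED"  # no forced password change after migration
    event["response"]["messageAction"] = "SUPPRESS"     # no welcome/invitation message
    return event


def make_event(username: str, password: str) -> dict:
    """Constructed trigger event in the documented layout (for local runs)."""
    return {
        "version": "1",
        "triggerSource": "UserMigration_Authentication",
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": username,
        "request": {"password": password},
        "response": {},
    }


if __name__ == "__main__":
    print(lambda_handler(make_event("Bob@example.com", "correct horse battery"))["response"])
```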
I have a use case where multiple AWS accounts send messages to my SQS queue, and I want to uniquely identify who sent what. In the SQS message, I see a Sender Account ID, which is the userId of the IAM user/role who sent the message.
Is there a way I can convert this userId to a userArn so that I can identify which account the message came from? The only API I see is GetUser, but it expects authorization credentials. I don't want to use the userId, as it will increase the operational overhead on my end to figure out the userIds of all the users/role ARNs that have permission to send messages.
If we look at one of the responses of the GetUser API, it looks something like this:
<User>
<UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
<Path>/division_abc/subdivision_xyz/</Path>
<UserName>Bob</UserName>
<Arn>arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob</Arn>
<CreateDate>2013-10-02T17:01:44Z</CreateDate>
<PasswordLastUsed>2014-10-10T14:37:51Z</PasswordLastUsed>
</User>
This userId is a non-human-readable unique identifier present for every user/role. What I want to achieve is the userArn by passing the userId.
This documentation provides info about userId.
On a more theoretical note, if I can't get the userArn from a userId publicly without user credentials, what could be the reasoning behind not providing it?
AWS doesn't really provide details of "who" does things in an AWS account. If a user has sufficient permissions to execute an API call (e.g. SendMessage() to send a message to an SNS queue), it is the AWS account that actually sends the message, not the individual user.
The same goes for objects stored on Amazon S3 (there is no 'user' who owns the object), and Amazon EC2 instances (there is no "owner" of the instance).
The one place where you can identify who does things is in AWS CloudTrail, which provides an audit trail of API calls. It will show each API call, with a timestamp and details of the user who made the request.
In your SQS Message, Sender Account ID is the ID of the AWS Account that was used by the sender. It is not an ID of that particular user (just the AWS Account they used).
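Both the first question on this page (UserName from a Config/SNS message that only carries the IAM user ID) and this one (the ARN behind an SQS SenderId) need the same reverse lookup, and IAM has no API for it: the only way is to list the users and roles you can enumerate and index them by unique ID. The following added example (not code from either thread) does that over a constructed inventory in the shape of `iam.list_users()["Users"]` and `iam.list_roles()["Roles"]`, parses the SenderId formats SQS documents (user unique ID, role unique ID followed by `:session`, or a bare 12-digit account ID), and reports anything it cannot resolve. The role entry, the session name and the assumed `admins`-style inventory contents are constructed; the user entry is the one from the GetUser response above.

```python
import re

# Documented IAM unique-ID prefixes: AIDA = IAM user, AROA = IAM role.
_PREFIX_TYPE = {"AIDA": "user", "AROA": "role"}
_ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed inventory (only the fields used here). A real build pages through
# iam.list_users()/iam.list_roles() with boto3 in every account you can read IAM in,
# assuming a role into each managed account, and refreshes it periodically.
INVENTORY = {
    "users": [
        {"UserId": "AIDACKCEVSQ6C2EXAMPLE", "UserName": "Bob",
         "Arn": "arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob"},
    ],
    "roles": [
        {"RoleId": "AROAEXAMPLEROLEID00", "RoleName": "ci-deploy",
         "Arn": "arn:aws:iam::123456789012:role/ci-deploy"},
    ],
}


def build_index(inventory: dict) -> dict:
    """Map every unique ID to its name and ARN, the direction IAM's own API lacks."""
    index = {}
    for u in inventory.get("users", []):
        index[u["UserId"]] = {"type": "user", "name": u["UserName"], "arn": u["Arn"]}
    for r in inventory.get("roles", []):
        index[r["RoleId"]] = {"type": "role", "name": r["RoleName"], "arn": r["Arn"]}
    return index


def account_from_arn(arn: str) -> str:
    """The account id is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def classify_sender(sender_id: str) -> dict:
    """Parse an SQS SenderId: 'AIDA...' (user), 'AROA...:session' (role session)
    or a 12-digit account id (root credentials)."""
    if _ACCOUNT_ID.match(sender_id):
        return {"type": "account", "unique_id": sender_id, "session": None}
    unique_id, _, session = sender_id.partition(":")
    return {"type": _PREFIX_TYPE.get(unique_id[:4], "unknown"),
            "unique_id": unique_id, "session": session or None}


def resolve(sender_id: str, index: dict) -> dict:
    """Attach name/ARN/account when the unique ID is indexed; otherwise flag it unresolved."""
    info = classify_sender(sender_id)
    hit = index.get(info["unique_id"])
    if hit is None:
        info["resolved"] = False   # sender lives in an account you cannot enumerate
        return info
    info.update(hit)
    info["account"] = account_from_arn(hit["arn"])
    info["resolved"] = True
    return info


def user_name_for_id(user_id: str, index: dict):
    """The lookup the first question asks for: UserName from an IAM user ID."""
    hit = index.get(user_id)
    return hit["name"] if hit and hit["type"] == "user" else None


if __name__ == "__main__":
    idx = build_index(INVENTORY)
    for sid in ("AIDACKCEVSQ6C2EXAMPLE", "AROAEXAMPLEROLEID00:build-42", "123456789012", "AIDAUNKNOWNID000000"):
        print(sid, "->", resolve(sid, idx))
```

To get the SenderId at all you must ask for it when receiving: `sqs.receive_message(QueueUrl=..., AttributeNames=["SenderId"])` returns it under `Attributes["SenderId"]`. An unresolved ID means the sender is in an account whose IAM you cannot list, which is exactly the case where, as the answer says, CloudTrail on the sender's side is the only record of who made the call. If you control the senders, the lower-overhead design is to have each one set a message attribute naming itself and restrict the queue policy to the expected principals, rather than reverse-mapping IDs after the fact.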
AWS Cognito User Pools have some pre-defined events to handle user signup, confirmation, etc. The full list is here.
However, there is no apparent trigger for deleting a user.
So, is there any way one can trigger a Lambda function when a user is deleted from Cognito User Pool (of course, with arguments like username and/or email address)?
If you are using Amazon Cognito Sync:
Amazon Cognito raises the Sync Trigger event when a dataset is synchronized. You can use the Sync Trigger event to take an action when a user is updated or deleted.
Please have a look at the official document below for more information and steps.
Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-events.html
Records updated by the app user will have the 'op' field set as "replace" and the records deleted will have the 'op' field as "remove".
According to the point above from the referenced documentation, the op field lets you identify the operation, so if the value of op is "removed" you can perform the actions your business logic requires.
If you are not using Amazon Cognito Sync:
1. Create user records in a DynamoDB table "user" using the Post Confirmation Lambda trigger.
2. Build your own user listing based on the DynamoDB table "user".
3. Build your own user delete API using a Lambda function and AWS API Gateway.
Your Lambda function should handle deleting the user from Cognito and also the business logic you want to perform.
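Both halves of the answer above, as one added example that is not the answerer's code: a Sync Trigger handler that picks out records whose `op` is "remove" from an event in the layout the linked Cognito Events page shows and hands the event back (Cognito requires the handler to return the event), and a Lambda behind API Gateway for the "own delete API" approach that deletes from Cognito and then from DynamoDB. The delete handler takes its caller from the Cognito authorizer claims API Gateway puts in `requestContext`, never from the request body, and only lets a user delete themselves unless they carry a group claim; the group name `admins`, the dataset contents, the fake clients and the assumption that the REST-API authorizer flattens `cognito:groups` to a comma-separated string are all constructed for the demo.

```python
# Constructed Sync Trigger event in the layout the Cognito Events documentation shows.
SAMPLE_SYNC_EVENT = {
    "version": 2,
    "eventType": "SyncTrigger",
    "region": "us-east-1",
    "identityPoolId": "us-east-1:0a1b2c3d-0000-4000-8000-000000000001",
    "identityId": "us-east-1:0a1b2c3d-0000-4000-8000-000000000002",
    "datasetName": "profile",
    "datasetRecords": {
        "email": {"oldValue": "bob@example.com", "newValue": None, "op": "remove"},
        "theme": {"oldValue": "light", "newValue": "dark", "op": "replace"},
    },
}

REMOVALS = []  # what on_record_removed saw; stand-in for real business logic


def removed_keys(event: dict) -> list:
    """Record keys the app user deleted in this sync (op == "remove")."""
    records = event.get("datasetRecords") or {}
    return sorted(k for k, rec in records.items() if rec.get("op") == "remove")


def on_record_removed(identity_id: str, dataset: str, key: str) -> None:
    REMOVALS.append((identity_id, dataset, key))


def sync_trigger_handler(event: dict, context=None) -> dict:
    """Cognito Sync trigger: react to removals, then return the event unchanged.
    Cognito expects the (possibly modified) event back; returning anything else fails the sync."""
    if event.get("eventType") != "SyncTrigger":
        return event
    for key in removed_keys(event):
        on_record_removed(event["identityId"], event["datasetName"], key)
    return event


class FakeCognito:
    """Constructed stand-in for a boto3 cognito-idp client; records admin_delete_user calls."""
    def __init__(self):
        self.deleted = []

    def admin_delete_user(self, UserPoolId, Username):
        self.deleted.append((UserPoolId, Username))


class FakeTable:
    """Constructed stand-in for a boto3 DynamoDB Table resource."""
    def __init__(self):
        self.deleted = []

    def delete_item(self, Key):
        self.deleted.append(Key)


def _groups(claims: dict) -> list:
    raw = claims.get("cognito:groups") or []
    # Assumption: the REST-API Cognito authorizer flattens the group list to "a,b".
    return raw if isinstance(raw, list) else [g for g in raw.split(",") if g]


def delete_user_request(event: dict, cognito, table, user_pool_id: str) -> dict:
    """API Gateway proxy handler for the answer's 'own delete API' step."""
    claims = ((event.get("requestContext") or {}).get("authorizer") or {}).get("claims") or {}
    caller = claims.get("cognito:username")
    target = (event.get("pathParameters") or {}).get("username")
    if not caller or not target:
        return {"statusCode": 401, "body": "unauthenticated"}
    if target != caller and "admins" not in _groups(claims):
        return {"statusCode": 403, "body": "forbidden"}
    # Cognito first: if it fails, the DynamoDB row stays and the two stores still agree.
    cognito.admin_delete_user(UserPoolId=user_pool_id, Username=target)
    table.delete_item(Key={"username": target})
    return {"statusCode": 204, "body": ""}


def make_delete_event(caller: str, groups: list, target: str) -> dict:
    """Constructed proxy event as API Gateway would build it after a Cognito authorizer ran."""
    return {
        "pathParameters": {"username": target},
        "requestContext": {"authorizer": {"claims": {
            "cognito:username": caller, "cognito:groups": ",".join(groups)}}},
    }


if __name__ == "__main__":
    print(removed_keys(sync_trigger_handler(dict(SAMPLE_SYNC_EVENT))), REMOVALS)
    c, t = FakeCognito(), FakeTable()
    print(delete_user_request(make_delete_event("bob", [], "alice"), c, t, "us-east-1_EXAMPLE"))
```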
I'm trying to associate my users' Cognito identities with the SNS endpoints they create when registering for push notifications. I've created a Lambda function connected to the SNS application's EndpointAdded topic. It is fired whenever an endpoint is created, but it does not include any information I can see that I could use to associate the endpoint with a user.
I see many examples where people add the user ID as custom user data, but this allows any user to sign up for any other user's notifications. Is there a more secure way to make this association?
If you front endpoint registration with Lambda or API Gateway and use SigV4 credentials vended by Cognito to make the call, the context passed in will contain the Cognito identity ID extracted from the credentials that made the call. This ensures the identity ID you associate with the endpoint hasn't been tampered with.
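The answer's design, as an added example (not the answerer's code): a Lambda behind an API Gateway REST method with AWS_IAM authorization reads the Cognito identity ID from `requestContext.identity.cognitoIdentityId`, which API Gateway fills from the SigV4 signature, and stores that as the endpoint's CustomUserData. Any user ID the client puts in the body is deliberately ignored, which is what closes the hole in the "client supplies its own user ID" examples the question mentions. The SNS client is a constructed fake that records the call; the platform application ARN, identity IDs and device tokens are placeholders.

```python
import json


class FakeSNS:
    """Constructed stand-in for the boto3 SNS client: records the call and returns an ARN."""
    def __init__(self):
        self.calls = []

    def create_platform_endpoint(self, PlatformApplicationArn, Token, CustomUserData):
        self.calls.append({"PlatformApplicationArn": PlatformApplicationArn,
                           "Token": Token, "CustomUserData": CustomUserData})
        return {"EndpointArn": f"{PlatformApplicationArn}/endpoint-{len(self.calls)}"}


def _resp(status: int, payload: dict) -> dict:
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def register_endpoint(event: dict, sns, platform_application_arn: str) -> dict:
    """API Gateway (REST, AWS_IAM auth) proxy handler that registers a push token.

    The identity comes only from requestContext.identity, which API Gateway derives
    from the signing credentials, so the caller cannot choose whose endpoint this is.
    """
    identity = (event.get("requestContext") or {}).get("identity") or {}
    cognito_id = identity.get("cognitoIdentityId")
    if not cognito_id:
        return _resp(403, {"error": "request must be signed with Cognito-vended credentials"})
    try:
        body = json.loads(event.get("body") or "{}")
    except ValueError:
        return _resp(400, {"error": "body is not JSON"})
    token = body.get("deviceToken")
    if not isinstance(token, str) or not token:
        return _resp(400, {"error": "deviceToken required"})
    # Anything the client claims about who it is (e.g. a "userId" field) is ignored on purpose.
    result = sns.create_platform_endpoint(
        PlatformApplicationArn=platform_application_arn,
        Token=token,
        CustomUserData=cognito_id,
    )
    return _resp(200, {"endpointArn": result["EndpointArn"], "owner": cognito_id})


def make_event(body: dict, cognito_identity_id=None) -> dict:
    """Constructed API Gateway proxy event; identity is None when the call was not SigV4-signed."""
    return {"body": json.dumps(body),
            "requestContext": {"identity": {"cognitoIdentityId": cognito_identity_id}}}


APP_ARN = "arn:aws:sns:us-east-1:123456789012:app/GCM/demo-app"  # placeholder

if __name__ == "__main__":
    sns = FakeSNS()
    print(register_endpoint(make_event({"deviceToken": "tok-1", "userId": "victim"},
                                       "us-east-1:0a1b2c3d-0000-4000-8000-000000000007"), sns, APP_ARN))
    print(sns.calls)
```

Keep the existing EndpointAdded subscriber if you like, but it is then only a notification that a registration happened; the owner mapping is fixed at creation time by this handler, and the client-side code should call this API with the Cognito-vended credentials rather than calling SNS directly.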