Audit User Actions Using CloudTrail - Part 2
By David Xiao
Overview
When auditing system events or investigating what happened, it is imperative to identify the IAM principal behind each action, so that traceability and a timeline can be established.
In the context of AWS CloudTrail, this means looking up the events pertaining to the IAM principal and actions in question, and then looking for useful information inside those events.
When a user assumes a role cross-account in a multi-account environment, it can be done in two ways: either programmatically or via the AWS Management Console.
Since each way generates different CloudTrail events, I will discuss the two cases with an example each.
Assume Role Programmatically Cross-Account
Assume Role via AWS Console Cross-Account
A typical investigation flow that involves a cross-account AssumeRole goes like this:
- Step 1: Identify an event in CloudTrail that needs investigation
- Step 2: Identify the closest AssumeRole event that happens before the event in question
- Step 3: Locate the closest SwitchRole event that happens at the same time as the AssumeRole. If found, it indicates the user session was established via the AWS Console
- Step 4: If you have access to the Identity Account, locate the AssumeRole event
In the following example, we investigate a "suspicious" CreateUser event.
Identity Account: 203016562928
IAM username: bob@example.com
Role Account: 776613361644
Role Name: assume-admin-role-example
CreateUser
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAJBP4A5WSXVNY72RLE:bob@example.com",
"arn": "arn:aws:sts::776613361644:assumed-role/assume-admin-role-example/bob@example.com",
"accountId": "776613361644",
"accessKeyId": "ASIA3JUODO7W6YEVI655",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAJBP4A5WSXVNY72RLE",
"arn": "arn:aws:iam::776613361644:role/assume-admin-role-example",
"accountId": "776613361644",
"userName": "assume-admin-role-example"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2020-09-17T19:04:10Z"
}
}
},
"eventTime": "2020-09-17T19:05:08Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateUser",
"awsRegion": "us-east-1",
"sourceIPAddress": "75.15.154.15",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"userName": "test-no-permission",
"tags": []
},
"responseElements": {
"user": {
"path": "/",
"userName": "test-no-permission",
"userId": "AIDA3JUODO7W7VCWFDJMM",
"arn": "arn:aws:iam::776613361644:user/test-no-permission",
"createDate": "Sep 17, 2020 7:05:08 PM"
}
},
"requestID": "cc58c060-fe96-4678-b0bf-b888f12bf008",
"eventID": "38d0221b-61e0-47d6-9c45-7eb2dc55125b",
"eventType": "AwsApiCall",
"recipientAccountId": "776613361644"
}
AssumeRole
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AWSAccount",
"principalId": "AIDAS6RF25DXSM2CA5KAD",
"accountId": "203016562928"
},
"eventTime": "2020-09-17T19:04:10Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"roleArn": "arn:aws:iam::776613361644:role/assume-admin-role-example",
"roleSessionName": "bob@example.com"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIA3JUODO7WTIO2PI64",
"expiration": "Sep 17, 2020 8:04:10 PM",
"sessionToken": "<session token redacted>"
},
"assumedRoleUser": {
"assumedRoleId": "AROAJBP4A5WSXVNY72RLE:bob@example.com",
"arn": "arn:aws:sts::776613361644:assumed-role/assume-admin-role-example/bob@example.com"
}
},
"requestID": "fdbb008c-63ce-4207-8171-b041d6f38672",
"eventID": "40b4d219-0448-436f-9420-cdd3dc654b44",
"resources": [
{
"accountId": "776613361644",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::776613361644:role/assume-admin-role-example"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "776613361644",
"sharedEventID": "19ee34b2-52bd-4dfa-8c8e-cf68344062a6"
}
SwitchRole
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAJBP4A5WSXVNY72RLE:bob@example.com",
"arn": "arn:aws:sts::776613361644:assumed-role/assume-admin-role-example/bob@example.com",
"accountId": "776613361644"
},
"eventTime": "2020-09-17T19:04:10Z",
"eventSource": "signin.amazonaws.com",
"eventName": "SwitchRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "75.15.154.15",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
"requestParameters": null,
"responseElements": {
"SwitchRole": "Success"
},
"additionalEventData": {
"SwitchFrom": "arn:aws:iam::203016562928:user/bob@example.com",
"RedirectTo": "https://console.aws.amazon.com/console/home"
},
"eventID": "70627092-0c9c-4163-9975-42ffcc50a37a",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "776613361644"
}
In the source (Identity) account, look up the AssumeRole event from around the same time that carries the same "sharedEventID":
AssumeRole
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAS6RF25DXSM2CA5KAD",
"arn": "arn:aws:iam::203016562928:user/bob@example.com",
"accountId": "203016562928",
"accessKeyId": "ASIAS6RF25DXQR3PH2AX",
"userName": "bob@example.com",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2020-09-17T13:58:45Z"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2020-09-17T19:04:10Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"roleArn": "arn:aws:iam::776613361644:role/assume-admin-role-example",
"roleSessionName": "bob@example.com"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIA3JUODO7WTIO2PI64",
"expiration": "Sep 17, 2020 8:04:10 PM",
"sessionToken": "<session token redacted>"
},
"assumedRoleUser": {
"assumedRoleId": "AROAJBP4A5WSXVNY72RLE:bob@example.com",
"arn": "arn:aws:sts::776613361644:assumed-role/assume-admin-role-example/bob@example.com"
}
},
"requestID": "fdbb008c-63ce-4207-8171-b041d6f38672",
"eventID": "14fb06e3-5649-4fc3-a274-226ba85c8be6",
"resources": [
{
"accountId": "776613361644",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::776613361644:role/assume-admin-role-example"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "203016562928",
"sharedEventID": "19ee34b2-52bd-4dfa-8c8e-cf68344062a6"
}
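The four-step flow above, including the sharedEventID lookup in the Identity Account, can be automated over exported CloudTrail records. The following Python is an added example and not code from the original post: it walks steps 2 to 4 for one suspicious event over constructed, trimmed copies of the four events shown in this post (only the fields the correlation needs are kept; the ARNs, IDs and timestamps are the ones the post shows). The function names and the shape of the result dict are assumptions of this example.

```python
"""Trace a CloudTrail event made with an assumed role back to the IAM user.

Added example, not code from the original post. The sample events are
constructed, trimmed copies of the four events shown in the post.
"""
from datetime import datetime, timezone

ROLE = "arn:aws:iam::776613361644:role/assume-admin-role-example"
SESSION = "arn:aws:sts::776613361644:assumed-role/assume-admin-role-example/bob@example.com"
USER = "arn:aws:iam::203016562928:user/bob@example.com"
SHARED = "19ee34b2-52bd-4dfa-8c8e-cf68344062a6"

# Constructed sample: events as recorded in the Role Account (776613361644).
ROLE_ACCOUNT_EVENTS = [
    {"eventTime": "2020-09-17T19:05:08Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventID": "38d0221b-61e0-47d6-9c45-7eb2dc55125b",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION,
                      "sessionContext": {"sessionIssuer": {"arn": ROLE},
                                         "attributes": {"creationDate": "2020-09-17T19:04:10Z"}}}},
    # The Role Account's AssumeRole record names only the calling account
    # (type AWSAccount), not the user; roleSessionName is chosen by the caller.
    {"eventTime": "2020-09-17T19:04:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "eventID": "40b4d219-0448-436f-9420-cdd3dc654b44",
     "sharedEventID": SHARED,
     "userIdentity": {"type": "AWSAccount", "principalId": "AIDAS6RF25DXSM2CA5KAD",
                      "accountId": "203016562928"},
     "requestParameters": {"roleArn": ROLE, "roleSessionName": "bob@example.com"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION}}},
    {"eventTime": "2020-09-17T19:04:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "SwitchRole", "eventID": "70627092-0c9c-4163-9975-42ffcc50a37a",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION},
     "additionalEventData": {"SwitchFrom": USER}},
]
# Constructed sample: the same call as recorded in the Identity Account (203016562928).
IDENTITY_ACCOUNT_EVENTS = [
    {"eventTime": "2020-09-17T19:04:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "eventID": "14fb06e3-5649-4fc3-a274-226ba85c8be6",
     "sharedEventID": SHARED,
     "userIdentity": {"type": "IAMUser", "arn": USER, "userName": "bob@example.com"}},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_session_assume_role(events, suspicious):
    """Step 2: the AssumeRole that minted the session the suspicious event used.
    sessionContext.attributes.creationDate equals that AssumeRole's eventTime, so
    an exact match is preferred; otherwise take the closest one at or before."""
    ident = suspicious["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None
    created = ident.get("sessionContext", {}).get("attributes", {}).get("creationDate")
    when = parse_time(suspicious["eventTime"])
    candidates = [
        e for e in events
        if e["eventName"] == "AssumeRole"
        and e.get("responseElements", {}).get("assumedRoleUser", {}).get("arn") == ident["arn"]
        and parse_time(e["eventTime"]) <= when
    ]
    exact = [e for e in candidates if e["eventTime"] == created]
    if exact:
        return exact[0]
    return max(candidates, key=lambda e: parse_time(e["eventTime"]), default=None)

def find_switch_role(events, assume_role):
    """Step 3: a signin SwitchRole for the same session at the same instant
    means the session was established through the AWS Console."""
    session_arn = assume_role["responseElements"]["assumedRoleUser"]["arn"]
    for e in events:
        if (e["eventName"] == "SwitchRole" and e["eventSource"] == "signin.amazonaws.com"
                and e["userIdentity"].get("arn") == session_arn
                and e["eventTime"] == assume_role["eventTime"]):
            return e
    return None

def find_origin_assume_role(identity_events, assume_role):
    """Step 4: the Identity Account's copy of the call shares sharedEventID
    and, unlike the Role Account's copy, names the IAM user."""
    shared = assume_role.get("sharedEventID")
    for e in identity_events:
        if shared and e["eventName"] == "AssumeRole" and e.get("sharedEventID") == shared:
            return e
    return None

def trace_event(suspicious, role_events, identity_events):
    """Run steps 2-4 for one event and report what could be established."""
    result = {"eventID": suspicious["eventID"], "assume_role_event_id": None,
              "source_account": None, "via_console": False, "switch_from": None,
              "origin_user_arn": None}
    assume_role = find_session_assume_role(role_events, suspicious)
    if assume_role is None:
        return result  # no session origin found: cannot attribute beyond the role
    result["assume_role_event_id"] = assume_role["eventID"]
    result["source_account"] = assume_role["userIdentity"].get("accountId")
    switch = find_switch_role(role_events, assume_role)
    if switch:
        result["via_console"] = True
        result["switch_from"] = switch["additionalEventData"]["SwitchFrom"]
    origin = find_origin_assume_role(identity_events, assume_role)
    if origin:
        result["origin_user_arn"] = origin["userIdentity"]["arn"]
    return result

if __name__ == "__main__":
    print(trace_event(ROLE_ACCOUNT_EVENTS[0], ROLE_ACCOUNT_EVENTS, IDENTITY_ACCOUNT_EVENTS))
```

Two design points matter for an investigation: the Role Account's own AssumeRole record identifies only the source account, and roleSessionName is supplied by the caller, so the user name is only trustworthy when it comes from the SwitchRole event's SwitchFrom or from the Identity Account's record with the matching sharedEventID. When neither is available, the result honestly stops at the role and source account rather than guessing.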