Why doesn't IAM show user principal IDs nor allow for searching?

Question

From GuardDuty we get notifications about modifications to S3 buckets in the format

```
{"Records":[{"eventVersion":"2.1","eventSource":"aws:s3","awsRegion":"ap-southeast-1","eventTime":"DATETIME","eventName":"ObjectCreated:Put","userIdentity":{"principalId":"AWS:21CHARACTER"},"requestParameters":{"sourceIPAddress":"1.2.3.4"},"responseElements":{"x-amz-request-id":"X-AMZ-REQUEST-ID","x-amz-id-2":"X-AMZ-ID-2"},"s3":{"s3SchemaVersion":"1.0","configurationId":"CONFIGURATIONID","bucket":{"name":"BUCKETNAME","ownerIdentity":{"principalId":"14CHARACTER"},"arn":"arn:aws:s3:::BUCKETNAME"},"object":{"key":"FILE.NAME","size":1234,"eTag":"ETAG","sequencer":"SEQUENCER"}}}]}
```

1. Why doesn't it report the user ARN?
2. Why does IAM *not* show each user's (21-character) principal ID?
3. Why does IAM *not* make principal ID searchable?
4. Why does AWS CLI iam get-user *not* implement get by principal ID?
5. Why does it have to be iam list-users to pull *every* user to manually check?

Answer

There have been security findings that have indicated that the AWS account ID is sensitive.  It therefore imperative, from a security standpoint, that the account ID be protected.  Most of the things that you appear to desire would expose the account ID.

Why doesn't IAM show user principal IDs nor allow for searching?

Relevanter Inhalt