Hi. We had exactly the same question and the response we received from AWS support was that CloudTrail tracks API calls but generate-db-auth-token works locally and does not make any API calls, so CloudTrail can't track it. Apparently this capability is on the backlog of feature requests but no ETA at present.
While the generation of a token (essentially pre-signing a URL) is purely client side, the verification of the token that happens inside the RDS service is not. Logging the generation of the token does not really make sense while logging the actual authentications with it does. The rdsauthproxy running in PostgreSQL instances (or the PAM module calling it), for example, could and should log (send to CloudTrail?) the public part of the attributes from the token (database, host, db user and the access key).
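
As an added illustration (not part of either answer above, and not AWS code), the sketch below pulls the non-secret fields out of an RDS IAM auth token so a client-side wrapper or connection proxy could write them to its own audit log. It assumes the token is the usual scheme-less SigV4 presigned URL with `Action=connect`, `DBUser` and `X-Amz-*` query parameters; the function names and the sample token are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample token: placeholder host, key id and signature, not real values.
SAMPLE_TOKEN = (
    "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com:5432/"
    "?Action=connect&DBUser=app_user"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEEXAMPLE00%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)


def _single(query: dict, name: str) -> str:
    """Return the only value of a query parameter, rejecting missing or repeated ones."""
    values = query.get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name} parameter")
    return values[0]


def token_audit_fields(token: str) -> dict:
    """Extract the loggable (non-secret) attributes of an RDS IAM auth token."""
    # The token carries no scheme; add one so urlsplit can separate host and port.
    parts = urlsplit("https://" + token)
    query = parse_qs(parts.query, strict_parsing=True)
    if _single(query, "Action") != "connect":
        raise ValueError("not an RDS connect token")
    # Credential scope: <access key id>/<date>/<region>/rds-db/aws4_request
    scope = _single(query, "X-Amz-Credential").split("/")
    if len(scope) != 5 or scope[3:] != ["rds-db", "aws4_request"]:
        raise ValueError("unexpected credential scope")
    # X-Amz-Signature (and any session token value) is deliberately left out.
    return {
        "host": parts.hostname,
        "port": parts.port,
        "db_user": _single(query, "DBUser"),
        "access_key_id": scope[0],
        "region": scope[2],
        "signed_at": _single(query, "X-Amz-Date"),
        "expires_seconds": int(_single(query, "X-Amz-Expires")),
        "temporary_credentials": "X-Amz-Security-Token" in query,
    }
```

The access key ID in the result can be matched against CloudTrail's STS and IAM events to identify the principal behind a database login, which is the correlation CloudTrail itself does not provide for token generation.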