How can I monitor the account activity of specific IAM users, roles, and AWS access keys?

I want to view and monitor the account activity of specific AWS Identity and Access Management (IAM) identities.

Short description

To view and monitor the account activity of specific IAM identities, you can use any of the following AWS services and features:

• IAM Access Advisor
• AWS CloudTrail event history
• Amazon CloudWatch log groups
• Amazon Athena queries

Resolution

Use IAM Access Advisor

IAM Access Advisor shows which AWS services that IAM groups, users, roles, or policies can access and when those services were last accessed. To view last accessed information for IAM on the Access Advisor tab in the IAM console, see Viewing last accessed information for IAM.

For a list of the AWS Services for which IAM action last accessed information, see IAM action last accessed information services and actions.

Use CloudTrail event history

Note: You can use CloudTrail to search event history for the past 90 days of events.

1. Open the CloudTrail console, and then in the navigation pane choose Event history.
2. In Lookup attributes, select the dropdown list, and then choose User name.
   Note: You can also filter by AWS access key.
3. In the Enter a user name text box, enter the IAM user's "friendly name" or the assumed role session name.
   Note: The role session name for a specific session is the value provided as a session name when the role is assumed.
4. In Filter by data and time, enter the desired time range. Then, choose Apply.
5. In Event name, choose the event name type to view the Event record.

The CloudTrail event record contains fields that help you determine what requested actions occurred and when and where the requests were made. The userIdentity element contains details about the type of IAM identity that made the request and the credentials provided.

Note: If you don't see user activity, then verify that the AWS service is supported and the API event is recorded by CloudTrail. For more information, see AWS service topics for CloudTrail.

Example userIdentity element that includes IAM user credentials used to make an API call

Note: Replace Alice with the username that you want to search for. Enter the IAM user's "friendly name" or the assumed role's "role session name." The role session name for a specific session is the value provided as a session name when the role is assumed. For API calls made by the IAM role, the value for the userName field isn't the role name.

"userIdentity": {  "type": "IAMUser",
  "principalId": "AIDAJ45Q7YFFAREXAMPLE",
  "arn": "arn:aws:iam::123456789012:user/Alice",
  "accountId": "123456789012",
  "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "userName": "Alice"
}

Example userIdentity element that includes temporary security credentials

"userIdentity": {    "type": "AssumedRole",
    "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
    "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/AssumedRoleSessionName", 
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "20131102T010628Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIDPPEZS35WEXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
        "accountId": "123456789012",
        "userName": "RoleToBeAssumed"
      }
   }
}

Note: CloudTrail event history uses the assumed role session name as the username for filtered events.

The API call uses temporary security credentials obtained by assuming an IAM role. The element contains additional details about the role assumed to get credentials.

Use CloudWatch log groups

Note: You can use CloudWatch log groups to search API history beyond the last 90 days. You must have a trail created and configured to log to Amazon CloudWatch log groups. For more information, see Creating a trail with the CloudTrail console.

1. Open the CloudWatch console.
2. In the navigation pane, expand Logs, and then choose Log groups.
3. In Log Group, choose your log group.
4. From the log groups page, choose Search Log Group.
5. In Filter events, enter a query to either search for a user's API calls, or specific API actions. Then, choose the refresh icon.
6. In the log group search output, expand Timestamp to view the API call result details.

Example query to search logs for a user's API calls

Note: Replace Alice with the username for your search query. Enter the IAM user's "friendly name" or the assumed role's "role session name." The role session name for a specific session is the value provided as a session name when the role is assumed. For API calls made by the IAM role, the value for the userName field isn't the role name.

{ $.userIdentity.userName = "Alice" }

Example query to search logs for specific API actions

The following example query searches for the DescribeInstances API action:

{ ($.eventName = "DescribeInstances") && ($.userIdentity.userName = "Alice" ) }

Note: You can also analyze log data with CloudWatch Logs Insights. For more information, see How can I retrieve and then analyze my CloudTrail Logs with CloudWatch Logs Insights?

Use Athena queries

Note: You can use Athena to query CloudTrail logs over the past 90 days. You can also find data events which you can't view in CloudTrail event history.

1. Open the Athena console.
2. In the navigation pane, choose Query Editor.
3. Enter one of the following example queries based on your use case, and then choose Run.

Example query to return all CloudTrail events performed by a specific IAM user

Note: Replace athena-table with your Athena table name. Replace Alice with the IAM user "friendly name" that you want to view account activity for.

SELECT *
FROM athena-table
WHERE useridentity.type = 'IAMUser'
AND useridentity.username LIKE 'Alice';

Example query to filter all the API activity performed by an IAM role

Note: Replace role-name with your IAM role name.

SELECT *
FROM athena-table
WHERE useridentity.sessionContext.sessionissuer.arn LIKE '%role-name%'
AND useridentity.sessionContext.sessionissuer.type = 'Role';

Example query to match the role ARN

SELECT *
FROM athena-table
WHERE useridentity.sessionContext.sessionissuer.arn = 'arn:aws:iam::account-id123456789:role/role-name'
AND useridentity.sessionContext.sessionissuer.type = 'Role';

Example query to use the IAM access key ID to filter for all activity

Note: Replace AKIAIOSFODNN7EXAMPLE with your access key ID.

SELECT eventTime, eventName, userIdentity.principalId,eventSource
FROM athena-table
WHERE useridentity.accesskeyid like 'AKIAIOSFODNN7EXAMPLE'

Related information

How do I use AWS CloudTrail to track API calls to my Amazon EC2 instances?

How do I use CloudTrail to see if a security group or resource was changed in my AWS account?