Auditing AWS events/logs to find when LucidScale makes connection


I want to find out how we can audit AWS events/logs to see when LucidScale (a third-party application) makes a connection. I already looked into AWS CloudTrail and CloudWatch, but I didn't find anything there.
Here is the link that shows how I imported AWS data into LucidScale for diagramming purposes:
https://lucidscale.zendesk.com/hc/en-us/articles/4407993351188#import-aws-accounts-and-create-models-via-cross-account-role
(Import AWS Accounts and Create Models via Cross-Account Role)

Thanks for your help.

1 answer

Accepted answer

You're on the right track. Any time a role is assumed, the API call is stored in CloudTrail. Try looking back in CloudTrail for any events named AssumeRole. If you have multiple users/accounts assuming multiple roles throughout the day, you may have to dig through a few events to find the one(s) from LucidScale. I've pasted an example CloudTrail log below of a user named 'jsmith' assuming a role so you can see sort of what you're looking for and what information is included.

{
     "version": "0",
     "id": "c204c067-a376-47a8-a760-f0bf97b89aae",
     "detail-type": "AWS API Call via CloudTrail",
     "source": "aws.sts",
     "account": "1111111111111",
     "time": "2016-04-05T20:39:37Z",
     "region": "us-east-1",
     "resources": [],
     "detail": {
         "eventVersion": "1.04",
         "userIdentity": {
             "type": "IAMUser",
             "principalId": "AIDAIDVUOOO7V6R6HKL6E",
             "arn": "arn:aws:iam::1111111111111:user/jsmith",
             "accountId": "1111111111111",
             "accessKeyId": "AKIAJ2DZP3QVQ3D6VJBQ",
             "userName": "jsmith"
         },
         "eventTime": "2016-04-05T20:39:37Z",
         "eventSource": "sts.amazonaws.com",
         "eventName": "AssumeRole",
         "awsRegion": "global",
         "sourceIPAddress": "72.21.196.66"
     }
 }

Once you have this information, you can use EventBridge to create a rule to send an alert to an SNS topic any time that role is assumed. More info here. The rule would look something like this, assuming that the account Lucid is assuming the role with is 111111111111:

{
  "source": ["aws.sts"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["sts.amazonaws.com"],
    "eventName": ["AssumeRole"],
    "userIdentity": {
      "accountId": ["1111111111111"]
    }
  }
}

Using this method, you can get an email, text, or even Slack notification any time the role is assumed. One thing to note is that CloudTrail is not real time, so when you receive the alert there could have been up to a 15 minute delay since the role was actually assumed. Hope this helps!

AWSJoe
answered 2 years ago
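As an added example (not code from the answer above or from AWS), the following Python applies both steps of the answer to constructed CloudTrail records: it picks out the AssumeRole calls made from a given caller account, and it checks the EventBridge rule pattern against an event the way a rule would, using a minimal matcher that only covers exact values and nested objects. The account IDs, role name, session name and IP addresses are constructed placeholders.

```python
# Constructed sample (not from a real trail) of two CloudTrail records: an
# AssumeRole call by an external account and an unrelated in-account API call.
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-01T10:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/LucidScaleRole",
                           "roleSessionName": "lucidscale-import"}},
    {"eventTime": "2023-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "userName": "jsmith"}},
]

def assume_role_events(records, caller_account):
    """(time, role ARN, session name, source IP) of each AssumeRole by caller_account."""
    hits = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRole":
            continue
        if r.get("userIdentity", {}).get("accountId") != caller_account:
            continue  # AssumeRole made from some other account
        p = r.get("requestParameters", {})
        hits.append((r["eventTime"], p.get("roleArn"), p.get("roleSessionName"),
                     r.get("sourceIPAddress")))
    return hits

def pattern_matches(pattern, event):
    """Minimal EventBridge-style matcher: every pattern key must be present; a
    list means "one of these values", a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

# Rule pattern: AssumeRole arrives under source aws.sts; the caller's account is in detail.userIdentity.accountId.
ASSUME_ROLE_RULE = {
    "source": ["aws.sts"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["sts.amazonaws.com"], "eventName": ["AssumeRole"],
               "userIdentity": {"accountId": ["111111111111"]}},
}

def eventbridge_envelope(record):
    """Wrap a CloudTrail record the way EventBridge presents it to a rule."""
    return {"source": "aws." + record["eventSource"].split(".")[0],
            "detail-type": "AWS API Call via CloudTrail", "detail": record}
```

The same filter can be run over records exported from CloudTrail to S3, or over the output of `aws cloudtrail lookup-events` restricted to the AssumeRole event name, to find the exact session that the third party used.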
