Is there a way to create an EventBridge rule that extracts a log of any AssumedRole event and any ARN which assumes the role?


I tried two solutions, but they do not work:

1. an ARN with the wildcard:

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "userIdentity": {
      "type": ["AssumedRole"],
      "arn": ["arn:aws:sts::1234567890:assumed-role/Role1/*"]
    },
    "eventName": ["SwitchRole"]
  }
}
```

2. and the prefix, but it doesn't work either:

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "userIdentity": {
      "type": ["AssumedRole"],
      "arn": [{
        "prefix": "arn:aws:sts::1234567890:assumed-role/Role1/"
      }]
    },
    "eventName": ["SwitchRole"]
  }
}
```

It only works with a specific ARN with a username known in advance, like this:

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "userIdentity": {
      "type": ["AssumedRole"],
      "arn": ["arn:aws:sts::1234567890:assumed-role/Role1/banza.caleb"]
    },
    "eventName": ["SwitchRole"]
  }
}
```

Does anyone have a solution, please?

1 Answer

Since you're using AWS CloudTrail as the source of your AWS EventBridge rule, you must verify in AWS CloudTrail how the event is being registered.

In AWS CloudTrail the event you're trying to use is registered as 'AssumeRole', not 'AssumedRole'.

Here is the documentation link on how to view your event history in AWS CloudTrail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html

AWS
vtjean
answered a year ago
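Since the three patterns in the question differ only in how the `arn` value is matched, it helps to see the matching rules side by side. The script below is an added example, not code from the question, the answer or AWS: it is a small offline approximation of EventBridge's documented content-filter semantics (a bare string in a rule list is an exact match, so a literal `*` is just a character; `{"prefix": ...}` matches a leading substring; `{"wildcard": ...}` treats `*` as a glob) and runs the asker's three patterns, plus a fourth using the `wildcard` matcher, over constructed sign-in events. The account ID, role name and session names are the ones from the question; the events themselves are fabricated here and are not real CloudTrail records.

```python
"""Offline approximation of EventBridge event-pattern matching (added example).

Implements only the matchers relevant to the question: exact string,
{"prefix": ...} and {"wildcard": ...}. It is not the EventBridge engine.
"""
import json
import re


def _wildcard(pat: str, value: str) -> bool:
    """EventBridge-style wildcard: only '*' is special, everything else literal."""
    regex = ".*".join(re.escape(part) for part in pat.split("*"))
    return re.fullmatch(regex, value) is not None


def _match_leaf(rule_values: list, value) -> bool:
    """A leaf rule is a list; the event value must satisfy at least one entry."""
    for rv in rule_values:
        if isinstance(rv, dict):
            if "prefix" in rv and isinstance(value, str) and value.startswith(rv["prefix"]):
                return True
            if "wildcard" in rv and isinstance(value, str) and _wildcard(rv["wildcard"], value):
                return True
        elif rv == value:  # bare strings are compared exactly; a '*' is not a wildcard here
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must be present in the event and match (AND semantics)."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _match_leaf(rule, event[key]):
            return False
    return True


# Constructed sample events (not real CloudTrail records); only the fields
# the patterns look at are included.
def make_event(identity_type: str, arn: str) -> dict:
    return {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {
            "eventName": "SwitchRole",
            "userIdentity": {"type": identity_type, "arn": arn},
        },
    }


BASE = "arn:aws:sts::1234567890:assumed-role/Role1/"
EVENTS = {
    "caleb": make_event("AssumedRole", BASE + "banza.caleb"),
    "other": make_event("AssumedRole", BASE + "another.user"),
    "iam_user": make_event("IAMUser", "arn:aws:iam::1234567890:user/banza.caleb"),
}


def pattern(arn_rule) -> dict:
    """The asker's rule shape, parameterised on how the ARN is matched."""
    return {
        "source": ["aws.signin"],
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {
            "userIdentity": {"type": ["AssumedRole"], "arn": [arn_rule]},
            "eventName": ["SwitchRole"],
        },
    }


PATTERNS = {
    "literal_star": pattern(BASE + "*"),                 # attempt 1 from the question
    "prefix": pattern({"prefix": BASE}),                 # attempt 2 from the question
    "exact": pattern(BASE + "banza.caleb"),              # the one the asker says works
    "wildcard": pattern({"wildcard": BASE + "*"}),       # EventBridge's wildcard matcher
}


def evaluate() -> dict:
    """Map each pattern name to the sorted names of the sample events it matches."""
    return {
        name: sorted(ev_name for ev_name, ev in EVENTS.items() if matches(pat, ev))
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(), indent=2))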
