What is the suggested method to track user's actions after assuming a cross-account role

2

I need to be able to guarantee that a user's actions can always be traced back to their account regardless of which role they have assumed in another account. What methods are required to guarantee this for?

  • Assuming a cross-account role in the console
  • Assuming a cross-account role via the cli

I have run tests and can see that when a user assumes a role in the CLI, temporary credentials are generated. These credentials are seen in CloudTrail logs under responseElements.credentials for the assumeRole event. All future events generated by actions taken in the session include the accessKeyId and I can therefore track all of the actions in this case.

Using the web console, the same assumeRole event is generated, also including an accessKeyId. Unfortunately, future actions taken by the user don't include the same accessKeyId. At some point a different access key is generated and the session makes use of this new key. I can't find any way to link the two and therefore am not sure of how to attribute actions taken by the role to the user that assumed the role.

I can see that when assuming a role in the console, the user can't change the sts:sessionName and this is always set to their username. Is this the suggested method for tracking actions? Whilst this seems appropriate for roles within the same account, as usernames are not globally unique I am concerned about using this for cross account attribution.

It seems placing restrictions on the value of sts:sourceIdentity is not supported when assuming roles in the web console.

1 Answer
0

The way to do this is a combination of naming your sessions, and transitive tags. As you've discovered, you can't do this by looking at access key ID's because roles use short-term credentials, so they're always changing.

You can force sessions to be named as part of your policies by checking the sts:RoleSessionName condition key, check this AWS blog post for a bit more detail.

Transitive tags set on a session will persist across role assumptions, and cannot be overwritten by later assume role calls

profile picture
rowanu
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions