How to obtain the credential (Access key ID) of the user who sent the message in the log of a sent SMS message.


I send SMS messages via SNS aws-sdk. These are unique messages for each phone number. I created an IAM user with permission to send messages for each application that will be able to send messages. How can I filter in the log (AWS CloudTrail or Amazon CloudWatch Logs) which credential (Access key ID) was used to send the message?

  • Rephrasing the question:

    Right now I'm sending SMS messages using SNS, but without using topics, i.e. directly to the destination phone number.

    I have SNS set up to log delivery status of SMS messages to cloudwatch.

    Problem:

    However, the object received in the logs does not include the credential (access key). Is there a way to do so?

    I need it:

    I need to know which IAM user credential (access key) was used to send the SMS message via aws-sdk.

  • Whereas that:

    1. AWSService: the request was made by an AWS service account. Many AWS services use service accounts to perform automated actions on my behalf.
    2. AssumedRole: the request was made with temporary credentials obtained by using the AWS Security Token Service (STS) AssumeRole operation.
    3. Note that AssumedRoles obfuscate the name of the user who performed the action.
    • The question is: how to interpret the initial identity of an 'Assumed Role' CloudTrail log whose "userIdentity" is of type "AWSService" with "invokedBy": "sns.amazonaws.com"?
    • The log follows:
    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AWSService",
            "invokedBy": "sns.amazonaws.com"
        },
        "eventTime": "2022-07-18T00:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "sns.amazonaws.com",
        "userAgent": "sns.amazonaws.com",
        "requestParameters": {
            "roleArn": "arn:aws:iam::1111111111111:role/SNSSuccessFeedback",
            "roleSessionName": "AWS-SNS"
        },
        "responseElements": {
            "credentials": {
                "accessKeyId": "ASIAVY2MDDDDDDDDDDDD",
                "sessionToken": ....,
                "expiration": "Jul 18, 2022, 00:00:00 AM"
            },
            "assumedRoleUser": {
                "assumedRoleId": "AROAVY2MAAAAAAAAAAAAA:AWS-SNS",
                "arn": "arn:aws:sts::1111111111111:assumed-role/SNSSuccessFeedback/AWS-SNS"
            }
        },
        "requestID": "db01-4b68-...-a3f20ac5",
        "eventID": "a78f-49dd-....-098fa88b",
        "readOnly": false,
        "resources": [
            {
                "accountId": "1111111111111",
                "type": "AWS::IAM::Role",
                "ARN": "arn:aws:iam::1111111111111:role/SNSSuccessFeedback"
            }
        ],
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "1111111111111",
        "sharedEventID": "88888888-....-fes343ade",
        "eventCategory": "Management"
    }
    
1 Answer

Assuming you are using CloudTrail, here are instructions for how to filter the log events:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html

AWS
answered 2 years ago
  • Thanks so much for trying to help.

    In the CloudTrail logs, the credential of the IAM user that was used to send the message is not arriving.

    Should I send only via Topic instead of directly?

    How can I force the application developer to send an ID and identification?

  • The CloudTrail entry includes the userIdentity element here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html. Have you looked at the raw entry?

  • I have this log in CloudWatch:

    CloudWatch > Log groups > sns/sa-east-1/111111111111/DirectPublishToPhoneNumber

    { "notification": { "messageId": "d2352d76-xxxx-yyyy-zzzz-76346da44859", "timestamp": "2022-07-08 14:34:09.558" }, "delivery": { "mnc": 6, "numberOfMessageParts": 1, "destination": "+5511999999999", "priceInUSD": 0.02297, "smsType": "Transactional", "mcc": 724, "providerResponse": "Message has been accepted by phone", "dwellTimeMs": 31, "dwellTimeMsUntilDeviceAck": 3323 }, "status": "SUCCESS" }

    How can I know which credential was used to send this SMS message?

    I have little experience. I'm trying to find some reference in CloudTrail, but without success.

  • @Rodney Lester I read your indication, but in it I found the indication of the creation of the log, but not of the sending of the SMS message.

  • You are looking in CloudWatch Logs, not CloudTrail, which is the audit trail for API calls. Do you have CloudTrail enabled? The first trail is free, except for storage in S3, where you can use a lifecycle policy to regularly delete old logs.
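The AWS reply above points at the userIdentity element of a CloudTrail record; as an added example (not code from the post or from AWS), here is a Python helper that tells the three identity types from the question apart and lists the access key behind each SNS Publish record. All records are constructed: the first mirrors the AWSService/AssumeRole record in the question, and the Publish records, user and role names, ARNs and key IDs are hypothetical placeholders.

```python
# Added example: read CloudTrail userIdentity to see which credential published an SMS.
# All records are constructed; account IDs, names, ARNs and key IDs are placeholders.
SAMPLE_RECORDS = [
    {   # Mirrors the question's record: SNS assuming the delivery-status feedback role.
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService", "invokedBy": "sns.amazonaws.com"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/SNSSuccessFeedback", "roleSessionName": "AWS-SNS"},
    },
    {   # Hypothetical: an application publishing with a long-term IAM user key.
        "eventSource": "sns.amazonaws.com", "eventName": "Publish",
        "userIdentity": {"type": "IAMUser", "userName": "app-billing-sms",
                         "arn": "arn:aws:iam::111111111111:user/app-billing-sms",
                         "accessKeyId": "AKIAEXAMPLE000000001"},
        "requestParameters": {"phoneNumber": "+5511999999999"},
    },
    {   # Hypothetical: an application publishing with temporary AssumeRole credentials.
        "eventSource": "sns.amazonaws.com", "eventName": "Publish",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:app-session-42",
                         "arn": "arn:aws:sts::111111111111:assumed-role/AppSmsRole/app-session-42",
                         "accessKeyId": "ASIAEXAMPLE000000002",
                         "sessionContext": {"sessionIssuer": {"type": "Role",
                             "arn": "arn:aws:iam::111111111111:role/AppSmsRole"}}},
        "requestParameters": {"phoneNumber": "+5511999999999"},
    },
]

def describe_identity(record):
    """Reduce a record's userIdentity to its type, access key ID, principal and session name."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "AssumedRole":
        # Temporary key: the role is in sessionContext.sessionIssuer; the session name follows the colon in principalId.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return {"type": kind, "access_key_id": ident.get("accessKeyId"), "principal": issuer.get("arn"),
                "session": ident.get("principalId", "").partition(":")[2] or None}
    if kind == "AWSService":
        # A service (here SNS) acting on your behalf: no application access key is involved.
        return {"type": kind, "access_key_id": None, "principal": ident.get("invokedBy"), "session": None}
    # IAMUser (and other types): the access key ID identifies the caller directly.
    return {"type": kind, "access_key_id": ident.get("accessKeyId"), "principal": ident.get("arn"), "session": None}

def sms_publishers(records):
    """For each SNS Publish record, return (access key ID, principal ARN, phone number)."""
    rows = []
    for r in records:
        if r.get("eventSource") == "sns.amazonaws.com" and r.get("eventName") == "Publish":
            d = describe_identity(r)
            rows.append((d["access_key_id"], d["principal"], r.get("requestParameters", {}).get("phoneNumber")))
    return rows
```

The CloudWatch delivery-status entry carries only the messageId and delivery details, so the caller's key has to come from the CloudTrail side; the AWSService record in the question is SNS's own AssumeRole for the feedback role, not the application's publish.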
