Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Why doesn't IAM show user principal IDs nor allow for searching?

0

From GuardDuty we get notifications about modifications to S3 buckets in the format

{
    "Records": [
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "awsRegion": "ap-southeast-1",
            "eventTime": "DATETIME",
            "eventName": "ObjectCreated:Put",
            "userIdentity": {
                "principalId": "AWS:21CHARACTER"
            },
            "requestParameters": {
                "sourceIPAddress": "1.2.3.4"
            },
            "responseElements": {
                "x-amz-request-id": "X-AMZ-REQUEST-ID",
                "x-amz-id-2": "X-AMZ-ID-2"
            },
            "s3": {
                "s3SchemaVersion": "1.0",
                "configurationId": "CONFIGURATIONID",
                "bucket": {
                    "name": "BUCKETNAME",
                    "ownerIdentity": {
                        "principalId": "14CHARACTER"
                    },
                    "arn": "arn:aws:s3:::BUCKETNAME"
                },
                "object": {
                    "key": "FILE.NAME",
                    "size": 1234,
                    "eTag": "ETAG",
                    "sequencer": "SEQUENCER"
                }
            }
        }
    ]
}
  1. Why doesn't it report the user ARN?
  2. Why does IAM not show each user's (21-character) principal ID?
  3. Why does IAM not make principal ID searchable?
  4. Why does AWS CLI iam get-user not implement get by principal ID?
  5. Why does it have to be iam list-users to pull every user to manually check?
Topics
Management & GovernanceSecurity, Identity, & Compliance
Tags
AWS Command Line InterfaceAWS Identity and Access ManagementAmazon GuardDuty
Language
English
asked 4 years ago757 views
1 Answer
-1

There have been security findings that have indicated that the AWS account ID is sensitive. It therefore imperative, from a security standpoint, that the account ID be protected. Most of the things that you appear to desire would expose the account ID.

answered 4 years ago
  • icelava
    4 years ago

    So executing aws iam list-users to get everybody's principal ID is, not sensitive?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content