Why doesn't IAM show user principal IDs nor allow for searching?

0

From GuardDuty we get notifications about modifications to S3 buckets in the format

{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "ap-southeast-1",
      "eventTime": "DATETIME",
      "eventName": "ObjectCreated:Put",
      "userIdentity": { "principalId": "AWS:21CHARACTER" },
      "requestParameters": { "sourceIPAddress": "1.2.3.4" },
      "responseElements": {
        "x-amz-request-id": "X-AMZ-REQUEST-ID",
        "x-amz-id-2": "X-AMZ-ID-2"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "CONFIGURATIONID",
        "bucket": {
          "name": "BUCKETNAME",
          "ownerIdentity": { "principalId": "14CHARACTER" },
          "arn": "arn:aws:s3:::BUCKETNAME"
        },
        "object": {
          "key": "FILE.NAME",
          "size": 1234,
          "eTag": "ETAG",
          "sequencer": "SEQUENCER"
        }
      }
    }
  ]
}
  1. Why doesn't it report the user ARN?
  2. Why does IAM not show each user's (21-character) principal ID?
  3. Why does IAM not make principal ID searchable?
  4. Why does AWS CLI iam get-user not implement get by principal ID?
  5. Why does it have to be iam list-users to pull every user to manually check?
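The manual check described in point 5, as an added example that is not part of the original question: the `userIdentity.principalId` in the event is the IAM unique ID (`AIDA…` for a user, `AROA…:session-name` for an assumed-role session), and since IAM has no get-by-ID call the only option is to scan paginated `ListUsers` / `ListRoles` output for a matching `UserId` / `RoleId`. The event, the user pages and the role pages below are constructed samples in the shape of the notification above and of the `aws iam list-users` / `list-roles` output; the IDs and account number are placeholders, and the `AWS:AROA…:session` form of role-session principal IDs is an assumption of this example.

```python
import json
from typing import Iterable, Optional

# Constructed sample event (two records) in the shape of the S3 notification
# quoted in the question. All IDs are placeholders, not real AWS identifiers.
SAMPLE_EVENT = json.dumps({
    "Records": [
        {
            "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "userIdentity": {"principalId": "AWS:AIDAEXAMPLEUSER000002"},
            "requestParameters": {"sourceIPAddress": "1.2.3.4"},
            "s3": {"bucket": {"name": "BUCKETNAME", "ownerIdentity": {"principalId": "EXAMPLEOWNER"}},
                   "object": {"key": "FILE.NAME", "size": 1234}},
        },
        {
            "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            # Assumed-role session: unique role ID followed by the session name (assumption).
            "userIdentity": {"principalId": "AWS:AROAEXAMPLEROLE000001:deploy"},
            "requestParameters": {"sourceIPAddress": "5.6.7.8"},
            "s3": {"bucket": {"name": "BUCKETNAME", "ownerIdentity": {"principalId": "EXAMPLEOWNER"}},
                   "object": {"key": "OTHER.NAME", "size": 42}},
        },
    ]
})

# Constructed pages in the shape of `aws iam list-users` output / the boto3
# ListUsers paginator. Two pages, so the scan has to cross a page boundary.
SAMPLE_USER_PAGES = [
    {"Users": [{"UserName": "alice", "UserId": "AIDAEXAMPLEUSER000001",
                "Arn": "arn:aws:iam::123456789012:user/alice"}],
     "IsTruncated": True, "Marker": "page2"},
    {"Users": [{"UserName": "bob", "UserId": "AIDAEXAMPLEUSER000002",
                "Arn": "arn:aws:iam::123456789012:user/bob"}],
     "IsTruncated": False},
]

# Constructed page in the shape of `aws iam list-roles` output.
SAMPLE_ROLE_PAGES = [
    {"Roles": [{"RoleName": "Deployer", "RoleId": "AROAEXAMPLEROLE000001",
                "Arn": "arn:aws:iam::123456789012:role/Deployer"}],
     "IsTruncated": False},
]


def principal_from_record(record: dict) -> tuple[str, Optional[str]]:
    """Split userIdentity.principalId into (unique_id, session_name_or_None).

    Strips the leading "AWS:"; anything after the next ":" is taken to be an
    assumed-role session name (absent for plain IAM users).
    """
    pid = record["userIdentity"]["principalId"]
    if pid.startswith("AWS:"):
        pid = pid[len("AWS:"):]
    unique_id, _, session = pid.partition(":")
    return unique_id, session or None


def resolve_unique_id(unique_id: str, pages: Iterable[dict], key: str) -> Optional[dict]:
    """Scan paginated ListUsers ("Users"/"UserId") or ListRoles ("Roles"/"RoleId")
    output for the entry whose unique ID matches; return it, or None if absent.
    """
    id_field = "UserId" if key == "Users" else "RoleId"
    for page in pages:
        for entry in page.get(key, []):
            if entry.get(id_field) == unique_id:
                return entry
    return None


def resolve_event(event_json: str, user_pages: Iterable[dict], role_pages: Iterable[dict]) -> list[dict]:
    """Map every record's principal ID to an IAM ARN using the unique-ID prefix
    (AIDA = IAM user, AROA = IAM role) to pick which listing to scan."""
    user_pages, role_pages = list(user_pages), list(role_pages)  # allow re-scanning
    results = []
    for record in json.loads(event_json)["Records"]:
        unique_id, session = principal_from_record(record)
        if unique_id.startswith("AIDA"):
            kind, match = "user", resolve_unique_id(unique_id, user_pages, "Users")
        elif unique_id.startswith("AROA"):
            kind, match = "role", resolve_unique_id(unique_id, role_pages, "Roles")
        else:
            kind, match = "unknown", None
        results.append({
            "unique_id": unique_id, "kind": kind, "session": session,
            "arn": match["Arn"] if match else None,
            "bucket": record["s3"]["bucket"]["name"],
            "key": record["s3"]["object"]["key"],
            "source_ip": record["requestParameters"]["sourceIPAddress"],
        })
    return results


if __name__ == "__main__":
    for hit in resolve_event(SAMPLE_EVENT, SAMPLE_USER_PAGES, SAMPLE_ROLE_PAGES):
        print(json.dumps(hit))
```

Against a live account the pages come from `boto3.client("iam").get_paginator("list_users").paginate()` and the matching `list_roles` paginator, which yield dictionaries of the same shape. The same scan can be done without code because the CLI auto-paginates and accepts a JMESPath filter: `aws iam list-users --query "Users[?UserId=='AIDA...']"` and `aws iam list-roles --query "Roles[?RoleId=='AROA...']"`.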
1 Answer
-1

There have been security findings that have indicated that the AWS account ID is sensitive. It is therefore imperative, from a security standpoint, that the account ID be protected. Most of the things that you appear to desire would expose the account ID.

answered 2 years ago
  • So executing aws iam list-users to get everybody's principal ID is not sensitive?
