From GuardDuty we get notifications about modifications to S3 buckets in the format
{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "ap-southeast-1",
      "eventTime": "DATETIME",
      "eventName": "ObjectCreated:Put",
      "userIdentity": { "principalId": "AWS:21CHARACTER" },
      "requestParameters": { "sourceIPAddress": "1.2.3.4" },
      "responseElements": {
        "x-amz-request-id": "X-AMZ-REQUEST-ID",
        "x-amz-id-2": "X-AMZ-ID-2"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "CONFIGURATIONID",
        "bucket": {
          "name": "BUCKETNAME",
          "ownerIdentity": { "principalId": "14CHARACTER" },
          "arn": "arn:aws:s3:::BUCKETNAME"
        },
        "object": {
          "key": "FILE.NAME",
          "size": 1234,
          "eTag": "ETAG",
          "sequencer": "SEQUENCER"
        }
      }
    }
  ]
}
- Why doesn't it report the user ARN?
- Why does IAM not show each user's (21-character) principal ID?
- Why does IAM not make principal ID searchable?
- Why does the AWS CLI's iam get-user not implement a lookup by principal ID?
- Why does it have to be iam list-users, pulling every user, to check manually?
So executing aws iam list-users to get everybody's principal ID is not sensitive?
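The manual matching the questions above describe, written out as an added example (this is not code from the original post). It takes an S3 event notification in the quoted format, pulls out `userIdentity.principalId`, strips the `AWS:` prefix, and looks the 21-character unique ID up in a table built from the `UserId`/`Arn` fields that `aws iam list-users` returns (and, for assumed roles, the `RoleId`/`Arn` fields from `aws iam list-roles`). The event, user and role records below are constructed sample data with made-up IDs; the `AWS:AROA...:session-name` form for assumed-role principals is from my own observation of these notifications and is an assumption, not something the post states.

```python
import json

# Constructed sample event in the format quoted in the post. The IDs are
# made-up placeholders, not real AWS unique IDs.
SAMPLE_EVENT = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "ap-southeast-1",
        "eventTime": "2024-01-01T00:00:00.000Z",
        "eventName": "ObjectCreated:Put",
        "userIdentity": {"principalId": "AWS:AIDAEXAMPLE0000000001"},
        "requestParameters": {"sourceIPAddress": "1.2.3.4"},
        "s3": {"bucket": {"name": "BUCKETNAME"}, "object": {"key": "FILE.NAME"}},
    }]
})

# Constructed stand-ins for the records returned by `aws iam list-users` and
# `aws iam list-roles`. The field names (UserId, RoleId, Arn) are the real
# ones; the values are made up.
SAMPLE_USERS = [
    {"UserName": "alice", "UserId": "AIDAEXAMPLE0000000001",
     "Arn": "arn:aws:iam::123456789012:user/alice"},
    {"UserName": "bob", "UserId": "AIDAEXAMPLE0000000002",
     "Arn": "arn:aws:iam::123456789012:user/bob"},
]
SAMPLE_ROLES = [
    {"RoleName": "deploy", "RoleId": "AROAEXAMPLE0000000001",
     "Arn": "arn:aws:iam::123456789012:role/deploy"},
]


def build_index(users, roles):
    """Map each IAM unique ID (UserId or RoleId) to its ARN.

    This is the table you have to build yourself, since IAM offers no
    get-by-unique-ID call: list every user (and role), then key on the ID.
    """
    index = {u["UserId"]: u["Arn"] for u in users}
    index.update({r["RoleId"]: r["Arn"] for r in roles})
    return index


def parse_principal(principal_id):
    """Split S3's userIdentity.principalId into (unique_id, session_name).

    "AWS:AIDA..."          -> an IAM user; second field is the 21-char UserId
    "AWS:AROA...:session"  -> an assumed role (assumption: this is the form
                              I have seen); third field is the session name
    """
    parts = principal_id.split(":")
    if len(parts) < 2 or parts[0] != "AWS":
        raise ValueError(f"unexpected principalId: {principal_id!r}")
    unique_id = parts[1]
    session = parts[2] if len(parts) > 2 else None
    return unique_id, session


def resolve_event(event_json, index):
    """For each record return (principalId, resolved ARN or None, session).

    None means the ID is not in the index: a deleted principal, a principal
    from another account, or an index built without roles.
    """
    out = []
    for rec in json.loads(event_json)["Records"]:
        pid = rec["userIdentity"]["principalId"]
        unique_id, session = parse_principal(pid)
        out.append((pid, index.get(unique_id), session))
    return out


if __name__ == "__main__":
    index = build_index(SAMPLE_USERS, SAMPLE_ROLES)
    for pid, arn, session in resolve_event(SAMPLE_EVENT, index):
        print(f"{pid} -> {arn or 'UNRESOLVED'}" + (f" (session {session})" if session else ""))
```

To feed it real data, `aws iam list-users --query 'Users[].[UserId,Arn]' --output text` and the same for `list-roles` give exactly the two columns the index needs; the CLI paginates both calls for you. The unique IDs themselves are identifiers, not credentials, but reading them does require the `iam:ListUsers` / `iam:ListRoles` permissions, so the script belongs with whatever identity already has IAM read access rather than with the bucket-notification consumer.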