AWS Monitoring
Work in Progress
This section is a work in progress: it will probably change drastically in the upcoming days.
Practical

Expel: The power of orchestration: how we automated enrichments for AWS alerts
- There are a few ways a role is typically assumed:
  - SAML / Web identity integration
  - AWS web console
  - AWS native services
  - CLI / SDK
- The enrichment logic determines the interface in the following order:
  - SAML or web federation, through the API event name (AssumeRoleWithSAML and AssumeRoleWithWebIdentity)
  - The web console, by looking at the invokedBy field (AWS Internal), the source IP and the UserAgent
  - An AWS service, by looking at the invokedBy field
  - If none of the first three criteria match, the interface is determined to be the AWS CLI or SDK

AWS: How to Easily Identify Your Federated Users by Using AWS CloudTrail
- CloudTrail records two additional STS API calls: AssumeRoleWithWebIdentity and AssumeRoleWithSAML
- To identify the federated user that terminated the EC2 instance, Alice signs in to the AWS Management Console and performs the following steps:
  - Alice searches the CloudTrail event logs for the eventName TerminateInstances
  - In the userIdentity section of the event log found in Step 1, Alice determines the ARN, including the role session name, of the IAM role assumed by the federated user
  - Alice searches the CloudTrail event logs for the eventName AssumeRoleWithSAML that includes the IAM role's ARN identified in Step 2
  - Finally, Alice identifies the federated user in the username attribute of the CloudTrail event log she found in Step 3
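The two procedures above, Expel's interface classification and the four-step federated-user lookup, combined into one added example (not code from either article). The CloudTrail records are constructed samples carrying only the fields the logic reads; the console UserAgent prefixes are an assumption about typical console traffic.

```python
# Constructed CloudTrail records (not real data), trimmed to the fields used below.
EVENTS = [
    {"eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
     "responseElements": {"assumedRoleUser": {
         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice@example.com"}}},
    {"eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice@example.com"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0"},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "sourceIPAddress": "lambda.amazonaws.com", "userAgent": "lambda.amazonaws.com"},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "invokedBy": "AWS Internal"},
     "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal"},
]

FEDERATION_EVENTS = {"AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}
# Assumed console UserAgent prefixes; tune to what your own trail shows.
CONSOLE_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com", "AWS Internal")


def classify_interface(event):
    """Return the interface behind an event, checked in the order Expel describes."""
    ident = event.get("userIdentity", {})
    invoked_by = ident.get("invokedBy", "")
    if event.get("eventName") in FEDERATION_EVENTS:
        return "saml/web-federation"          # 1. federation, by API event name
    if invoked_by == "AWS Internal" or event.get("userAgent", "").startswith(CONSOLE_AGENTS):
        return "console"                      # 2. console, by invokedBy / UserAgent
    if invoked_by:
        return "aws-service"                  # 3. a service acting for the principal
    return "cli/sdk"                          # 4. everything else


def federated_user_for(events, event_name="TerminateInstances"):
    """Steps 1-4 of the AWS walkthrough: map an action back to the SAML user."""
    users = []
    for action in events:                     # step 1: find the action of interest
        if action.get("eventName") != event_name:
            continue
        session_arn = action["userIdentity"].get("arn")   # step 2: ARN with session name
        for sts in events:                    # step 3: the AssumeRoleWithSAML for that ARN
            if sts.get("eventName") == "AssumeRoleWithSAML" and \
               sts["responseElements"]["assumedRoleUser"]["arn"] == session_arn:
                users.append(sts["userIdentity"]["userName"])   # step 4: the username
    return users
```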