AWS Monitoring

Work in Progress

This section is a work in progress: it will probably change drastically in the upcoming days.


Link Description
Expel The power of orchestration: how we automated enrichments for AWS alerts
  • There are a few ways a role is typically assumed:
    • SAML/Web identity integration
    • AWS web console
    • AWS native services
    • CLI / SDK
  • The logic is applied in the following order:
    • SAML or web federation, detected through the API eventName (AssumeRoleWithSAML and AssumeRoleWithWebIdentity)
    • The web console, detected by looking at the invokedBy field (AWS Internal), the source IP and the UserAgent
    • An AWS service, detected by looking at the invokedBy field
    • If none of the first three criteria match, the interface is determined to be the AWS CLI or SDK
AWS How to Easily Identify Your Federated Users by Using AWS CloudTrail
  • CloudTrail records two additional STS API calls: AssumeRoleWithWebIdentity and AssumeRoleWithSAML
  • To identify the federated user that terminated the EC2 instance, Alice signs in to the AWS Management Console and performs the following steps:
    1. Alice searches the CloudTrail event logs for the eventName called TerminateInstances
    2. In the userIdentity section of the event log found in Step 1, Alice determines the ARN, including the role session name, of the IAM role assumed by the federated user
    3. Alice searches the CloudTrail event logs for the eventName called AssumeRoleWithSAML that includes the IAM role’s ARN identified in Step 2
    4. Finally, Alice identifies the federated user in the username attribute in the CloudTrail event log she found in Step 3
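The two procedures above (Expel's interface classification and the AWS post's four-step trace from TerminateInstances back to the federated user) as an added Python example; it is not code from either article. The records are constructed, simplified CloudTrail-style events with hypothetical account, role and user values, and the console test (invokedBy or sourceIPAddress of "AWS Internal", or a console UserAgent) is an assumed simplification of the heuristic Expel describes.

```python
# Constructed CloudTrail-style records (not real logs); keys follow CloudTrail's
# eventName / userIdentity / requestParameters / sourceIPAddress / userAgent layout.
ROLE = "arn:aws:iam::111122223333:role/Dev"  # hypothetical role
EVENTS = [
    {"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
     "requestParameters": {"roleArn": ROLE, "roleSessionName": "alice@example.com"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "Mozilla/5.0"},
    {"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "AWS Internal",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/alice@example.com"},
     "sourceIPAddress": "AWS Internal", "userAgent": "console.ec2.amazonaws.com"},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "ec2.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/i-0abc"},
     "sourceIPAddress": "ec2.amazonaws.com", "userAgent": "ec2.amazonaws.com"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0"},
]


def assumption_interface(ev):
    """Expel's ordering: federation, then console, then AWS service, else CLI/SDK."""
    if ev["eventName"] in ("AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"):
        return "federation"
    invoked_by = ev["userIdentity"].get("invokedBy", "")
    # Assumed console heuristic: AWS Internal marker or a console UserAgent.
    if (invoked_by == "AWS Internal" or ev["sourceIPAddress"] == "AWS Internal"
            or "console" in ev["userAgent"]):
        return "web-console"
    if invoked_by.endswith(".amazonaws.com"):
        return "aws-service"
    return "cli-sdk"


def federated_user_for(events, event_name="TerminateInstances"):
    """Steps 1-4 of the AWS post: action -> role/session -> AssumeRoleWithSAML -> user."""
    for ev in events:
        if ev["eventName"] != event_name:
            continue
        # Assumed-role ARN ends in .../assumed-role/<RoleName>/<RoleSessionName>.
        _, role_name, session = ev["userIdentity"]["arn"].rsplit("/", 2)
        for sts in events:
            if sts["eventName"] != "AssumeRoleWithSAML":
                continue
            rp = sts["requestParameters"]
            if rp["roleArn"].endswith("/" + role_name) and rp["roleSessionName"] == session:
                return sts["userIdentity"]["userName"]
    return None
```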