
Is there any way to record the username while creating a new resource in AWS? For instance, if we want to check sometime later who created a particular resource, can we save it or track it somewhere during creation itself?

2 Answers


  1. When AWS receives an API call that requests a resource to be created, it verifies that the credentials are associated with an IAM User or IAM Role that has permission to create the resource.

    If they have the appropriate permissions, then the resource is created in the AWS Account associated with those credentials.

    However, information about the ‘user’ who requested the resource is not stored against the resource.

    Historical information about who issued the API request is available from AWS Config, including the identity that sent the API call, time, parameters and whether it was successful. This is the only true way to know which identity created the resource. (I say ‘identity’ because it might be an IAM User, an IAM Role or even temporary credentials generated via AWS Security Token Service.)

    If you want to store information about the user directly on the resource that was created, you would need a process that stores that information in a Tag associated with the resource. Some AWS services allow you to specify a tag in the same API call that created the resource, while other services would require you to tag the resource after the resource has been created. It is sometimes possible to write IAM policies that require a tag to be specified when the resource is created, but this does not apply to all AWS services.

  2. You can build an Athena query on top of CloudTrail to get the required details of API calls.

    Prerequisites:

    • enable CloudTrail for the AWS account to store the logs in an S3 bucket
    • create a data source and an Athena table with partitions
    • use simple SQL queries to identify the calls

    More details can be found at:
    https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

    CREATE EXTERNAL TABLE [TABLE_NAME] (
        eventVersion STRING,
        userIdentity STRUCT<
            type: STRING,
            principalId: STRING,
            arn: STRING,
            accountId: STRING,
            invokedBy: STRING,
            accessKeyId: STRING,
            userName: STRING,
            sessionContext: STRUCT<
                attributes: STRUCT<
                    mfaAuthenticated: STRING,
                    creationDate: STRING>,
                sessionIssuer: STRUCT<
                    type: STRING,
                    principalId: STRING,
                    arn: STRING,
                    accountId: STRING,
                    username: STRING>,
                ec2RoleDelivery: STRING,
                webIdFederationData: MAP<STRING,STRING>>>,
        eventTime STRING,
        eventSource STRING,
        eventName STRING,
        awsRegion STRING,
        sourceIpAddress STRING,
        userAgent STRING,
        errorCode STRING,
        errorMessage STRING,
        requestParameters STRING,
        responseElements STRING,
        additionalEventData STRING,
        requestId STRING,
        eventId STRING,
        resources ARRAY<STRUCT<
            arn: STRING,
            accountId: STRING,
            type: STRING>>,
        eventType STRING,
        apiVersion STRING,
        readOnly STRING,
        recipientAccountId STRING,
        serviceEventDetails STRING,
        sharedEventID STRING,
        vpcEndpointId STRING,
        tlsDetails STRUCT<
            tlsVersion: STRING,
            cipherSuite: STRING,
            clientProvidedHostHeader: STRING>
    )
    COMMENT 'CloudTrail table for [S3_BUCKET_NAME] bucket'
    ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
    STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
    OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
    LOCATION '[S3_BUCKET_URL]'
    TBLPROPERTIES ('classification'='cloudtrail');
    

    Sample query to find who created an EC2 instance:

    -- Only successful RunInstances calls: errorcode is NULL when the call succeeded.
    -- recipientaccountid and awsregion are columns of the table above; if the table
    -- is created with partitions (see the linked docs), filter on the partition
    -- columns instead so Athena scans less data.
    SELECT DISTINCT eventtime,
                    eventsource,
                    eventname,
                    useridentity.type,
                    useridentity.arn,
                    useridentity.username,
                    useridentity.principalid,
                    -- for temporary credentials username is empty; the role is here
                    useridentity.sessioncontext.sessionissuer.arn AS session_issuer_arn,
                    -- first instance only; a single call can launch several
                    json_extract_scalar(responseelements, '$.instancesSet.items[0].instanceId') AS instance_id
    FROM [TABLE_NAME]
    WHERE recipientaccountid = 'XXXXXXXXXXXX'
      AND awsregion = 'XXXXXXXX'
      AND eventname = 'RunInstances'
      AND errorcode IS NULL;

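As an added example (not part of either answer above, and not AWS code), here is a Python script that does offline what the Athena query in answer 2 does and applies the identity rules answer 1 describes: it walks CloudTrail records, keeps only successful RunInstances calls, resolves the creator (an IAM user's own ARN, or for temporary credentials the role or user from sessionContext.sessionIssuer plus the session ARN), pulls every instance ID out of responseElements, and builds a CreatedBy tag set in the shape the EC2 CreateTags API takes. The records are constructed sample data; the account ID, ARNs, names, times and instance IDs are made up, and the CreatedBy/CreatedAt/CreatedBySession tag keys are an assumed naming convention.

```python
import json
from typing import Any

ACCT = "111122223333"  # made-up account ID used by the constructed records below

# Constructed sample CloudTrail records (not real log data):
#  [0] RunInstances by an IAM user with MFA; responseElements as a dict (raw log shape)
#  [1] RunInstances via an assumed role; responseElements as a JSON string (how the
#      Athena table above stores it) and two instances launched in one call
#  [2] RunInstances that was denied, so nothing was created
#  [3] a read-only call that must be ignored
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {"eventTime": "2024-03-01T10:15:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE",
                      "arn": f"arn:aws:iam::{ACCT}:user/alice", "accountId": ACCT,
                      "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}},
    {"eventTime": "2024-03-01T11:02:30Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEDEPLOY:ci-build-42",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/DeployRole/ci-build-42",
                      "accountId": ACCT,
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"},
                                         "sessionIssuer": {"type": "Role", "userName": "DeployRole",
                                                           "arn": f"arn:aws:iam::{ACCT}:role/DeployRole"}}},
     "responseElements": json.dumps({"instancesSet": {"items": [
         {"instanceId": "i-0def456789abc0123"}, {"instanceId": "i-0def456789abc0124"}]}})},
    {"eventTime": "2024-03-01T11:30:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation", "responseElements": None},
    {"eventTime": "2024-03-01T11:31:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "userName": "alice"},
     "responseElements": None},
]


def resolve_identity(identity: dict[str, Any]) -> dict[str, Any]:
    """Turn a CloudTrail userIdentity block into the fields worth recording.

    IAM users and root carry their own ARN. Temporary credentials (AssumedRole,
    FederatedUser) have no userName: the durable principal is the role or user in
    sessionContext.sessionIssuer, and the top-level arn only names the session.
    """
    ctx = identity.get("sessionContext") or {}
    mfa = (ctx.get("attributes") or {}).get("mfaAuthenticated") == "true"
    if identity.get("type") in ("AssumedRole", "FederatedUser"):
        issuer = ctx.get("sessionIssuer") or {}
        return {"principal": issuer.get("arn"), "session": identity.get("arn"), "mfa": mfa}
    return {"principal": identity.get("arn"), "session": None, "mfa": mfa}


def created_instance_ids(record: dict[str, Any]) -> list[str]:
    """Instance IDs a RunInstances call actually produced (empty if it failed)."""
    resp = record.get("responseElements")
    if record.get("eventName") != "RunInstances" or record.get("errorCode") or not resp:
        return []
    if isinstance(resp, str):  # Athena returns responseElements as a JSON string
        resp = json.loads(resp)
    return [item["instanceId"] for item in resp.get("instancesSet", {}).get("items", [])]


def find_creators(records: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Map each created instance ID to the identity, time and source that created it."""
    creators: dict[str, dict[str, Any]] = {}
    for rec in records:
        ids = created_instance_ids(rec)
        if not ids:
            continue
        info = resolve_identity(rec.get("userIdentity", {}))
        info.update(time=rec["eventTime"], region=rec["awsRegion"],
                    source_ip=rec.get("sourceIPAddress"))
        for instance_id in ids:
            creators[instance_id] = dict(info)
    return creators


def creator_tags(info: dict[str, Any]) -> list[dict[str, str]]:
    """Tags in the shape EC2 CreateTags takes, recording what CloudTrail saw.

    EC2 tag values allow letters, digits, space and _ . : / = + - @, so ARNs
    normally fit; a session name with other characters would need sanitising.
    """
    tags = [{"Key": "CreatedBy", "Value": info["principal"]},
            {"Key": "CreatedAt", "Value": info["time"]}]
    if info["session"]:
        tags.append({"Key": "CreatedBySession", "Value": info["session"]})
    return tags


if __name__ == "__main__":
    for instance_id, info in find_creators(SAMPLE_RECORDS).items():
        print(instance_id, info["principal"], "mfa" if info["mfa"] else "no-mfa", info["time"])
        print("  tags:", creator_tags(info))
```

To use this against real data, feed find_creators the records from a CloudTrail log file in S3 (each file is a JSON object with a "Records" list) or the rows an Athena query returns; the denied call and the read-only call drop out, and the assumed-role launch is attributed to DeployRole rather than to the empty userName.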