Tags: amazon-web-services, amazon-iam, assume-role, amazon-guardduty

Identify AWS IAM user that assumed an IAM role


I'm working on a system that receives new findings from Amazon GuardDuty. Most access in our organization is delegated to IAM roles instead of directly to users, so the findings usually result from the actions of assumed roles, and the actor identity of the GuardDuty finding looks something like this:

  "resource": {
    "accessKeyDetails": {
      "accessKeyId": "ASIALXUWSRBXSAQZECAY",
      "principalId": "AROACDRML13PHK3X7J1UL:129545928468",
      "userName": "my-permitted-role",
      "userType": "AssumedRole"
    },
    "resourceType": "AccessKey"
  },

I know that the accessKeyId is created when a security principal performs the iam:AssumeRole action. But I can't tell who assumed the role in the first place! If it was an IAM user, I want to know the username. Is there a way to programmatically map temporary AWS STS keys (starts with ASIA...) back to an original user?

Ideally I'm looking for a method that runs in less than 30 seconds so I can use it as part of my security event pipeline to enrich GuardDuty findings with the missing information.

I've already looked at aws-cli and found aws cloudtrail lookup-events but it lacks the ability to narrow the query to a specific accessKeyId so it takes a loooong time to run. I've explored the CloudTrail console but it's only about as capable as aws-cli here. I tried saving my CloudTrail logs to S3 and running an Athena query, but that was pretty slow too.

This seems like it would be a common requirement. Is there something obvious that I'm missing?


Solution

  • Actually, aws-cli can perform a lookup on the session! Just make sure to specify ResourceName as the attribute key in the lookup attributes.

    # ResourceName matches the AssumeRole event that minted the temporary key,
    # so Username is the caller of AssumeRole rather than the role session itself.
    $ aws cloudtrail lookup-events \
      --lookup-attributes 'AttributeKey=ResourceName,AttributeValue=ASIALXUWSRBXSAQZECAY' \
      --query 'Events[*].Username'
    
    [
        "the.user@example.com"
    ]
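The same lookup wired into an enrichment step, as an added example that is not part of the question or the answer above. It calls CloudTrail's `LookupEvents` with `AttributeKey=ResourceName` (the `ResourceName` attribute finds the `AssumeRole` call that minted the key; the separate `AccessKeyId` attribute would instead return calls made *with* the key, whose `Username` is only the role session), pages through the results, and reads the caller out of the record's `userIdentity` block so that IAM users, role chaining and federated callers are all handled. The GuardDuty finding, the CloudTrail records, the account ID, names and IP in it are constructed sample data, and the `FakeCloudTrailClient` stands in for `boto3.client("cloudtrail")` so the demo runs offline; pass `--live` with boto3 installed to run it against a real account.

```python
"""Resolve the caller behind an assumed-role session in a GuardDuty finding via
CloudTrail LookupEvents(ResourceName=<ASIA key>). Added example, not code from
the original post; sample data below is constructed."""
import json
import sys
from dataclasses import dataclass

try:
    import boto3  # only needed for the --live path
except ImportError:  # keep the offline demo runnable without boto3 installed
    boto3 = None

ASSUME_EVENTS = ("AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity")


@dataclass
class Assumer:
    principal_type: str  # IAMUser, AssumedRole (role chaining), Root, SAMLUser, ...
    name: str
    arn: str
    source_ip: str
    event_time: str


def access_key_from_finding(finding):
    """ASIA... key of the finding's actor, or None if the actor is not a role session."""
    details = finding.get("resource", {}).get("accessKeyDetails", {})
    if details.get("userType") != "AssumedRole":
        return None
    return details.get("accessKeyId")


def lookup_assume_role_event(client, access_key_id):
    """Page through LookupEvents(ResourceName=<key>) and return the parsed record of
    the AssumeRole* call that minted the key, or None. Caveats: LookupEvents only
    covers the last 90 days, the call is logged in the account that owns the role,
    and calls to the global STS endpoint have been recorded in us-east-1."""
    kwargs = {"LookupAttributes": [{"AttributeKey": "ResourceName",
                                    "AttributeValue": access_key_id}], "MaxResults": 50}
    while True:
        page = client.lookup_events(**kwargs)
        for event in page.get("Events", []):
            if event.get("EventName") not in ASSUME_EVENTS:
                continue  # some other event referencing the key, not the call that created it
            record = json.loads(event["CloudTrailEvent"])
            # The secret key is never logged, but the minted key ID is; confirm it matches.
            minted = record.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if minted in (None, access_key_id):
                return record
        if not page.get("NextToken"):
            return None
        kwargs["NextToken"] = page["NextToken"]


def describe_assumer(record):
    """Who called AssumeRole, taken from the record's userIdentity block."""
    ident = record["userIdentity"]
    ptype = ident.get("type", "")
    if ptype == "IAMUser":
        name = ident["userName"]
    elif ptype == "AssumedRole":
        # Role chaining: the caller was itself a session; its session name is the
        # last ARN component, and the original caller is one more lookup back.
        name = ident["arn"].rsplit("/", 1)[-1]
    elif ptype == "Root":
        name = "root"
    else:  # SAMLUser, WebIdentityUser, AWSService, AWSAccount, ...
        name = ident.get("userName") or ident.get("principalId") or ident.get("invokedBy", "")
    return Assumer(ptype, name, ident.get("arn", ""),
                   record.get("sourceIPAddress", ""), record.get("eventTime", ""))


def enrich_finding(client, finding):
    """Assumer behind the finding's session, or None if it cannot be resolved."""
    key = access_key_from_finding(finding)
    if key is None:
        return None
    record = lookup_assume_role_event(client, key)
    return describe_assumer(record) if record else None


# --- Constructed sample data (made up for the demo, shaped like the real records) ---
SAMPLE_FINDING = {"resource": {"accessKeyDetails": {
    "accessKeyId": "ASIALXUWSRBXSAQZECAY", "principalId": "AROACDRML13PHK3X7J1UL:129545928468",
    "userName": "my-permitted-role", "userType": "AssumedRole"}, "resourceType": "AccessKey"}}

SAMPLE_RECORDS = [
    {  # noise: an API call made *with* the session key
        "eventName": "DescribeInstances", "eventTime": "2023-05-04T12:40:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIALXUWSRBXSAQZECAY",
                         "principalId": "AROACDRML13PHK3X7J1UL:129545928468",
                         "arn": "arn:aws:sts::123456789012:assumed-role/my-permitted-role/129545928468"}},
    {  # the AssumeRole call that minted the key
        "eventName": "AssumeRole", "eventTime": "2023-05-04T12:34:56Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "the.user@example.com",
                         "principalId": "AIDAEXAMPLEPRINCIPAL",
                         "arn": "arn:aws:iam::123456789012:user/the.user@example.com"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/my-permitted-role",
                              "roleSessionName": "129545928468"},
        "responseElements": {"credentials": {"accessKeyId": "ASIALXUWSRBXSAQZECAY",
                                             "expiration": "May 4, 2023, 1:34:56 PM"}}},
]


class FakeCloudTrailClient:
    """Offline stand-in for boto3.client('cloudtrail'); serves one hit per page
    with a NextToken so the paging path is exercised."""
    def __init__(self, records):
        self.records = records

    def lookup_events(self, LookupAttributes, MaxResults=50, NextToken=None):
        key = LookupAttributes[0]["AttributeValue"]
        hits = [r for r in self.records if key in json.dumps(r)]  # loose ResourceName imitation
        i = int(NextToken or 0)
        page = {"Events": []}
        if i < len(hits):
            r = hits[i]
            page["Events"] = [{"EventName": r["eventName"], "Username": r["userIdentity"].get("userName"),
                               "CloudTrailEvent": json.dumps(r)}]
        if i + 1 < len(hits):
            page["NextToken"] = str(i + 1)
        return page


if __name__ == "__main__":
    if "--live" in sys.argv and boto3:
        client = boto3.client("cloudtrail", region_name="us-east-1")
    else:
        client = FakeCloudTrailClient(SAMPLE_RECORDS)
    print(enrich_finding(client, SAMPLE_FINDING))
```

A single `LookupEvents` call normally returns within a few seconds, which fits the 30-second budget in the question; if the lookup returns nothing, check that it was run in the role's account and in the region where the `AssumeRole` call was recorded, and that the session is younger than the 90-day lookup window.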