What Is AWS CloudTrail?
A couple of days ago I talked about switching IAM roles between AWS accounts to manage multiple accounts from a central account. What about the logs: what do they look like in each account when a switch is performed? Well, let’s take a look.
I have two accounts, one named MASTER and another named MANAGED. I will access the managed account from the master account, then delete an S3 bucket in the managed account. Let’s see what the CloudTrail logs show.
In the Master account’s CloudTrail, two logs show up, which makes sense: first a role switch is performed, then a role is assumed to gain the privileges.
In the Managed account’s CloudTrail, only a switch log shows up, which also makes sense.
Expanding the SwitchRole log in both accounts shows that their Event IDs are different.
Expanding the Master account’s AssumeRole log shows more details. At the very bottom line we can see who, and from where (IP), invoked the STS service and assumed the IAM role.
Alright, so far we can track who, from where and at what time performed a role switch, from both accounts. Next question: if I delete an S3 bucket in the managed account after the role switch, how will this action be logged? Let’s find out.
In the Managed account, we can see that the delete action was logged with who, from where, what action, and on what resource.
In the Master account, however, the delete action is nowhere to be found. Even in Athena, no record can be found.
A cross check confirms that actions performed after the role switch are not recorded in the Master account.
We can see from the image above that no action is recorded after the role switch, while in the Managed account’s CloudTrail we can see all actions performed.
So, to conclude: when switching roles, both accounts log the switch, but after the switch, actions performed in the Managed account are not recorded in (or visible from) the Master account. Let me know if you have different thoughts!
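To make the conclusion above actionable, here is an added example (not code from the original post) that joins the two trails: it takes the AssumeRole record from the master account’s trail, finds its twin in the managed account’s trail, and attaches every action the managed account recorded under that assumed-role session. The CloudTrail records are constructed to mimic the real JSON format; the account IDs, role name (AdminFromMaster), user name, IP address and event IDs are made up. It assumes CloudTrail’s documented behaviour that a cross-account AssumeRole is written to both accounts with different eventID values but the same sharedEventID, and that actions taken after the switch carry a userIdentity of type AssumedRole whose arn is the session ARN returned by AssumeRole.

```python
"""Correlate a cross-account role switch across two CloudTrail trails.

Added example, not from the original post. All records, account IDs,
role names, IPs and event IDs below are constructed; the field names
follow CloudTrail's record format.
"""
import json
from datetime import datetime

MASTER_ACCOUNT = "111111111111"   # constructed: the "MASTER" account
MANAGED_ACCOUNT = "222222222222"  # constructed: the "MANAGED" account
ROLE_ARN = f"arn:aws:iam::{MANAGED_ACCOUNT}:role/AdminFromMaster"  # assumed role name
SESSION_ARN = f"arn:aws:sts::{MANAGED_ACCOUNT}:assumed-role/AdminFromMaster/alice"

# Constructed master-account trail: the switch is present, the delete is not.
MASTER_TRAIL = [
    {"eventID": "e1-master", "sharedEventID": "shared-01",
     "eventTime": "2019-03-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accountId": MASTER_ACCOUNT},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION_ARN}}},
]

# Constructed managed-account trail: the switch plus the action taken under it.
MANAGED_TRAIL = [
    {"eventID": "e1-managed", "sharedEventID": "shared-01",
     "eventTime": "2019-03-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": MASTER_ACCOUNT},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION_ARN}}},
    {"eventID": "e2-managed", "eventTime": "2019-03-01T10:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN,
                      "accountId": MANAGED_ACCOUNT},
     "requestParameters": {"bucketName": "example-bucket"}},
]


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_assume_role(trail):
    """AssumeRole events are the only trace of the switch on the master side."""
    return [r for r in trail
            if r.get("eventSource") == "sts.amazonaws.com"
            and r.get("eventName") == "AssumeRole"]


def session_actions(managed_trail, session_arn, since):
    """Actions the managed account recorded under the assumed-role session."""
    return [
        {"time": r["eventTime"],
         "action": f'{r["eventSource"].split(".")[0]}:{r["eventName"]}',
         "ip": r["sourceIPAddress"],
         "request": r.get("requestParameters", {})}
        for r in managed_trail
        if r.get("userIdentity", {}).get("type") == "AssumedRole"
        and r["userIdentity"].get("arn") == session_arn
        and _ts(r) >= since
    ]


def correlate(master_trail, managed_trail):
    """Join each master-side AssumeRole to its managed-side twin via sharedEventID,
    then attach the actions run under that session. Returns one dict per session."""
    managed_by_shared = {r["sharedEventID"]: r
                         for r in find_assume_role(managed_trail)
                         if "sharedEventID" in r}
    sessions = []
    for ev in find_assume_role(master_trail):
        twin = managed_by_shared.get(ev.get("sharedEventID"))
        session_arn = ev["responseElements"]["assumedRoleUser"]["arn"]
        sessions.append({
            "who": ev["userIdentity"].get("userName"),
            "from_ip": ev["sourceIPAddress"],
            "role": ev["requestParameters"]["roleArn"],
            "master_event_id": ev["eventID"],
            "managed_event_id": twin["eventID"] if twin else None,
            "actions": session_actions(managed_trail, session_arn, _ts(ev)),
        })
    return sessions


def actions_in_master(master_trail, event_name):
    """Records of a post-switch action in the master trail; expected to be empty."""
    return [r for r in master_trail if r.get("eventName") == event_name]


if __name__ == "__main__":
    print(json.dumps(correlate(MASTER_TRAIL, MANAGED_TRAIL), indent=2))
    print("DeleteBucket in master trail:",
          actions_in_master(MASTER_TRAIL, "DeleteBucket"))
```

The practical point is that the master account’s trail alone can tell you who switched, from where and when, but not what they did; to attribute the DeleteBucket to the IAM user in the master account you need the managed account’s trail and the session ARN (or sharedEventID) as the join key, which is why a central log bucket or aggregated trail covering the managed accounts matters.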