more information in AWS IAM audit logs
We are using MongoDB-AWS for authentication, and have set up the audit log to log events taken by AWS roles. However, there is insufficient information in the logs to identify who is doing those actions, as roles can be assumed by multiple people.
An example log line in the current audit log:
{ "atype" : "authenticate", "ts" : { "$date" : "2021-01-05T00:21:52.628+00:00" }, "local" : { "ip" : "192.168.248.203", "port" : 27017 }, "remote" : { "ip" : "172.31.0.5", "port" : 54195 }, "users" : [ { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external" } ], "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "clusterMonitor", "db" : "admin" }, { "role" : "backup", "db" : "admin" }, { "role" : "atlasAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "enableSharding", "db" : "admin" } ], "param" : { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external", "mechanism" : "MONGODB-AWS" }, "result" : 0 }
The user is identified as "arn:aws:sts::555555555555:assumed-role/developer-role/*", but the true ARN of the user is more like "arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com", where the role session name carries identifying information.
In order to make the audit logs more useful, since multiple entities can assume a role, the audit logs should contain the full role ARN with the session name or the UserID of the assumed role.
At some point in the past, the logs contained the access key ID used to access the cluster, which could be correlated back to an individual user using Cloudtrail.
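The attribution gap described in this post can be checked mechanically: split the STS assumed-role ARN that MONGODB-AWS records into account, role name and role session name, and flag authentication events whose session name is empty, since those cannot be tied to a person. The following Python is an added example, not code from the poster or from MongoDB; it assumes audit entries in the JSON shape quoted above, and the second sample line is constructed to show the fuller ARN the poster asks for (account ID and names are placeholders).

```python
import json
import re

# Constructed sample audit entries, modelled on the log line quoted in the post.
# The first mirrors the ambiguous form (no session name); the second shows the
# fuller ARN with a session name. Account ID and names are placeholders.
SAMPLE_AUDIT_LINES = [
    '{"atype":"authenticate","ts":{"$date":"2021-01-05T00:21:52.628+00:00"},'
    '"remote":{"ip":"172.31.0.5","port":54195},'
    '"users":[{"user":"arn:aws:sts::555555555555:assumed-role/developer-role/","db":"$external"}],'
    '"param":{"user":"arn:aws:sts::555555555555:assumed-role/developer-role/",'
    '"db":"$external","mechanism":"MONGODB-AWS"},"result":0}',
    '{"atype":"authenticate","ts":{"$date":"2021-01-05T00:22:10.001+00:00"},'
    '"remote":{"ip":"172.31.0.9","port":54201},'
    '"users":[{"user":"arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com","db":"$external"}],'
    '"param":{"user":"arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com",'
    '"db":"$external","mechanism":"MONGODB-AWS"},"result":0}',
]

# arn:aws:sts::<12-digit account>:assumed-role/<role name>/<role session name>
# The session name may be empty, which is exactly the ambiguous case in the post.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.*)$"
)


def parse_assumed_role_arn(arn):
    """Split an STS assumed-role ARN into account, role and session name.

    Returns None for anything that is not an assumed-role ARN.
    """
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        return None
    return {
        "account": m.group("account"),
        "role": m.group("role"),
        "session": m.group("session"),
    }


def attribute_authentication(line):
    """Summarise one MONGODB-AWS authenticate event and say whether it names a person.

    Returns None for events that are not MONGODB-AWS authentications.
    In MongoDB audit logs "result" is an error code, so 0 means success.
    """
    entry = json.loads(line)
    param = entry.get("param", {})
    if entry.get("atype") != "authenticate" or param.get("mechanism") != "MONGODB-AWS":
        return None
    principal = param["user"]
    parts = parse_assumed_role_arn(principal)
    summary = {
        "ts": entry["ts"]["$date"],
        "remote_ip": entry["remote"]["ip"],
        "principal": principal,
        "success": entry.get("result") == 0,
        "role": parts["role"] if parts else None,
        "session": parts["session"] if parts else None,
        # Attributable only when the ARN carries a non-empty role session name.
        "attributable": bool(parts and parts["session"]),
    }
    return summary


def unattributable_events(lines):
    """Return the MONGODB-AWS authentications that cannot be tied to a session name."""
    return [s for s in map(attribute_authentication, lines) if s and not s["attributable"]]


if __name__ == "__main__":
    for s in map(attribute_authentication, SAMPLE_AUDIT_LINES):
        print(s)
    print("unattributable:", len(unattributable_events(SAMPLE_AUDIT_LINES)))
```

Running the check over an exported audit log gives the count of role-based logins that cannot be tied back to an individual; once session names appear in the ARN (or the access key ID is logged again for correlation with CloudTrail) that count should drop to zero.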
The full ARN including the user information is now captured in audit logs when AWS IAM authentication is used with assumed roles. This is a delayed update; the change was made in 2021. Thank you for your feedback to make MongoDB better.
-
Geoffrey commented
Also add information about the cluster name (not just the IP address). It's very difficult to identify the source with the local IP, especially when we have linked organisations, multiple projects and a lot of clusters.
-
AdminSalman (Admin, MongoDB) commented
Thanks, Calvin. We are looking into this.