Add a new audit event for AWS console request #45715
Conversation
greedy52
force-pushed
the
STeved/45603_fix_aws_audit
branch
from
f0eefa7
to
72ffc70
Compare
|
@smallinsky this PR is a follow-up on the discussion on #45202. Let me know what you think about this approach. Thanks! |
github-actions
bot
added
application-access
audit-log
| if externalID != "" { | ||
| sum := sha1.Sum([]byte(externalID)) | ||
| e.ExternalIdSha1 = hex.EncodeToString(sum[:]) |
There was a problem hiding this comment.
Why externalID needs to be truncated/ converted to sha1 ?
There was a problem hiding this comment.
Here is my take. AWS does not treat external ID as a secret but in general, it's only known to the assumer and whoever has permission to the target role. It should not be public knowledge to like an auditor.
For auditing purpose, I mainly want to capture the fact that an external ID is used. I could also use a bool.
What do you think? If security is not a concern, we could record the original string too.
| return nil, trace.Wrap(err) | ||
| } | ||
|
|
||
| c.emitAudit(ctx, req, nil) |
There was a problem hiding this comment.
nit: Emitting audit event GetAWSSigninURL is not totally verbose flow.
Why not put the audit emit audit event from handler
?
There was a problem hiding this comment.
The handler does not have all the details like the hashed username, nor it (the handler) should concern a very specific AWS event, IMO.
fixes #45603
changelog: added a new audit event for AWS console request
role_session_nameNew audit event (in addition to
app.session.start):Now it captures the error when AWS console request fails:
Role session name is captured in the event:
Also updated some existing events:
