gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Enhance audit log for "tsh aws sts assume-role" #23523

Open vnkr-teleport opened 1 year ago

vnkr-teleport commented 1 year ago

What would you like Teleport to do?

When getting AWS credentials through App Access with tsh aws sts assume-role --role-arn <role-arn> --role-session-name <role-session-name>, the <role-session-name> can be any value, and the audit log does not contain the "user requesting credentials" to "role-session-name" mapping.

When using the given credentials for direct AWS access it is hard, if not impossible, to trace which Teleport user performed the actions when analysing CloudTrail.

The suggestion is to improve the audit log to show which Teleport user has been given AWS credentials for which <role-session-name>.

What problem does this solve?

Makes CloudTrail audit easier for direct AWS requests with credentials obtained through Teleport. Makes it harder to perform a perceived user impersonation.

If a workaround exists, please include it.

N/A

webvictim commented 1 year ago

For context, AWS STS assume-role requests currently look like this in the application chunk recording:

  {
    "app_name": "awsconsole",
    "app_public_addr": "awsconsole.example.teleportdemo.com",
    "app_uri": "https://console.aws.amazon.com/ec2/v2/home",
    "aws_host": "sts.us-east-2.amazonaws.com",
    "aws_region": "us-east-2",
    "aws_service": "sts",
    "cluster_name": "example",
    "code": "T2009I",
    "ei": 9,
    "event": "app.session.request",
    "method": "POST",
    "path": "/",
    "raw_query": "",
    "status_code": 200,
    "time": "2023-03-23T20:21:08.884Z",
    "uid": "5708e2a4-ff38-4510-b4b6-587f35cd2efc"
  },

I think this request essentially comes down to tracking the payload that goes along with the POST request. We could special-case this for aws_service: sts, but I actually think it would be beneficial to allow users to track POST payloads for other AWS API requests as well.

Loath as I am to suggest that we add an option to app_service configuration to handle this, I think it would be great to specify which AWS services a user would like full POST payload tracking for, something like:

app_service:
  enabled: true
  apps:
  - name: "awsconsole"
    description: "AWS Console UI"
    uri: "https://console.aws.amazon.com/ec2/v2/home"
    labels:
      aws_account_id: "<id>"
    log_request_payloads:
    # allow optional use of "all" to log everything
    - all
    # otherwise allow services to be specified by name
    - sts
    - ssm
    - cloudformation

There is a similar issue for tracking Kubernetes POST/PUT payloads too: https://github.com/gravitational/teleport/issues/6774
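As an added illustration (not code from Teleport or from anyone in this thread), the Go below parses the form-encoded STS Query API body of the AssumeRole call that the app.session.request event above does not record, derives the "<role>/<session-name>" key that CloudTrail later shows in every assumed-role ARN, and resolves such an ARN back to the Teleport user recorded for that key. The sample body, user and ARN are constructed; how the event would actually store the mapping is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample body of the STS call "tsh aws sts assume-role" sends (not recorded today).
const sampleAssumeRoleBody = "Action=AssumeRole&Version=2011-06-15&RoleSessionName=my-session" +
	"&RoleArn=arn%3Aaws%3Aiam%3A%3A123456789012%3Arole%2FReadOnly"

// ParseAssumeRoleBody returns the "<role>/<session-name>" key an audit event would record next
// to the Teleport user; CloudTrail shows the same suffix in every assumed-role ARN using these credentials.
func ParseAssumeRoleBody(body string) (string, error) {
	q, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	if q.Get("Action") != "AssumeRole" {
		return "", fmt.Errorf("not an AssumeRole request: %q", q.Get("Action"))
	}
	arn, name := q.Get("RoleArn"), q.Get("RoleSessionName")
	// RoleArn looks like arn:aws:iam::<account>:role/<name>; keep only <name>.
	idx := strings.LastIndex(arn, ":role/")
	if idx < 0 || name == "" {
		return "", fmt.Errorf("missing RoleArn or RoleSessionName")
	}
	return arn[idx+len(":role/"):] + "/" + name, nil
}

// TeleportUserForCloudTrailArn resolves a CloudTrail userIdentity.arn of the form
// arn:aws:sts::<account>:assumed-role/<role>/<session> to the Teleport user recorded for that key.
func TeleportUserForCloudTrailArn(arn string, sessions map[string]string) (string, bool) {
	idx := strings.Index(arn, ":assumed-role/")
	if idx < 0 {
		return "", false
	}
	user, ok := sessions[arn[idx+len(":assumed-role/"):]]
	return user, ok
}

func main() {
	key, err := ParseAssumeRoleBody(sampleAssumeRoleBody)
	if err != nil {
		panic(err)
	}
	sessions := map[string]string{key: "alice@example.com"} // constructed session -> user mapping
	fmt.Println(TeleportUserForCloudTrailArn("arn:aws:sts::123456789012:assumed-role/ReadOnly/my-session", sessions))
}
```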