Open vnkr-teleport opened 1 year ago
For context, AWS STS assume-role requests currently look like this in the application chunk recording:
{
  "app_name": "awsconsole",
  "app_public_addr": "awsconsole.example.teleportdemo.com",
  "app_uri": "https://console.aws.amazon.com/ec2/v2/home",
  "aws_host": "sts.us-east-2.amazonaws.com",
  "aws_region": "us-east-2",
  "aws_service": "sts",
  "cluster_name": "example",
  "code": "T2009I",
  "ei": 9,
  "event": "app.session.request",
  "method": "POST",
  "path": "/",
  "raw_query": "",
  "status_code": 200,
  "time": "2023-03-23T20:21:08.884Z",
  "uid": "5708e2a4-ff38-4510-b4b6-587f35cd2efc"
}
I think this request essentially comes down to tracking the payload that goes along with the POST request. We could special-case this for aws_service: sts, but I actually think it would be beneficial to allow users to track POST payloads for other AWS API requests as well.
Loath as I am to suggest that we add an option to app_service configuration to handle this, I think it would be great to specify which AWS services a user would like full POST payload tracking for, something like:
app_service:
  enabled: true
  apps:
  - name: "awsconsole"
    description: "AWS Console UI"
    uri: "https://console.aws.amazon.com/ec2/v2/home"
    labels:
      aws_account_id: "<id>"
    log_request_payloads:
      # allow optional use of "all" to log everything
      - all
      # otherwise allow services to be specified by name
      - sts
      - ssm
      - cloudformation
There is a similar issue for tracking Kubernetes POST/PUT payloads too: https://github.com/gravitational/teleport/issues/6774
What would you like Teleport to do?
When getting AWS credentials through App Access with
tsh aws sts assume-role --role-arn <role-arn> --role-session-name <role-session-name>
the <role-session-name> can be any value, and the audit log does not contain the "user requesting credentials" to "role-session-name" mapping. When using the given credentials for direct AWS access it is hard, if not impossible, to trace which Teleport user performed the actions when analysing CloudTrail.
The suggestion is to improve the audit log to show which Teleport user has been given AWS credentials for which <role-session-name>.
What problem does this solve?
Makes CloudTrail audit easier for direct AWS requests with credentials obtained through Teleport. Makes it harder to perform a perceived user impersonation.
If a workaround exists, please include it.
N/A
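The following Python is an added illustration written for this page; it is not Teleport's code and was not posted by either participant. It covers both the maintainer's comment above (a per-app list of AWS services whose POST payloads get recorded, with "all" as a wildcard) and the issue's request (recording which Teleport user obtained credentials for which role-session-name so CloudTrail can be traced back to a person). It assumes that the app.session.request event carries a `user` field, which the excerpt in the thread does not show, that the captured body for STS is the Query-API form body (`Action=AssumeRole&RoleArn=...&RoleSessionName=...`), and that CloudTrail records assumed-role activity under `userIdentity.arn` of the form `arn:aws:sts::<account>:assumed-role/<role>/<session>`. The `log_request_payloads` setting, the enriched field names and all sample events and CloudTrail records are constructed for the demo. Because the session name is caller-chosen, two users can pick the same one; the correlation flags that case as ambiguous rather than guessing.

```python
# Added example, not Teleport's code: enrich an App Access audit event with the
# STS AssumeRole payload and correlate CloudTrail records back to a Teleport user.
from datetime import datetime, timedelta
from urllib.parse import parse_qs


def should_log_payload(log_request_payloads, aws_service):
    """Hypothetical setting modelled on the log_request_payloads proposal."""
    wanted = {s.lower() for s in log_request_payloads}
    return "all" in wanted or aws_service.lower() in wanted


def parse_sts_assume_role(body):
    """RoleArn/RoleSessionName from an STS Query-API form body, else None."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("Action") != "AssumeRole":
        return None
    if "RoleArn" not in params or "RoleSessionName" not in params:
        return None  # both fields are required by the API; treat as malformed
    return {"role_arn": params["RoleArn"],
            "role_session_name": params["RoleSessionName"]}


def enrich_event(event, body, log_request_payloads):
    """Copy of an app.session.request event with the POST body attached when the
    service is opted in, plus parsed assume-role fields when the service is STS."""
    out = dict(event)
    if event.get("method") != "POST" or not should_log_payload(
            log_request_payloads, event.get("aws_service", "")):
        return out
    out["request_body"] = body
    if event.get("aws_service") == "sts":
        out.update(parse_sts_assume_role(body) or {})
    return out


def session_name_from_cloudtrail(record):
    """CloudTrail names an assumed role arn:aws:sts::<acct>:assumed-role/<role>/<session>."""
    arn = record.get("userIdentity", {}).get("arn", "")
    if ":assumed-role/" not in arn:
        return None
    tail = arn.split(":assumed-role/", 1)[1]
    return tail.split("/", 1)[1] if "/" in tail else None


def _ts(s):  # Teleport and CloudTrail both use RFC 3339 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def attribute_cloudtrail(records, enriched_events, max_age=timedelta(hours=12)):
    """Map each CloudTrail record to the Teleport user that obtained credentials
    for its session name within max_age. RoleSessionName is caller-chosen, so two
    users may pick the same value; such records are flagged ambiguous, not guessed."""
    issued = [e for e in enriched_events if "role_session_name" in e]
    results = []
    for rec in records:
        session = session_name_from_cloudtrail(rec)
        when = _ts(rec["eventTime"])
        users = sorted({e["user"] for e in issued
                        if e["role_session_name"] == session
                        and when - max_age <= _ts(e["time"]) <= when})
        results.append({"eventName": rec.get("eventName"),
                        "role_session_name": session,
                        "teleport_user": users[0] if len(users) == 1 else None,
                        "ambiguous": len(users) > 1, "candidates": users})
    return results


# Constructed sample data. The "user" field is assumed to exist on the real
# event; the excerpt in the issue does not show it.
ASSUME_BODY = ("Action=AssumeRole&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A"
               "123456789012%3Arole%2FReadOnly&RoleSessionName=ops")
SAMPLE_CONFIG = ["sts"]
SAMPLE_EVENTS = [  # (event, captured POST body); bob reuses alice's session name
    ({"event": "app.session.request", "user": "alice", "aws_service": "sts",
      "method": "POST", "time": "2023-03-23T20:21:08.884Z"}, ASSUME_BODY),
    ({"event": "app.session.request", "user": "bob", "aws_service": "sts",
      "method": "POST", "time": "2023-03-23T20:30:00.000Z"}, ASSUME_BODY),
    ({"event": "app.session.request", "user": "carol", "aws_service": "ssm",
      "method": "POST", "time": "2023-03-23T20:32:00.000Z"},
     '{"Name": "/demo/param"}'),  # ssm is not opted in, so body is not kept
]
SAMPLE_CLOUDTRAIL = [
    {"eventName": "DescribeInstances", "eventTime": "2023-03-23T20:25:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ops"}},
    {"eventName": "ListBuckets", "eventTime": "2023-03-23T20:35:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ops"}},
    {"eventName": "GetUser", "eventTime": "2023-03-23T20:36:00Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/dave"}},
]


def run_demo():
    enriched = [enrich_event(ev, body, SAMPLE_CONFIG) for ev, body in SAMPLE_EVENTS]
    return attribute_cloudtrail(SAMPLE_CLOUDTRAIL, enriched)
```

In the sample, the first CloudTrail record falls after only alice's assume-role and resolves to her; the second falls after both alice's and bob's use of the same session name and is reported as ambiguous with both candidates; the IAM-user record has no assumed-role ARN and is left unattributed. The window in `attribute_cloudtrail` should match the maximum session duration the roles actually allow.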