vikyol / aws-tags

Automatically inherit resource tags from IAM principals and AWS session tags.
MIT License

AssumeRoleWithSAML is not supported by CloudWatch Event Rules #1

Open vikyol opened 4 years ago

vikyol commented 4 years ago

I have a CloudWatch event rule for the sts:AssumeRole*, but AssumeRoleWithSAML is never triggered.

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "eventName": [
      "AssumeRoleWithSAML",
      "AssumeRole"
    ]
  },
  "source": [
    "aws.sts"
  ]
}

vikyol commented 4 years ago

"AssumeRoleWithSAML" is not currently supported by CloudWatch Events, but there is an existing feature request to add this functionality.

This work-around utilizes four services:
• CloudWatch log stream
• CloudTrail
• Lambda function to invoke an SNS topic
• SNS topic

To implement this, a CloudTrail needs to be created if there isn't an existing one that is capturing the event “AssumeRoleWithSAML”. Stream the trail to a CloudWatch log group.

Next, go to the CloudWatch console and in the logs section you’ll find the log group that is created by the CloudTrail. Click into it to ensure that API calls are being received (note that this can take a few minutes). Ensure that the event “AssumeRoleWithSAML” is being captured by filtering with { $.eventName = "AssumeRoleWithSAML" }. Create the following Lambda function and register it as the event target:

import boto3
import json
import base64
import gzip

def lambda_handler(event, context):
    client = boto3.client('sns')
    # CloudWatch Logs delivers the batch as base64-encoded, gzip-compressed JSON
    message_encoded = event['awslogs']['data']
    compressed_payload = base64.b64decode(message_encoded)
    uncompressed_payload = gzip.decompress(compressed_payload)
    payload = json.loads(uncompressed_payload)

    # Forward the decoded batch to SNS; 'default' is the body used for every protocol
    response = client.publish(
        TopicArn='',  # fill in the ARN of the SNS topic to notify
        Message=json.dumps({'default': json.dumps(payload)}),
        Subject='Assume Role with SAML detected',
        MessageStructure='json'
    )
    return response

mfarrokhnia commented 4 years ago

Any update on this case using CloudWatch event rules?

vikyol commented 4 years ago

@Mina69

I've not worked on this lately, but as far as I know this event is still not supported by CloudWatch Events.

When you create a subscription filter as a workaround, your Lambda function receives the event as a parameter. You should just extract the fields according to your needs, e.g. UserName = event["userIdentity"]["userName"]. You don't need to fetch subscription filters yourself.

This is the event handler in my implementation: https://github.com/erhanux/aws-tags/blob/master/lambda/saml_event_handler/saml_handler.py

AssumeRoleWithSaml test event: https://github.com/erhanux/aws-tags/blob/master/test/events/AssumeRoleWithSaml.json
Your event should be similar to this one.
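As an added example (not code from this issue or from the aws-tags repository), the following shows how a Lambda target of the subscription filter described above can decode the `awslogs` payload and pull the fields out of each AssumeRoleWithSAML record while ignoring other STS calls in the same batch. The CloudTrail records, log group name and principal values are constructed for the demonstration.

```python
import base64
import gzip
import json

# Constructed CloudTrail records in the shape a subscription filter on a
# CloudTrail log group delivers: one logEvent "message" per API call.
SAMPLE_RECORDS = [
    {"eventTime": "2021-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com",
                      "identityProvider": "idp.example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin"}},
    {"eventTime": "2021-01-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ReadOnly"}},
]

def build_awslogs_event(records):
    """Wrap records the way CloudWatch Logs hands them to Lambda (gzip, then base64)."""
    payload = {"logGroup": "CloudTrail/DefaultLogGroup",  # constructed name
               "logEvents": [{"id": str(i), "timestamp": 0, "message": json.dumps(r)}
                             for i, r in enumerate(records)]}
    blob = gzip.compress(json.dumps(payload).encode())
    return {"awslogs": {"data": base64.b64encode(blob).decode()}}

def decode_awslogs_event(event):
    """Undo the wrapping and return the CloudTrail records as dicts."""
    raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
    return [json.loads(e["message"]) for e in json.loads(raw)["logEvents"]]

def extract_saml_assumptions(records):
    """Keep only AssumeRoleWithSAML calls and pull the fields worth alerting on."""
    hits = []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != ("sts.amazonaws.com", "AssumeRoleWithSAML"):
            continue
        ident = r.get("userIdentity", {})
        hits.append({"time": r.get("eventTime"),
                     "user": ident.get("userName"),
                     "idp": ident.get("identityProvider"),
                     "role": r.get("requestParameters", {}).get("roleArn"),
                     "source_ip": r.get("sourceIPAddress")})
    return hits
```

A Lambda handler would call `decode_awslogs_event(event)` and publish only the non-empty result of `extract_saml_assumptions` to SNS, so a batch containing only plain AssumeRole calls produces no alert.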