This page is a machine translation of the English version; where the two differ, the English version is authoritative.
Track privileged tasks in AWS CloudTrail
The AWS Organizations management account, or a delegated administrator account for IAM, can use short-term root access to perform a limited set of root user tasks on member accounts. A short-term privileged session gives you temporary credentials so that you can take scoped privileged actions on member accounts in your organization. Use the following steps to identify the actions that the management account or delegated administrator took during an sts:AssumeRoot session.
Note
sts:AssumeRoot is not supported by the global endpoint. CloudTrail records the ConsoleLogin event in the Region specified for the endpoint.
To track the actions performed in a privileged session in your CloudTrail logs
-
Find the AssumeRoot event in the CloudTrail logs of the calling account. This event is generated when your management account or delegated IAM administrator obtains a set of short-term credentials from sts:AssumeRoot. In the following example, the AssumeRoot call is recorded in the eventName field, the target member account in requestParameters.targetPrincipal, the task policy that scopes the session in requestParameters.taskPolicyArn, and the temporary credentials issued for the session in responseElements.credentials.
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE:JohnRole1",
        "arn": "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
        "accountId": "111111111111",
        "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::111111111111:role/JohnDoe",
                "accountId": "111111111111",
                "userName": "Admin2"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2024-10-25T20:45:28Z",
                "mfaAuthenticated": "false"
            },
            "assumedRoot": "true"
        }
    },
    "eventTime": "2024-10-25T20:52:11Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoot",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.1",
    "requestParameters": {
        "targetPrincipal": "222222222222",
        "taskPolicyArn": {
            "arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
        }
    },
    "responseElements": {
        "credentials": {
            "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "sessionToken": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "expiration": "Oct 25, 2024, 9:07:11 PM"
        }
    }
}
For steps to access your CloudTrail logs, see Getting and viewing your CloudTrail log files in the AWS CloudTrail User Guide.
-
In the AssumeRoot event, note the targetPrincipal, which identifies the target member account in which the actions were performed, and the accessKeyId issued under responseElements.credentials, which is unique to that AssumeRoot session. Correlate on the credentials' accessKeyId, not on the caller's own key in userIdentity; in real logs the two differ, and the example below reuses one placeholder value for both only for brevity. In the following example, the targetPrincipal is 222222222222 and the session accessKeyId is ASIAIOSFODNN7EXAMPLE. The expiration, 9:07:11 PM, is exactly 900 seconds after the 20:52:11Z eventTime.
    "eventTime": "2024-10-25T20:52:11Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoot",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.1",
    "requestParameters": {
        "targetPrincipal": "222222222222",
        "taskPolicyArn": {
            "arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
        }
    },
    "responseElements": {
        "credentials": {
            "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "sessionToken": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "expiration": "Oct 25, 2024, 9:07:11 PM"
        }
    }
-
In the CloudTrail logs of the target principal (the member account's own trail, or an organization trail that collects events from member accounts), search for events whose userIdentity.accessKeyId matches the accessKeyId from the AssumeRoot event. Use the eventName field of each matching event to determine the privileged tasks performed during the AssumeRoot session; a single session can perform several. The maximum session duration for AssumeRoot is 900 seconds (15 minutes), so every event attributable to the session falls within 15 minutes of the AssumeRoot eventTime. Note that in the member account the actor appears simply as the account's Root identity (userIdentity.type is Root and the ARN is the member account's root ARN), with no reference to the management account or the role that called AssumeRoot: the accessKeyId is the link back to the originating session, and sessionContext.attributes.creationDate, which equals the AssumeRoot eventTime (20:52:11Z in the example), serves as a secondary check. In the following example, the management account or delegated administrator deleted the resource-based policy of an Amazon S3 bucket.
{
    "eventVersion": "1.10",
    "userIdentity": {
        "type": "Root",
        "principalId": "222222222222",
        "arn": "arn:aws:iam::222222222222:root",
        "accountId": "222222222222",
        "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "attributes": {
                "creationDate": "2024-10-25T20:52:11Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-10-25T20:53:47Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteBucketPolicy",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.1",
    "requestParameters": {
        "bucketName": "resource-policy-JohnDoe",
        "Host": "resource-policy-JohnDoe.s3.amazonaws.com",
        "policy": ""
    },
    "responseElements": null,
    "requestID": "1234567890abcdef0",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "readOnly": false,
    "resources": [
        {
            "accountId": "222222222222",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::resource-policy-JohnDoe"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "222222222222",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "resource-policy-JohnDoe.s3.amazonaws.com"
    }
}