Now easily identify the identity responsible for the actions performed using IAM roles

Posted on: Apr 21, 2020

AWS Identity and Access Management (IAM) now makes it easier to identify who is responsible for an AWS action performed by an IAM role when viewing AWS CloudTrail logs. Adding the new service-specific condition key, sts:RoleSessionName, to an IAM policy lets you define the role session name that must be set when an IAM principal (user or role) or application assumes the IAM role. AWS records the role session name in the AWS CloudTrail log entry for each action the IAM role performs, making it easy to determine who performed the action.

For example, suppose you store product-pricing data in an Amazon DynamoDB table in your AWS account and want to grant your marketing partners, who work from a different AWS account within the company, access to the product-pricing data. To achieve this, you can dedicate an IAM role in your AWS account that your marketing partners assume to access the pricing data. You can then use the sts:RoleSessionName condition in the trust policy of that IAM role to ensure that your marketing partners set their AWS username as their role session name when they assume the role. The AWS CloudTrail log will capture the activities performed through the IAM role and record the marketing partner's AWS username as the role session name. The AWS username appears in the ARN of the assumed role when you view your AWS CloudTrail logs, so you can now easily identify which actions a specific marketing partner performed in your AWS account.
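The scenario above in code, as an added Python example that is not part of the announcement: a trust policy that requires the session name to equal the caller's IAM username via the `${aws:username}` policy variable, and a small parser that pulls the role and session name back out of CloudTrail records. The account IDs, the role name `PricingReadOnly`, the session names and the CloudTrail records are constructed placeholders.

```python
import re

PARTNER_ACCOUNT_ID = "111122223333"  # constructed placeholder for the partner account

# Trust policy for the role in the data-owning account: only principals from the
# partner account may assume it, and only if they set their own IAM username
# (the ${aws:username} policy variable) as the role session name.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:RoleSessionName": "${aws:username}"}},
    }],
}

# In CloudTrail, userIdentity.arn for an assumed role has the form
# arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def session_identity(event: dict):
    """Return (role_name, role_session_name) for an AssumedRole event, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = ASSUMED_ROLE_RE.match(ident.get("arn", ""))
    return (match.group(2), match.group(3)) if match else None


def actions_by_session(events):
    """Group CloudTrail eventNames by role session name, i.e. by partner username."""
    grouped = {}
    for event in events:
        identity = session_identity(event)
        if identity is None:
            continue
        grouped.setdefault(identity[1], []).append(event["eventName"])
    return grouped


# Constructed, abridged CloudTrail records for actions taken through the role.
SAMPLE_EVENTS = [
    {"eventName": "GetItem", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/PricingReadOnly/alice"}},
    {"eventName": "Query", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/PricingReadOnly/bob"}},
    {"eventName": "Scan", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/PricingReadOnly/alice"}},
    {"eventName": "ListTables", "userIdentity": {"type": "IAMUser",
     "arn": "arn:aws:iam::123456789012:user/admin"}},
]
```

Because the trust policy pins the session name to the caller's username, the keys of `actions_by_session(SAMPLE_EVENTS)` are exactly the partner usernames, which is what makes the CloudTrail attribution reliable.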

To learn more about the new condition, sts:RoleSessionName, visit the IAM Documentation.