How can I view and track account activity history for specific IAM users and roles?

Last updated: 2019-09-23

I want to view and monitor account activity for AWS Identity and Access Management (IAM) identities.

Resolution

Use AWS CloudTrail event history, Amazon CloudWatch queries, or Amazon Athena queries to access account activity history for IAM users and roles.

CloudTrail event history

You can use CloudTrail to search event history for the last 90 days.

1.    Open the CloudTrail console, and choose Event history.

2.    In Filter, select the drop-down menu, and choose User name.
Note: You can also filter by AWS access key.

3.    In the Enter user or role name text box, enter the user name.

4.    In Time range, enter the desired time range, and then choose Apply.

5.    In Event time, expand the event, and then choose View event.

The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used.

The following is an example userIdentity element with IAM user credentials used to make an API call:

Note: Replace Alice with the user name that you're searching for.

"userIdentity": {
  "type": "IAMUser",
  "principalId": "AIDAJ45Q7YFFAREXAMPLE",
  "arn": "arn:aws:iam::123456789012:user/Alice",
  "accountId": "123456789012",
  "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "userName": "Alice"
}

The following is an example userIdentity element with temporary security credentials:

"userIdentity": {
  "type": "AssumedRole",
  "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
  "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
  "accountId": "123456789012",
  "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "sessionContext": {
    "attributes": {
      "mfaAuthenticated": "false",
      "creationDate": "20131102T010628Z"
    },
    "sessionIssuer": {
      "type": "Role",
      "principalId": "AROAIDPPEZS35WEXAMPLE",
      "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
      "accountId": "123456789012",
      "userName": "RoleToBeAssumed"
    }
  }
}

The API call uses temporary security credentials obtained by assuming an IAM role. The sessionIssuer element identifies the role that was assumed to obtain those credentials, and the attributes element records whether the session was MFA-authenticated and when it was created.

Note: If you don't see user activity, verify that the AWS service is supported and recorded by CloudTrail. For more information, see AWS Service Topics for CloudTrail.

CloudWatch query

You can use CloudWatch queries to search API history beyond the last 90 days.

Note: You must have a trail enabled to log to an S3 bucket.

1.    Open the CloudWatch console, and then choose Logs.

2.    In Log Groups, choose your log group.

3.    Choose Search Log Group.

4.    In Filter events, enter a query similar to the following to search logs for a user's API calls, and then choose the refresh icon.

{ $.userIdentity.userName = "Alice" }

You can also query for specific API actions. This example query searches for DescribeInstances calls made by Alice (the caller is matched on userIdentity.userName, the same field as in the previous pattern):

{ ($.eventName = "DescribeInstances") && ($.userIdentity.userName = "Alice") }

Athena query

You can use Athena to query CloudTrail logs over the last 90 days.

1.    Open the Athena console, and then choose Query Editor.

2.    Enter the following example query to return all CloudTrail events performed by IAM user Alice, and then choose Run query.

Note: Replace athena-table with your Athena table name.

The following example query returns all CloudTrail events performed by IAM user Alice:

SELECT *
FROM athena-table
WHERE useridentity.type = 'IAMUser'
AND useridentity.username LIKE 'Alice';

3.    Enter the following example query to filter all the API activity performed by an IAM role, and then choose Run query.

Note: Replace role-name with your IAM role name.

SELECT *
FROM athena-table
WHERE useridentity.sessionContext.sessionissuer.arn LIKE '%role-name%'
AND useridentity.sessionContext.sessionissuer.type = 'Role';

4.    Enter the following example query to match the role ARN, and then choose Run query.

SELECT *
FROM athena-table
WHERE useridentity.sessionContext.sessionissuer.arn = 'arn:aws:iam::account-id123456789:role/role-name'
AND useridentity.sessionContext.sessionissuer.type = 'Role';

5.    Enter the following example query to filter for all activity using the IAM access key ID, and then choose Run query.

SELECT eventTime, eventName, userIdentity.principalId, eventSource
FROM athena-table
WHERE useridentity.accesskeyid LIKE 'AKIAIOSFODNN7EXAMPLE';
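As an added example (not part of the article or of any AWS tooling), the following Python script applies the same filters as the Athena queries above directly to CloudTrail log records, using the userIdentity structure described earlier for IAM users and assumed roles. The log content, the Bob user and the ASIAEXAMPLETEMPKEY key are constructed sample values.

```python
import json

# Constructed CloudTrail log content (assumption: same shape as the userIdentity examples in the article).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-09-20T10:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAJ45Q7YFFAREXAMPLE", "userName": "Alice",
                      "arn": "arn:aws:iam::123456789012:user/Alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2019-09-20T10:05:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAIDPPEZS35WEXAMPLE:MySessionName",
                      "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
                      "accessKeyId": "ASIAEXAMPLETEMPKEY",  # constructed temporary key id
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false", "creationDate": "2019-09-20T09:59:00Z"},
                                         "sessionIssuer": {"type": "Role", "principalId": "AROAIDPPEZS35WEXAMPLE",
                                                           "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
                                                           "userName": "RoleToBeAssumed"}}}},
    {"eventTime": "2019-09-20T10:07:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB", "userName": "Bob",
                      "arn": "arn:aws:iam::123456789012:user/Bob", "accessKeyId": "AKIAEXAMPLEBOBKEY"}},
]})

def load_records(log_text):
    """A CloudTrail log file is a JSON object whose 'Records' array holds one event per entry."""
    return json.loads(log_text)["Records"]

def issuing_role_arn(record):
    """For AssumedRole events the role lives under sessionContext.sessionIssuer, not in the top-level arn."""
    ui = record["userIdentity"]
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") if ui.get("type") == "AssumedRole" and issuer.get("type") == "Role" else None

def events_for_user(records, user_name):
    """Equivalent of the IAMUser query: type = 'IAMUser' and userName matches exactly."""
    return [r for r in records if r["userIdentity"].get("type") == "IAMUser" and r["userIdentity"].get("userName") == user_name]

def events_for_role(records, role_name):
    """Equivalent of the role query: match on the issuing role's ARN, so every session name is included."""
    return [r for r in records if (issuing_role_arn(r) or "").endswith(":role/" + role_name)]

def events_for_access_key(records, key_id):
    """Equivalent of the access-key query; temporary (ASIA...) keys are matched the same way as user keys."""
    return [r for r in records if r["userIdentity"].get("accessKeyId") == key_id]

def role_sessions_without_mfa(records):
    """Role sessions whose sessionContext.attributes.mfaAuthenticated is 'false'; a useful triage filter."""
    return [r for r in records if issuing_role_arn(r)
            and r["userIdentity"]["sessionContext"]["attributes"].get("mfaAuthenticated") == "false"]

def summarize(records):
    """Same columns as the last Athena query: eventTime, eventName, principalId, eventSource."""
    return [(r["eventTime"], r["eventName"], r["userIdentity"]["principalId"], r["eventSource"]) for r in records]
```

Point load_records at the decompressed contents of a CloudTrail log file from the trail's S3 bucket to run the same filters over real records.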