Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-53604

Include original aws iam arn in authenticate audit logs

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.9.0, 4.4.6
    • Affects Version/s: None
    • Component/s: None
    • None
    • Fully Compatible
    • Security 2021-02-22, Security 2021-03-08
    • 46

      In order to support assume-role, the the last part of the ARN is trimmed. The original ARN should be logged as an additional field of the audit message so users can identify which user logged in.

      Reported in https://feedback.mongodb.com/forums/924145-atlas/suggestions/42360172-more-information-in-aws-iam-audit-logs:

      We are using MongoDB-AWS for authentication, and have set up the audit log to log events taken by AWS roles. However, there is insufficient information in the logs to identify who is doing those actions, as roles can be assumed by multiple people.
      
      An example log line in the current audit log:
      { "atype" : "authenticate", "ts" : { "$date" : "2021-01-05T00:21:52.628+00:00" }, "local" : { "ip" : "192.168.248.203", "port" : 27017 }, "remote" : { "ip" : "172.31.0.5", "port" : 54195 }, "users" : [ { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external" } ], "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "clusterMonitor", "db" : "admin" }, { "role" : "backup", "db" : "admin" }, { "role" : "atlasAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "enableSharding", "db" : "admin" } ], "param" : { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external", "mechanism" : "MONGODB-AWS" }, "result" : 0 }
      
      The user is identified as "arn:aws:sts::555555555555:assumed-role/developer-role/*", but the true ARN of the user is more like "arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com", where the role session name carries identifying information.
      
      In order to make the audit logs more useful, since multiple entities can assume a role, the audit logs should contain the full role ARN with the session name or the UserID of the assumed role.
      
      At some point in the past, the logs contained the access key ID used to access the cluster, which could be correlated back to an individual user using Cloudtrail.
      

            Assignee:
            ben.caimano@mongodb.com Benjamin Caimano (Inactive)
            Reporter:
            mark.benvenuto@mongodb.com Mark Benvenuto
            Votes:
            1 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: