Identifying the Federated User | AWS SCS-C01 Exam Question
Question
A company has used SAML 2.0 to configure the identity federation with AWS.
Users can enable the federated single sign-on (SSO) to login to the AWS Management Console or call the AWS API operations. A SAML federated user terminated an EC2 instance in production yesterday.
You need to find out who did this. Which of the following options can help you quickly identify the federated user?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: B.
Option A is incorrect because CloudWatch Event rules may not be configured or enabled.
Hence they would not show any log or record for the AssumeRoleWithSAML event.
Option B is CORRECT because you can use CloudTrail event logs to find the assumed IAM role in the TerminateInstances event and then check the AssumeRoleWithSAML event that assumed the IAM role.
Option C is incorrect because the event to be searched should be AssumeRoleWithSAML instead of AssumeRole.
Option D is incorrect because you may get the federated role name with the last activity time.
However, you still need to find out which federated user assumed the role and performed the action.
Reference:
https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/.The correct answer is B: Search the CloudTrail event logs for the TerminateInstances event and Identify the assumed IAM role name. Search the AssumeRoleWithSAML event that includes the IAM role.
Here's why:
SAML 2.0 is a standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP). In the AWS context, SAML is used for federated access to AWS services.
When a user logs in to the AWS Management Console or calls AWS API operations, AWS creates a temporary set of credentials based on the SAML assertion provided by the IdP. These temporary credentials include an IAM role that the user is assumed to have.
In this scenario, a SAML federated user terminated an EC2 instance in production. To find out who did this, you need to trace the event back to the user's IAM role.
Option A suggests checking the CloudWatch Events for the EC2 instance, searching for the EC2 instance state change events, and checking the userIdentity field. This is not the best approach because the userIdentity field only contains the AWS account ID, not the identity of the user who made the change.
Option C suggests checking the CloudTrail logs in S3 for the TerminateInstances event and identifying the role session name. This is not the best approach because the role session name is not necessarily unique to a particular user, and it may be reused by different users over time.
Option D suggests checking the last activity time for each SAML 2.0 federation role in AWS IAM roles. This is not the best approach because it assumes that the user who terminated the EC2 instance used the same role for all their actions, which may not be the case.
Option B is the best approach because it involves searching the CloudTrail event logs for the TerminateInstances event and identifying the assumed IAM role name. This can be done by searching for the AssumeRoleWithSAML event that includes the IAM role. Once you have identified the IAM role, you can look up the user who is assumed to have that role and investigate further.
In summary, to quickly identify the federated user who terminated an EC2 instance in production, you should search the CloudTrail event logs for the TerminateInstances event and identify the assumed IAM role name by searching for the AssumeRoleWithSAML event that includes the IAM role.
