Your company has developed a suite of business analytics services as a SaaS application used by hundreds of customers worldwide.
Recently there has been an acquisition of a product, and the management has decided to integrate the product with the main service.
The product also runs on the AWS platform.
The initial phase required the product software to use some private resources of the main SaaS service.
Correct Answers: A and D.
Option A is CORRECT because the request is made from the product's AWS account while the resource belongs to the main AWS account.
The auditor will have to check the log trails of both accounts and match the token that was used.
Option B is INCORRECT because the SaaS application's CloudTrail logs will not reveal the user identity.
The cross-account role issues a token, and all the further interaction is logged with that token.
To know which user the token belongs to, the auditor will have to look into the product account's log trail as well.
Option C is INCORRECT because the DeleteBucket will not have the user identity information.
The log will have the user token information only, as the API was invoked with a cross-account role.
Option D is CORRECT because, at the time the role in the main AWS account was assumed, the product team's AWS account must have logged an entry with the sharedEventId and the userIdentity information.
The sharedEventId helps to identify the real user, and the userIdentity provides the IAM ARN that performed the action.
These two can help to find who has executed the DeleteBucket API.
See the references at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/shared-event-ID.html and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html.
Option E is INCORRECT because the userIdentity of the original caller is only available in the product team's AWS account, in the record of the AssumeRole operation.
The sharedEventId, however, is present in both accounts' log trails.
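The correlation described above (join the two accounts' trails on the shared event ID and the session token, then read the original caller's userIdentity from the product account's AssumeRole record) as an added, runnable example; it is not code from the original page. The CloudTrail records are constructed and simplified, the account IDs, role, user and bucket names are invented, and the match is done on the temporary access key ID returned by AssumeRole (the "token" the explanation refers to); in real records the field is spelled sharedEventID.

```python
# Constructed, simplified CloudTrail records (not real log data).
# Product account 111111111111 logs the AssumeRole made by its IAM user; the SaaS
# account 222222222222 logs the same AssumeRole under the same sharedEventID and
# then the DeleteBucket performed with the temporary credentials it returned.
PRODUCT_ACCOUNT_TRAIL = [
    {"eventName": "AssumeRole", "recipientAccountId": "111111111111",
     "sharedEventID": "shared-0001",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0001"}}},
]
SAAS_ACCOUNT_TRAIL = [
    {"eventName": "AssumeRole", "recipientAccountId": "222222222222",
     "sharedEventID": "shared-0001",
     "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0001"}}},
    {"eventName": "DeleteBucket", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0001",
                      "arn": "arn:aws:sts::222222222222:assumed-role/ProductIntegrationRole/s1"},
     "requestParameters": {"bucketName": "saas-private-data"}},
]


def attribute_events(saas_trail, product_trail, event_name="DeleteBucket"):
    """Trace each event_name record in the SaaS trail back to the IAM principal
    in the product account that assumed the cross-account role."""
    # Product account: AssumeRole records keyed by sharedEventID (the original caller is here).
    product_assumes = {r["sharedEventID"]: r for r in product_trail
                       if r["eventName"] == "AssumeRole" and "sharedEventID" in r}
    # SaaS account: AssumeRole records keyed by the temporary access key they issued.
    saas_assumes = {r["responseElements"]["credentials"]["accessKeyId"]: r
                    for r in saas_trail if r["eventName"] == "AssumeRole"}
    results = []
    for ev in saas_trail:
        if ev["eventName"] != event_name:
            continue
        ident = ev["userIdentity"]
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if ident.get("type") != "AssumedRole":
            # Direct call by a principal of the SaaS account: the ARN is already the actor.
            results.append({"bucket": bucket, "session": None, "sharedEventID": None,
                            "actor": ident.get("arn")})
            continue
        shared = saas_assumes.get(ident.get("accessKeyId"), {}).get("sharedEventID")
        origin = product_assumes.get(shared)  # None if the product trail is missing
        results.append({"bucket": bucket, "session": ident.get("arn"), "sharedEventID": shared,
                        "actor": origin["userIdentity"]["arn"] if origin else None})
    return results
```

Without the product account's trail the session ARN and shared event ID are still recovered, but `actor` stays `None`, which is exactly why option B and option C are insufficient on their own.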
Based on the information provided, it seems that there was an attempt to access private resources of the main SaaS service from the product software running on AWS. To investigate this issue, the auditing team can use AWS CloudTrail, which is a service that provides a record of actions taken by a user, role, or an AWS service in your AWS account.
Option A suggests that the auditing team will need the CloudTrail log details of both the SaaS and the product AWS accounts, as the call was made from the product application's AWS account. While this might provide some information about the call made, it does not specifically address the need to find the details about the private resources accessed.
Option B suggests that the auditing team can find the details only from the SaaS application's AWS account as the bucket was part of that account. However, this option assumes that the private resources accessed were stored in a bucket, which may not necessarily be the case.
Option C suggests that the auditing team should look for the DeleteBucket API record in the SaaS application's AWS account CloudTrail logs. While this option may provide some information about the bucket that was deleted, it does not address the fact that the private resources were accessed.
Option D suggests that the auditing team should look for the sharedEventId and the userIdentity for the DeleteBucket API event in both AWS accounts. This option seems to be more relevant as it addresses the need to find the details about the private resources accessed. By looking at the sharedEventId and userIdentity, the auditing team can determine the user or role that was responsible for the action and identify the specific private resources accessed.
Option E suggests that the auditing team should look for the sharedEventId and the userIdentity for the AssumeRole API event in both AWS accounts. This option may not be relevant as it assumes that the action was performed using an assumed role, which may not necessarily be the case.
In conclusion, Option D seems to be the most appropriate answer, as it addresses the need to find the details about the private resources accessed by looking for the sharedEventId and userIdentity for the DeleteBucket API event in both AWS accounts.