Core Server / SERVER-53604

Include original AWS IAM ARN in authenticate audit logs


    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.9.0, 4.4.6
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Sprint: Security 2021-02-22, Security 2021-03-08
    • Case:
    • Linked BF Score: 46

      Description

      To support assume-role, the last part of the ARN (the role session name) is trimmed before the identity is used. The original, untrimmed ARN should be logged as an additional field of the audit message so that users can identify which principal actually logged in.

      Reported in https://feedback.mongodb.com/forums/924145-atlas/suggestions/42360172-more-information-in-aws-iam-audit-logs:

      We are using MongoDB-AWS for authentication, and have set up the audit log to log events taken by AWS roles. However, there is insufficient information in the logs to identify who is doing those actions, as roles can be assumed by multiple people.
       
      An example log line in the current audit log:
      { "atype" : "authenticate", "ts" : { "$date" : "2021-01-05T00:21:52.628+00:00" }, "local" : { "ip" : "192.168.248.203", "port" : 27017 }, "remote" : { "ip" : "172.31.0.5", "port" : 54195 }, "users" : [ { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external" } ], "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "clusterMonitor", "db" : "admin" }, { "role" : "backup", "db" : "admin" }, { "role" : "atlasAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "enableSharding", "db" : "admin" } ], "param" : { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external", "mechanism" : "MONGODB-AWS" }, "result" : 0 }
       
      The user is identified as "arn:aws:sts::555555555555:assumed-role/developer-role/*", but the true ARN of the user is more like "arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com", where the role session name carries identifying information.
       
      In order to make the audit logs more useful, since multiple entities can assume a role, the audit logs should contain the full role ARN with the session name or the UserID of the assumed role.
       
      At some point in the past, the logs contained the access key ID used to access the cluster, which could be correlated back to an individual user using CloudTrail.
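The following is an added illustration of the behaviour the ticket describes, written for this page; it is not MongoDB server code. It splits an STS assumed-role ARN into the role-level identity (session name trimmed, the form that appears as "user" in the audit line above) and the session name, then shows how an authenticate audit record can carry the untrimmed ARN so that the session name is recoverable afterwards. The field name `originalArn`, the `AwsIdentity` helper, and the sample audit line (adapted from the ticket's example with the role list shortened) are all assumptions made here, not the server's actual schema.

```python
"""ARN trimming for MONGODB-AWS assume-role identities, and an audit record
that keeps the original ARN.  Added example, not MongoDB server code; the
"originalArn" field name is an assumption, not the server's schema."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ASSUMED_ROLE_PREFIX = "assumed-role/"


@dataclass(frozen=True)
class AwsIdentity:
    original_arn: str            # exactly what STS returned, session name included
    trimmed_arn: str             # role-level identity, session name removed
    session_name: Optional[str]  # None for IAM users or already-trimmed ARNs


def trim_assumed_role_arn(arn: str) -> AwsIdentity:
    """Split an STS assumed-role ARN into the role-level identity and the session name.

    Shape: arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
    IAM user ARNs (arn:aws:iam::<account>:user/<name>) carry no session and pass through.
    AWS session names cannot contain "/" or ":", so a single partition is sufficient.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn!r}")
    resource = parts[5]
    if not resource.startswith(ASSUMED_ROLE_PREFIX):
        return AwsIdentity(arn, arn, None)
    role_name, _, session_name = resource[len(ASSUMED_ROLE_PREFIX):].partition("/")
    if not role_name:
        raise ValueError(f"assumed-role ARN without a role name: {arn!r}")
    trimmed = ":".join(parts[:5] + [f"{ASSUMED_ROLE_PREFIX}{role_name}/"])
    return AwsIdentity(arn, trimmed, session_name or None)


def annotate_authenticate_event(line: str, original_arn: str) -> dict:
    """Parse one JSON audit line and add the untrimmed ARN to its "param" document.

    The event is only annotated when its trimmed user matches the supplied ARN,
    so an original ARN can never be attached to somebody else's record.
    """
    event = json.loads(line)
    if event.get("atype") != "authenticate":
        raise ValueError("not an authenticate event")
    ident = trim_assumed_role_arn(original_arn)
    param = event["param"]
    if param.get("mechanism") != "MONGODB-AWS" or param.get("user") != ident.trimmed_arn:
        raise ValueError("audit event does not match the supplied ARN")
    param["originalArn"] = ident.original_arn  # assumed field name
    return event


def session_names(events: List[dict]) -> Dict[str, Set[str]]:
    """Map each role-level user to the session names that successfully authenticated as it.

    This is the question the ticket raises: given a role that several people can
    assume, which session names (people) actually logged in?
    """
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.get("result") != 0:  # non-zero result means the authentication failed
            continue
        param = ev["param"]
        ident = trim_assumed_role_arn(param.get("originalArn", param["user"]))
        if ident.session_name:
            seen.setdefault(ident.trimmed_arn, set()).add(ident.session_name)
    return seen


# Constructed sample, adapted from the ticket's example line with the role list shortened.
SAMPLE_LINE = ('{ "atype" : "authenticate", "ts" : { "$date" : "2021-01-05T00:21:52.628+00:00" }, '
               '"local" : { "ip" : "192.168.248.203", "port" : 27017 }, '
               '"remote" : { "ip" : "172.31.0.5", "port" : 54195 }, '
               '"users" : [ { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external" } ], '
               '"roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" } ], '
               '"param" : { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", '
               '"db" : "$external", "mechanism" : "MONGODB-AWS" }, "result" : 0 }')

if __name__ == "__main__":
    full_arn = "arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com"
    annotated = annotate_authenticate_event(SAMPLE_LINE, full_arn)
    print(json.dumps(annotated["param"], indent=2))
    print(session_names([annotated]))
```

The consistency check in `annotate_authenticate_event` is the part worth keeping in any real implementation: the trimmed form is what authorization acts on, so the extra field must be derived from the same credential that produced it, not looked up separately.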
      

              People

              Assignee:
              ben.caimano Benjamin Caimano (Inactive)
              Reporter:
              mark.benvenuto Mark Benvenuto