[SERVER-53604] Include original aws iam arn in authenticate audit logs Created: 06/Jan/21  Updated: 29/Oct/23  Resolved: 05/Mar/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.6

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Benjamin Caimano (Inactive)
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related: is related to SERVER-12765 Audit username for x.509 cluster auth... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2021-02-22, Security 2021-03-08
Linked BF Score: 46

 Description   

In order to support assume-role, the last part of the ARN is trimmed. The original ARN should be logged as an additional field of the audit message so users can identify which user logged in.

Reported in https://feedback.mongodb.com/forums/924145-atlas/suggestions/42360172-more-information-in-aws-iam-audit-logs:

We are using MongoDB-AWS for authentication, and have set up the audit log to log events taken by AWS roles. However, there is insufficient information in the logs to identify who is doing those actions, as roles can be assumed by multiple people.
 
An example log line in the current audit log:
{ "atype" : "authenticate", "ts" : { "$date" : "2021-01-05T00:21:52.628+00:00" }, "local" : { "ip" : "192.168.248.203", "port" : 27017 }, "remote" : { "ip" : "172.31.0.5", "port" : 54195 }, "users" : [ { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external" } ], "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "clusterMonitor", "db" : "admin" }, { "role" : "backup", "db" : "admin" }, { "role" : "atlasAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "enableSharding", "db" : "admin" } ], "param" : { "user" : "arn:aws:sts::555555555555:assumed-role/developer-role/", "db" : "$external", "mechanism" : "MONGODB-AWS" }, "result" : 0 }
 
The user is identified as "arn:aws:sts::555555555555:assumed-role/developer-role/*", but the true ARN of the user is more like "arn:aws:sts::555555555555:assumed-role/developer-role/first.last@company.com", where the role session name carries identifying information.
 
In order to make the audit logs more useful, since multiple entities can assume a role, the audit logs should contain the full role ARN with the session name or the UserID of the assumed role.
 
At some point in the past, the logs contained the access key ID used to access the cluster, which could be correlated back to an individual user using Cloudtrail.
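As an added example (not MongoDB's code), the trimming the description refers to, modelled in Python, together with an audit record that keeps the untrimmed ARN next to the trimmed user and a check that tells attributable records from unattributable ones; the field name `originalArn` and the trailing-slash form of the trimmed ARN are assumptions taken from the ticket text, not the shipped implementation.

```python
# Added example (not MongoDB's code): the assume-role ARN trimming that
# SERVER-53604 describes, and an audit record that also keeps the full ARN.
import re
from typing import Optional

# STS assumed-role ARN: arn:aws:sts::<account>:assumed-role/<role>/<session-name>
_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.*)$")

# Hypothetical name for the additional audit field the ticket asks for.
ORIGINAL_ARN_FIELD = "originalArn"


def trim_assumed_role_arn(arn: str) -> str:
    """Identity used for authorization: the role-session name is dropped, so every
    principal that assumed the role maps to one $external user. The trailing-slash
    form copies the log line quoted in the ticket; other ARNs are left as-is."""
    m = _ASSUMED_ROLE.match(arn)
    if m is None:
        return arn
    return f"arn:aws:sts::{m['account']}:assumed-role/{m['role']}/"


def session_name(arn: str) -> Optional[str]:
    """The role-session name: the only part that says who assumed the role."""
    m = _ASSUMED_ROLE.match(arn)
    return m["session"] if m and m["session"] else None


def authenticate_event(original_arn: str, result: int = 0) -> dict:
    """Build an 'authenticate' audit record carrying both the trimmed user (what
    the log showed before the fix) and the untrimmed ARN (what the fix adds)."""
    user = trim_assumed_role_arn(original_arn)
    return {"atype": "authenticate",
            "users": [{"user": user, "db": "$external"}],
            "param": {"user": user, "db": "$external", "mechanism": "MONGODB-AWS",
                      ORIGINAL_ARN_FIELD: original_arn},
            "result": result}


def attribute(event: dict) -> tuple:
    """(identity, attributable): a trimmed assumed-role user with no original ARN
    cannot be tied to an individual, which is the gap the ticket reports."""
    param = event.get("param", {})
    full = param.get(ORIGINAL_ARN_FIELD)
    if full and session_name(full):
        return full, True
    user = param.get("user", "")
    return user, _ASSUMED_ROLE.match(user) is None
```

Running `attribute` over a pre-fix record like the one quoted above returns the trimmed role ARN with `False`, which is the condition a log review should flag.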



 Comments   
Comment by Githook User [ 07/Apr/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com', 'username': 'bcaimano'}

Message: SERVER-53604 Convey both id and full arn to authenticate audit events
Branch: v4.4
https://github.com/mongodb/mongo/commit/cb453c32c5f4b8346de391d248aed60d9c86bd0e

Comment by Githook User [ 07/Apr/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com', 'username': 'bcaimano'}

Message: SERVER-53604 Convey both id and full arn to authenticate audit events
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/bf4fb65cb29efede435a9c731a5491b9113b8c2d

Comment by Githook User [ 09/Mar/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}

Message: SERVER-53604 Convert LDAP tests to use "error" field
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/f79814ef2bc10bd5b9c5b68a80ac157cf25fbbcd

Comment by Githook User [ 05/Mar/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}

Message: SERVER-53604 Convey both id and full arn to authenticate audit events
Branch: master
https://github.com/mongodb/mongo/commit/36597e8ce4fcf00e777bca348929c1530a79c699

Comment by Githook User [ 05/Mar/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}

Message: SERVER-53604 Convey both id and full arn to authenticate audit events
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/01768457b57d2d4191280f484016458c02b9a390

Comment by Githook User [ 05/Mar/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}

Message: SERVER-53604 Add tests for authenticate audit events from IAM
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/65feeb85f68b8307b73c742670557e6b25c7f13e

Generated at Thu Feb 08 05:31:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.