What is the FASTEST way for the security engineer to identify the federated user?
Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.
Explanations:
While reviewing CloudTrail logs in S3 can show the TerminateInstances event, it does not directly provide the federated user details unless the role session name can be correlated with user identity, which can be complex without further context.
Filtering CloudTrail for the TerminateInstances event allows for identifying the assumed IAM role used during the termination. By reviewing the corresponding AssumeRoleWithSAML event, the security engineer can trace back to the federated user’s identity linked to that role, making this the fastest method.
Searching the IAM Access Advisor may show last accessed times, but it does not directly indicate which federated user terminated the instance, as multiple users could have accessed the same role. This approach is indirect and less efficient.
Although using Amazon Athena can allow for querying CloudTrail logs for the TerminateInstances event, it requires multiple queries to correlate roles and user names, making it more complex and slower compared to option B.
I weigh that the answer is:
Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
In my opinion, the answer is:
Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.