AI Workflow Audit Trails via IAM User Activity

Question

Pulumi · Accepted Answer

To create an audit trail for IAM user activity that can be used to monitor and analyze the actions performed by users, we can orchestrate several AWS services. AWS CloudTrail is central to this, as it logs all API calls across an AWS account, including calls from the AWS Management Console, Command Line Interface (CLI), and other AWS services.

We'll use CloudTrail to record and log all IAM user activity. With CloudTrail, we can monitor and record account activity across your AWS infrastructure, including actions taken through the Management Console, Command Line Interface, and other AWS services. Then, we can use Amazon EventBridge (formerly known as CloudWatch Events) to monitor these logs and trigger automated responses to specific events. Additionally, we can store the logs in an Amazon S3 bucket for long-term retention and auditing purposes.

Here's a Pulumi program that sets up an AWS CloudTrail to monitor IAM user activity, stores the logs in an S3 bucket, and sets an EventBridge rule to respond to specific IAM activities. I'll explain each part of the program in detail.

```python
import pulumi
import pulumi_aws as aws

# Create an S3 bucket to store CloudTrail logs
cloudtrail_logs_bucket = aws.s3.Bucket("cloudtrail-logs-bucket")

# Configure an AWS CloudTrail to log all actions in the AWS Management Console, CLI, and other AWS services
cloudtrail = aws.cloudtrail.Trail("iam-user-activity-trail",
    s3_bucket_name=cloudtrail_logs_bucket.id,
    is_multi_region_trail=True,
    include_global_service_events=True,
    event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
        read_write_type="All",
        include_management_events=True,
        data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
            type="AWS::IAM::User",
            values=["arn:aws:iam:::user/"]
        )]
    )]
)

# Set up an Amazon EventBridge rule to watch for specific IAM User activity,
# like login attempts or changes to a user's credentials
iam_user_activity_rule = aws.cloudwatch.EventRule("iam-user-activity-rule",
    event_pattern={
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["iam.amazonaws.com"],
        }
    }
)

# Create an EventBridge target using SNS to notify when specific IAM user activity is detected
iam_user_activity_sns_topic = aws.sns.Topic("iam-user-activity-topic")
iam_user_activity_rule_target = aws.cloudwatch.EventTarget("iam-user-activity-rule-target",
    rule=iam_user_activity_rule.name,
    arn=iam_user_activity_sns_topic.arn
)

# Output - S3 Bucket URL for CloudTrail logs
pulumi.export("cloudtrail_logs_bucket_url", cloudtrail_logs_bucket.bucket_regional_domain_name)
```

## Explanation

1. First, we create an S3 bucket (`cloudtrail_logs_bucket`) to store the logs that CloudTrail generates. This bucket will collect all the logs of API calls, making them available for review or use in other auditing and security tools.

2. Next, we configure CloudTrail (`cloudtrail`) to monitor and log all actions executed by IAM users. We've enabled the trail for multi-region and global service events to ensure wide-ranging coverage for our audit. With `event_selectors`, we specifically target actions involving IAM users, setting `read_write_type` to All to log every read and write event related to them.

3. We then set up a CloudWatch Event Rule (`iam_user_activity_rule`) to watch for specific IAM User activities such as login attempts or changes to credentials. The `event_pattern` specifies the source and type of events we're interested in.

4. After defining the rule, we prepare an Amazon Simple Notification Service (SNS) topic (`iam_user_activity_sns_topic`) which will be the target for our EventBridge rule. We wire the EventBridge rule to this topic by specifying the SNS topic's ARN in an Event Target (`iam_user_activity_rule_target`).

5. Finally, we output the S3 bucket URL, which is the endpoint where all CloudTrail logs for the account will be stored. You can access this URL to review the logs as needed.

With this setup in place, you can start to monitor IAM user activity for any security concerns and ensure proper audit trails are in place for compliance. This is a great starting point to build more robust security and auditing mechanisms depending on your organizational requirements.