AssumeRoleWithSAML is not supported by CloudWatch Event Rules #1

Open
vikyol opened this issue Jan 15, 2020 · 3 comments

Comments


vikyol commented Jan 15, 2020

I have a CloudWatch event rule for the sts:AssumeRole*, but AssumeRoleWithSAML is never triggered.

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "eventName": [
      "AssumeRoleWithSAML",
      "AssumeRole"
    ]
  },
  "source": [
    "aws.sts"
  ]
}

vikyol commented Jan 15, 2020

"AssumeRoleWithSAML" is not currently supported by CloudWatch Events, but there is an existing feature request to add this functionality.

This work-around utilizes four services:
• CloudWatch log stream
• CloudTrail
• Lambda function to invoke an SNS topic
• SNS topic

To implement this, a CloudTrail needs to be created if there isn't an existing one that is capturing the event “AssumeRoleWithSAML”. Stream the trail to a CloudWatch log group.

Next, go to the CloudWatch console and in the logs section you’ll find the Log group that is created by the CloudTrail. Click into it to ensure that API calls are being received (note that this can take a few minutes). Ensure that the event “AssumeRoleWithSAML” is being captured by filtering with {$.eventName = "AssumeRoleWithSAML"}. Create the following lambda function and register it as the event target:

import base64
import gzip
import json

import boto3


def lambda_handler(event, context):
    client = boto3.client('sns')
    # CloudWatch Logs delivers subscription-filter data base64-encoded and gzip-compressed
    message_encoded = event['awslogs']['data']
    compressed_payload = base64.b64decode(message_encoded)
    uncompressed_payload = gzip.decompress(compressed_payload)
    payload = json.loads(uncompressed_payload)

    # Forward the decoded log batch to the SNS topic (topic ARN left blank in the original)
    response = client.publish(
        TopicArn='',
        Message=json.dumps({'default': json.dumps(payload)}),
        Subject='Assume Role with SAML detected',
        MessageStructure='json'
    )
    return response


mfarrokhnia commented Nov 12, 2020

Any update on this case using cloudwatch event rules?


vikyol commented Nov 12, 2020

@mina69

I've not worked on this lately, but as far as I know this event is still not supported by CloudWatch Events.

When you create a subscription filter as a workaround, your lambda function receives the event as a parameter. You should just extract the fields according to your needs, e.g. UserName = event["userIdentity"]["userName"]. You don't need to fetch subscription filters yourself.

This is the event handler in my implementation.
https://github.com/erhanux/aws-tags/blob/master/lambda/saml_event_handler/saml_handler.py

AssumeRoleWithSaml test event - https://github.com/erhanux/aws-tags/blob/master/test/events/AssumeRoleWithSaml.json
Your event should be similar to this one.
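The decode-and-extract step described in the two replies above (the subscription-filter handler and the field extraction), as an added example that is not the project's own code: it builds a constructed CloudWatch Logs subscription event carrying a made-up AssumeRoleWithSAML CloudTrail record, reverses the base64 + gzip wrapping, and pulls out the fields an alert would carry. The SNS publish from the handler is left out so the block runs offline; all identifiers in SAMPLE_RECORD are invented.

```python
import base64
import gzip
import json

# Constructed CloudTrail record for an AssumeRoleWithSAML call (all values made up).
SAMPLE_RECORD = {
    "userIdentity": {
        "type": "SAMLUser",
        "principalId": "EXAMPLEPRINCIPALID:alice",
        "userName": "alice",
        "identityProvider": "https://idp.example.com/saml",
    },
    "eventTime": "2020-01-15T10:00:00Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithSAML",
    "sourceIPAddress": "203.0.113.10",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789012:role/ExampleSamlRole",
        "principalArn": "arn:aws:iam::123456789012:saml-provider/ExampleIdP",
    },
}


def build_subscription_event(records):
    """Wrap records the way a CloudWatch Logs subscription filter hands them to Lambda:
    gzip-compressed, base64-encoded JSON whose logEvents[].message is one record each."""
    log_events = [{"id": str(i), "timestamp": 0, "message": json.dumps(r)}
                  for i, r in enumerate(records)]
    body = json.dumps({"messageType": "DATA_MESSAGE", "logEvents": log_events}).encode()
    return {"awslogs": {"data": base64.b64encode(gzip.compress(body)).decode()}}


def decode_subscription_event(event):
    """Undo the base64 + gzip wrapping and parse each log line back into a CloudTrail record."""
    raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
    return [json.loads(e["message"]) for e in json.loads(raw)["logEvents"]]


def summarise_saml_assume(record):
    """Extract the fields an alert on AssumeRoleWithSAML usually needs."""
    ident = record.get("userIdentity", {})
    params = record.get("requestParameters", {})
    return {"eventTime": record.get("eventTime"), "userName": ident.get("userName"),
            "identityProvider": ident.get("identityProvider"),
            "roleArn": params.get("roleArn"), "sourceIPAddress": record.get("sourceIPAddress")}


def saml_alerts_from_event(event):
    """Decode a subscription event and summarise only the AssumeRoleWithSAML records in it."""
    return [summarise_saml_assume(r) for r in decode_subscription_event(event)
            if r.get("eventName") == "AssumeRoleWithSAML"]
```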
