Sara

is it even possible to see who in your org created an ec2 instance

· tootstream · 3 · 0 · 3

@sara I think there's some kind of audit log in IAM but I haven't looked for a long time

@sara If you have CloudTrail monitoring enabled, you can trace it back to the STS assumption role or credential id that created the instance which should narrow if not identify the source.

@chuck What am I looking at here? I've got the sts.amazonaws.com events pulled up but there's not really any human-readable info

@sara You'll need to trace it back to the instance id, there will be a creation event and the credential used to initiate that creation event.

@chuck @sara yeah the fun part is when it's a Jenkins service account and the perp list widens back to everyone who can run builds

@VyrCossont @sara yup - true statement. build accounts running the build though *should* have logs based on what process/user kicked that off. it's just a breadcrumb trail but all the same.
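As an added example (not from the thread), the correlation chuck describes: find the RunInstances record for an instance id in a batch of CloudTrail records and, when the caller was an assumed role, follow its temporary access key id back to the STS AssumeRole event that issued it, which names the principal (a person or a build account) that assumed the role. The records are constructed sample data; the account id, ARNs, key id and instance id are placeholders.

```python
# Constructed sample CloudTrail records (placeholder account, ARNs, key id):
# the STS AssumeRole call that issued temporary credentials, and the
# RunInstances call made with those credentials.
SAMPLE_RECORDS = [
    {
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2024-05-01T10:00:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/deployer",
                              "roleSessionName": "alice-session"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY"}},
    },
    {
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "eventTime": "2024-05-01T10:05:00Z",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY",
                         "arn": "arn:aws:sts::111122223333:assumed-role/deployer/alice-session"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}},
    },
]


def _created_instances(record):
    """Instance ids reported by a RunInstances record (empty if the call failed)."""
    items = ((record.get("responseElements") or {}).get("instancesSet") or {}).get("items") or []
    return {item.get("instanceId") for item in items}


def find_creator(records, instance_id):
    """Who created instance_id (None if no RunInstances record matches); for an
    assumed role, also the principal whose AssumeRole call issued the key used."""
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if instance_id not in _created_instances(rec):
            continue
        ident = rec.get("userIdentity") or {}
        result = {"event_time": rec.get("eventTime"), "caller_type": ident.get("type"),
                  "caller_arn": ident.get("arn")}
        if ident.get("type") == "AssumedRole":
            key = ident.get("accessKeyId")
            for sts in records:  # the temporary credential id links the two events
                creds = (sts.get("responseElements") or {}).get("credentials") or {}
                if (sts.get("eventSource") == "sts.amazonaws.com"
                        and sts.get("eventName") == "AssumeRole"
                        and creds.get("accessKeyId") == key):
                    result["role_arn"] = (sts.get("requestParameters") or {}).get("roleArn")
                    result["assumed_by"] = (sts.get("userIdentity") or {}).get("arn")
        return result
    return None
```

On real data, the list of records is the "Records" array of a CloudTrail log file; if the AssumeRole caller is itself a service account, repeat the same lookup on that account's own logs, as the thread notes.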

hackoon.com