Posted On: Apr 21, 2020

Amazon Identity and Access Management (IAM) now makes it easier to identify who is responsible for an Amazon Web Services action performed by an IAM role when viewing Amazon  CloudTrail logs. Adding the new service-specific condition, sts:RoleSessionName, in an IAM policy, enables you to define the role session name that must be set when an IAM principal (user or role) or application assumes the IAM role. Amazon Web Services adds the role session name to the Amazon CloudTrail log when the IAM role performs an action, making it easy to determine who performed the action.  

For example, you store product-pricing data in an Amazon DynamoDB database in your Amazon Web Services account and want to grant your marketing partners from a different Amazon Web Services account within the company, access to the product-pricing data. To achieve this, you can dedicate an IAM role in your Amazon Web Services account that your marketing partners will assume to access the pricing data. You can then use the sts:RoleSessionName condition in the role trust policy of the IAM role to ensure that your marketing partners set their Amazon Web Services username as their role session name when they assume the IAM role. The Amazon CloudTrail log will capture the activities of the marketing partner using the IAM role and record the marketing partner’s username as the role session name. The Amazon Web Services username will show up in the ARN of the IAM role when you view your Amazon CloudTrail logs. With this, you can now easily identify what actions a specific marketing partner has performed in your Amazon Web Services account.

To learn more about the new condition, sts:RoleSessionName, visit the IAM Documentation.