Your company has developed a suite of business analytics services as a SaaS application used by hundreds of customers worldwide. Recently there has been an acquisition of a product, and the management has decided to integrate the product with the main service. The product also runs onto the AWS platform. The initial phase required the product software to use some private resources of the main SaaS service.

Answer options:

A.The auditing team will need the CloudTrail logs detail of both the SaaS and the product AWS accounts as the call was made from the product application’s AWS account.
B.The auditing team can find the detail only from the SaaS application’s AWS account, as the bucket was part of that account.
C.Look for the DeleteBucket API record into the SaaS application’s AWS account CloudTrail logs. It should have a user Id and the bucket detail as part of the log detail.
D.Look for the sharedEventId and the userIdentity for the DeleteBucket API event in both AWS accounts.
E.Look for the sharedEventId and the userIdentity for the AssumeRole API event in both AWS accounts.

Correct Answers: A and D
Option A is CORRECT because the request is made from the product’s AWS account and the resource was part of the main AWS account. The user will have to check the log trail of both the accounts and match the user token being used.
Option B is INCORRECT because the SaaS application’s CloudTrail logs will not reveal the user identity. The cross-account role issues a token, and all the further interaction is logged with that token. To know which user the token belongs to, the auditor will have to look into the product account’s log trail as well.
Option C is INCORRECT because the DeleteBucket will not have the user identity information. The log will have the user token information only, as the API was invoked with a cross-account role.
Option D is CORRECT because, at the time of assuming the role into the main AWS account, the product team’s AWS account must have created an entry with the sharedEventId and the userIdentity information. SharedEventId helps to identify the real user, and userIdentity provides the IAM ARN that performs the action. These two can help to find who has executed the DeleteBucket API. Please check the references in https://docs.aws.amazon.com/awscloudtrail/latest/userguide/shared-event-ID.html and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html.
Option E is INCORRECT because the userIdentity information will only be available inside the product team’s AWS account in response to the AssumeRole operation. The sharedEventId will be available in both the account’s log trail though.