AWS IAM Identity Center is changing the content of the CloudTrail events it emits, effective January 13, 2025. The change, made in response to customer feedback, replaces the fields used to identify a user so that IAM Identity Center users can be correlated more reliably with external directory services such as Okta Universal Directory and Microsoft Active Directory. Any workflow that reads these events, including audit and incident-response tooling, is affected.
Key Changes and Implementation Date
On January 13, 2025, AWS IAM Identity Center will stop emitting the userName and principalId fields in the userIdentity element of its CloudTrail events. The change applies when a user signs in to IAM Identity Center, uses the AWS access portal, or obtains access to AWS accounts through the AWS CLI. In their place, IAM Identity Center will emit userId and identityStoreArn fields, and the userIdentity type for authenticated users will be reported as IdentityCenterUser.
In addition, the group displayName value will no longer appear in CloudTrail events recorded for group creation or update. Group attributes such as displayName remain available through the Identity Store DescribeGroup API operation to workflows that are authorized to call it.
Preparation for Workflow Updates
Administrators should update their workflows before January 13, 2025. Any workflow that reads userName, principalId, the userIdentity type, or the group displayName from IAM Identity Center CloudTrail events needs to be revised. The userName and principalId fields are replaced by userId and identityStoreArn. The userId is an immutable, unique identifier assigned to every user in the Identity Store, which makes it a more dependable key for attributing CloudTrail events to a user than a mutable username.
For authenticated users, the userIdentity type changes from Unknown to IdentityCenterUser; unauthenticated users continue to be recorded as Unknown, so workflows that match on the type must accept the new value. When a sign-in fails because the username does not exist, IAM Identity Center will emit the fixed text HIDDEN_DUE_TO_SECURITY_REASONS in the UserName field of additionalEventData instead of the attempted username, so that guessed usernames are not recorded in the trail. IAM Identity Center will also emit a credentialId field containing the session ID for actions performed through the AWS access portal or the AWS CLI, which allows a user's actions within one session to be grouped together.
Changes to Group Management Events
Starting January 13, 2025, IAM Identity Center will replace the displayName value in administrative CloudTrail events such as CreateGroup and UpdateGroup with the fixed text HIDDEN_DUE_TO_SECURITY_REASONS. The group displayName can then be read only through the Identity Store API by workflows authorized to call it, rather than by anyone with read access to the trail.
These group events also carry the credentialId field described above, so administrative actions performed through the AWS access portal or the AWS CLI can be tied to the session in which they occurred.
CloudTrail Event Groups Affected
The CloudTrail event groups affected by these changes are the AWS access portal, OIDC, Sign-in, and Identity Store events. AWS access portal events cover sign-in to and sign-out from the portal, retrieval of the account and application assignments the portal displays, and configuration of the AWS CLI or IDE tools as an IAM Identity Center user. The affected OIDC event is CreateToken, which establishes an authenticated user session.
Sign-in events cover password-based and federated authentication, including multi-factor authentication (MFA), and are where the new user identity fields first appear in a session. The affected Identity Store events are those for MFA device management in the AWS access portal and for administrative group creation and update.
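The following is an added example written for this article; it is not AWS code and not part of the original announcement. It normalizes constructed sample CloudTrail events spanning the schema change described in the preceding sections: it derives a stable actor key from the new userId (falling back to the legacy principalId and userName for pre-change events), treats the HIDDEN_DUE_TO_SECURITY_REASONS marker as "no username known" rather than as a literal username, groups events by the credentialId session ID, and parses the identity store ID out of identityStoreArn so that userId can be resolved back to a username with the Identity Store DescribeUser operation. Two things are assumptions rather than facts from the page: that the new fields sit either directly under userIdentity or under a userIdentity.onBehalfOf sub-element (the code accepts both), and the shape of the identity store ARN. The sample events, their eventName values other than CreateToken, and all identifiers are constructed placeholders.

```python
"""Normalize IAM Identity Center CloudTrail events across the January 13, 2025
schema change. Added example for this article, not AWS code. It assumes the new
userId/identityStoreArn fields appear either directly under userIdentity or
under a userIdentity.onBehalfOf sub-element; confirm the placement against
events from your own trail before relying on it."""
from collections import defaultdict

HIDDEN = "HIDDEN_DUE_TO_SECURITY_REASONS"

# Constructed sample events, not real CloudTrail output. Event names and
# sources other than CreateToken are placeholders; check your own trail.
SAMPLE_EVENTS = [
    {   # pre-change sign-in: type Unknown, legacy userName/principalId
        "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
        "userIdentity": {"type": "Unknown", "principalId": "legacy-principal-EXAMPLE",
                         "userName": "alice"},
        "additionalEventData": {"UserName": "alice"},
    },
    {   # post-change sign-in: IdentityCenterUser with userId/identityStoreArn
        "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
        "userIdentity": {
            "type": "IdentityCenterUser", "accountId": "111122223333",
            "onBehalfOf": {
                "userId": "94482478-1021-70e7-b2f1-EXAMPLE",
                "identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-9067c7a9cd",
            },
            "credentialId": "sess-EXAMPLE-1",
        },
    },
    {   # post-change failed sign-in with a username that does not exist
        "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
        "userIdentity": {"type": "Unknown"},
        "additionalEventData": {"UserName": HIDDEN},
    },
    {   # post-change CLI token request in the same portal session
        "eventSource": "sso-oidc.amazonaws.com", "eventName": "CreateToken",
        "userIdentity": {
            "type": "IdentityCenterUser", "accountId": "111122223333",
            "onBehalfOf": {
                "userId": "94482478-1021-70e7-b2f1-EXAMPLE",
                "identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-9067c7a9cd",
            },
            "credentialId": "sess-EXAMPLE-1",
        },
    },
]


def _identity_fields(event):
    """Return (userIdentity, sub-object carrying the new fields).
    Assumption: the new fields live under onBehalfOf when present, else directly."""
    ui = event.get("userIdentity", {})
    return ui, ui.get("onBehalfOf", ui)


def principal_key(event):
    """Stable (kind, value) actor key: new userId first, legacy fields as fallback.
    A hidden or absent username yields ("unknown", None) rather than a fake key."""
    ui, new = _identity_fields(event)
    if ui.get("type") == "IdentityCenterUser" and new.get("userId"):
        return ("userId", new["userId"])
    if ui.get("principalId"):
        return ("principalId", ui["principalId"])
    if ui.get("userName"):
        return ("userName", ui["userName"])
    attempted = event.get("additionalEventData", {}).get("UserName")
    if attempted and attempted != HIDDEN:
        return ("attemptedUserName", attempted)
    return ("unknown", None)


def identity_store_id(event):
    """Identity store ID (d-...) parsed from identityStoreArn; Identity Store
    APIs such as DescribeUser take it as IdentityStoreId."""
    _, new = _identity_fields(event)
    arn = new.get("identityStoreArn")
    # assumed ARN shape: arn:aws:identitystore::<account>:identitystore/<d-id>
    return arn.rsplit("/", 1)[-1] if arn else None


def is_hidden_failed_signin(event):
    """True when IdC masked the attempted username after a failed sign-in."""
    return event.get("additionalEventData", {}).get("UserName") == HIDDEN


def group_by_session(events):
    """Map credentialId (session ID) -> ordered eventNames; None for events without one."""
    sessions = defaultdict(list)
    for e in events:
        sessions[e.get("userIdentity", {}).get("credentialId")].append(e["eventName"])
    return dict(sessions)


def resolve_user_name(event, describe_user):
    """Turn the new userId back into a username via Identity Store DescribeUser.
    describe_user is any callable with the signature of boto3's
    identitystore.describe_user(IdentityStoreId=..., UserId=...)."""
    kind, value = principal_key(event)
    store = identity_store_id(event)
    if kind != "userId" or store is None:
        return None
    return describe_user(IdentityStoreId=store, UserId=value)["UserName"]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["eventName"], principal_key(e), "hidden" if is_hidden_failed_signin(e) else "")
    print(group_by_session(SAMPLE_EVENTS))
```

In production, pass `boto3.client("identitystore").describe_user` as the `describe_user` argument; the caller needs identitystore:DescribeUser permission, which is exactly the authorized-access path the article describes for attributes that no longer appear in the trail.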
API and CLI Command Correlation
Several of the API operations behind these CloudTrail events are also exposed as AWS CLI commands, in the Portal, OIDC, and Identity Store command groups. The commands themselves do not change; what changes is the content of the CloudTrail events they produce. Any workflow that attributes those commands' events to a user must therefore stop reading userName and principalId and use userId and identityStoreArn instead.
AWS documents each affected event with before-and-after examples that highlight the fields involved: userId, identityStoreArn, credentialId, and UserName (within the additionalEventData element). Comparing a workflow's field references against those examples is the most direct way to find what breaks on January 13, 2025.
Strategic Recommendations
Update any workflow or command that depends on userName, principalId, the userIdentity type, or the group displayName before January 13, 2025. Key user attribution on userId and identityStoreArn, accept IdentityCenterUser as the userIdentity type, and treat HIDDEN_DUE_TO_SECURITY_REASONS as a marker rather than a real username. Where a workflow needs group attributes such as displayName, grant it permission to call the Identity Store APIs and fetch them there instead of reading them from the trail.
Workflows updated in this way will keep attributing IAM Identity Center activity to the correct user after the cutover date, with credentialId available to group a user's actions by session.
Summary of Impacted Events
Effective January 13, 2025, the affected IAM Identity Center CloudTrail events are: AWS access portal events (sign-in, sign-out, retrieval of account and application assignments, and AWS CLI or IDE configuration as an IAM Identity Center user); the OIDC CreateToken event; Sign-in events for password-based and federated authentication, including MFA; and Identity Store events for MFA device management and for group creation and update.
Across these events, userName and principalId are removed from userIdentity and replaced by userId and identityStoreArn; the userIdentity type for authenticated users becomes IdentityCenterUser while unauthenticated users remain Unknown; a credentialId carrying the session ID is added for AWS access portal and AWS CLI activity; the UserName in additionalEventData becomes HIDDEN_DUE_TO_SECURITY_REASONS when a sign-in fails for a nonexistent username; and the group displayName in CreateGroup and UpdateGroup events becomes HIDDEN_DUE_TO_SECURITY_REASONS, with the real value available through the Identity Store DescribeGroup API.
Because userId is immutable and unique within the Identity Store, it gives audit and incident-response workflows a more reliable key for matching IAM Identity Center users to records in external directories such as Okta Universal Directory and Microsoft Active Directory than the mutable userName did.