undefined | Better HN

0 pointsklohto6y ago0 comments

You can specify the behavior. There is no unique user for each login, by default you are dropped to generic ssm-user. It's possible to set up a log-in into specific user based on the IAM username.

> The later would make any logging outside of SSM difficult There is a way to tie IAM user to SSM. You have to request SSM permissions and AWS logs that. AWS logs pretty much every single API call so it's just matter of storing and auditing correctly.

0 comments

2 comments · 1 top-level

marcinzm6y ago· 1 in thread

>There is a way to tie IAM user to SSM. You have to request SSM permissions and AWS logs that. AWS logs pretty much every single API call so it's just matter of storing and auditing correctly.

If you're using a generic ssm-user (and going to ssh so there's no ssm logs of the commands) then wouldn't you not be able to distinguish the commands (say in auditd) of two people logging in at the same time?

I'm reminded of RDS which does not store enough logs anywhere to reconstruct which IAM user/role was running specific commands when using IAM Authentication unless you create individual users in the DB.

klohtoOP6y ago

> If you're using a generic ssm-user (and going to ssh so there's no ssm logs of the commands) then wouldn't you not be able to distinguish the commands (say in auditd) of two people logging in at the same time?

But that requires auditing directly on EC2, right? (You can indeed sync the logs somewhere, but that diminished the beauty of out of box logging)

> I'm reminded of RDS which does not store enough logs

AFAIK, it's not possible with their current implementation to accomplish this. We just swallowed that it won't work and for the sake of security created seperate users.

j / k navigate · click thread line to collapse