CloudTrail - AWS Identity and Access Management

CloudTrail

All actions performed by product providers using temporary delegated access are automatically logged in AWS CloudTrail. This provides complete visibility and auditability of product provider activity in your AWS account. You can identify which actions were taken by product providers, when they occurred, and which product provider account performed them.

To help you distinguish between actions taken by your own IAM principals and those taken by product providers with delegated access, CloudTrail events include a new field called invokedByDelegate under the userIdentity element. This field contains the AWS account ID of the product provider, making it easy to filter and audit all delegated actions.

CloudTrail Event Structure

The following example shows a CloudTrail event for an action performed by a product provider using temporary delegated access:

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name",
    "arn": "arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
    "accountId": "111122223333",
    "accessKeyId": "[REDACTED:AWS_ACCESS_KEY]",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "attributes": {
        "creationDate": "2024-09-09T17:50:16Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedByDelegate": {
      "accountId": "444455556666"
    }
  },
  "eventTime": "2024-09-09T17:51:44Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "GetUserPolicy",
  "awsRegion": "us-east-1",
  "requestParameters": {
    "userName": "ExampleIAMUserName",
    "policyName": "ExamplePolicyName"
  },
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

The invokedByDelegate field contains the AWS account ID of the product provider that performed the action using delegated access. In this example, account 444455556666 (the product provider) performed the GetUserPolicy action in account 111122223333 (the customer account); the userIdentity element otherwise describes the role session in the customer account that the provider used.
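The following is an added example, not code from this AWS documentation page: a small Python filter that reads CloudTrail records (a constructed sample is embedded) and separates actions taken by product providers through delegated access from those taken by your own principals, keying on userIdentity.invokedByDelegate as described above. The allowlist of expected provider accounts and the function names are assumptions for the example.

```python
import json

# Constructed sample, not real CloudTrail output: the documented delegated event, an
# ordinary action by your own role, and a delegated call from an unexpected account.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-09-09T17:51:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUserPolicy", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
                      "invokedByDelegate": {"accountId": "444455556666"}}},
    {"eventTime": "2024-09-09T18:02:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ops"}},
    {"eventTime": "2024-09-09T18:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
                      "invokedByDelegate": {"accountId": "777788889999"}}},
]})

def load_records(text: str) -> list[dict]:
    """Parse a CloudTrail log file body (the {"Records": [...]} envelope)."""
    return json.loads(text)["Records"]

def delegated_actions(records: list[dict]) -> list[dict]:
    """Keep only events performed through temporary delegated access, recording
    the provider account (userIdentity.invokedByDelegate), the call and its time."""
    out = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        delegate = ident.get("invokedByDelegate")
        if not delegate:
            continue  # action by one of your own principals, not a product provider
        out.append({"providerAccountId": delegate.get("accountId"),
                    "eventName": rec.get("eventName"),
                    "eventSource": rec.get("eventSource"),
                    "eventTime": rec.get("eventTime"),
                    "sessionArn": ident.get("arn")})
    return out

def unexpected_delegates(records: list[dict], expected: set[str]) -> list[dict]:
    """Delegated actions whose provider account is outside `expected`, an assumed
    allowlist of the product providers you actually granted access to."""
    return [a for a in delegated_actions(records)
            if a["providerAccountId"] not in expected]

if __name__ == "__main__":
    for a in unexpected_delegates(load_records(SAMPLE_RECORDS), {"444455556666"}):
        print(f"{a['eventTime']} {a['providerAccountId']} {a['eventSource']} {a['eventName']}")
```

The same filter expressed as a CloudTrail Lake or Athena query would select on userIdentity.invokedByDelegate.accountId IS NOT NULL; the Python form is shown because it runs offline against downloaded log files.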