Changes for AWS CloudTrail Events for IAM Identity Center

[terrancedejesus]

Summary

It was announced by AWS that CloudTrail events for IAM Identity Center would be adjusting slightly on January 13, 2025. This affects specific AWS fields for specific CloudTrail events. It may be ideal to review the changes expected from the notification and review the AWS CloudTrail ingestion, such as mapped fields, events, transforms, etc. to ensure we are prepared for these changes.

I am not entirely sure about what changes may or may not need to be made into the AWS integration, but if I understand correctly, if we manually map any fields or have custom ingestion or transforms, then they should be reviewed.

We recommend that you update your workflows that process the userName, principalId, userIdentity type, or group displayName fields in CloudTrail events for IAM Identity Center before these changes take effect on January 13, 2025. This blog post provides guidance for these updates.

cc @tinnytintin10 (CDR)

TRADE has prepared an issue for reviewing and adjusting our rules accordingly if necessary.

• https://github.com/elastic/ia-trade-team/issues/509

References

https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/