Ensuring Role Assumption is Logged
Using CloudTrail to Log User Privileges
Role assumption needs to be properly configured as well as logged. Because AWS IAM is integrated with CloudTrail, you can easily track and log all user activities and assumed roles. By ensuring role assumption is logged, you can maintain and review the history of access and understand user privileges.
To learn more, visit the AWS documentation on logging IAM API calls with AWS CloudTrail.
When you enforce least privilege through role assumption, one critical requirement is logging every activity and every assumed role. AWS CloudTrail provides this: once it is enabled, each role assumption is logged, so you can identify which user assumed which role. With that record you can understand which accesses are being granted and which privileges are being assumed.
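As an added example (not code from the original page or from AWS), the following Python script reads CloudTrail records, builds the history of who assumed which role from the AssumeRole events, and attributes later API calls made under the role's temporary credentials back to the principal that assumed it. The sample records are constructed to match the CloudTrail event fields for AssumeRole and AssumedRole identities; the account id, user names and role name are placeholders.

```python
import json

# Constructed sample CloudTrail log: an IAM user assumes a role, acts under
# the role's temporary credentials, then a second user is denied the role.
# Account id and ARNs are placeholders, not values from the page.
ACCT = "123456789012"
ROLE = f"arn:aws:iam::{ACCT}:role/Admin"
SESSION = f"arn:aws:sts::{ACCT}:assumed-role/Admin/alice-session"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"roleArn": ROLE, "roleSessionName": "alice-session"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION}}},
    {"eventTime": "2024-01-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION,
                      "sessionContext": {"sessionIssuer": {"arn": ROLE}}}},
    {"eventTime": "2024-01-01T12:07:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"roleArn": ROLE, "roleSessionName": "bob-session"}},
]})

def assumption_report(log_text):
    """Map each assumed-role session ARN to (principal ARN, role ARN); denied
    AssumeRole calls (errorCode present, no session created) are listed apart."""
    sessions, denied = {}, []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        who, role = rec["userIdentity"]["arn"], rec["requestParameters"]["roleArn"]
        if "errorCode" in rec:
            denied.append((who, role, rec["errorCode"]))
        else:
            sessions[rec["responseElements"]["assumedRoleUser"]["arn"]] = (who, role)
    return sessions, denied

def attribute_actions(log_text):
    """Tie each call made under an assumed role back to the principal that
    assumed it, by matching the session ARN recorded at AssumeRole time."""
    sessions, _ = assumption_report(log_text)
    out = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("type") == "AssumedRole":
            principal = sessions.get(ident["arn"], ("<AssumeRole not in this log>",))[0]
            out.append((rec["eventName"], ident["arn"], principal))
    return out
```

A session whose AssumeRole record is not in the parsed file (for example, delivered in an earlier log object) is reported with the placeholder rather than silently dropped, so the review can go back and locate it.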