Who removed my permissions?

Scenario

The network team requested the ability to create EC2 instances so they could do testing. The networkAdmin user is now complaining that he can no longer create EC2 instances. No one knows who made the change, so check the logs.

How do I investigate?

  • Navigate to Kibana using the SSO screen or the provided credentials
  • Select Discover in the side menu
  • Enter “AmazonEC2FullAccess” or “DetachUserPolicy” into the Search bar
  • Change the Time Range (e.g. Last 15 Minutes) to This Month
  • Expand a few of the results to review the details
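
The same investigation done offline, as an added example that is not part of the original exercise: it assumes the Kibana index holds AWS CloudTrail records and filters them for changes to AmazonEC2FullAccess on networkAdmin. The sample records, account ID, IP address and every user name except networkAdmin are constructed, `record` is a hypothetical helper, and the example goes slightly beyond the search above by also listing AttachUserPolicy events and ignoring calls that failed.

```python
# Constructed CloudTrail-shaped records for illustration (not real log data).
# The account ID, IP and every user except networkAdmin are placeholders.
EC2_ARN = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
USER_ARN = "arn:aws:iam::111122223333:user/"

def record(time, name, actor, target, policy, error=None):
    """Build a minimal CloudTrail-shaped IAM record (hypothetical helper)."""
    ev = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
          "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": USER_ARN + actor},
          "requestParameters": {"userName": target, "policyArn": policy}}
    if error:
        ev["errorCode"] = error  # CloudTrail also logs calls that were rejected
    return ev

SAMPLE_EVENTS = [
    record("2024-01-12T16:45:40Z", "DetachUserPolicy", "exampleAdminB", "networkAdmin", EC2_ARN),
    record("2024-01-10T09:02:11Z", "AttachUserPolicy", "exampleAdminA", "networkAdmin", EC2_ARN),
    record("2024-01-13T08:00:00Z", "DetachUserPolicy", "exampleAdminB", "otherUser", EC2_ARN),
    record("2024-01-12T14:30:05Z", "DetachUserPolicy", "exampleUserC", "networkAdmin", EC2_ARN, "AccessDenied"),
]

def policy_changes(events, user_name, policy_name):
    """Time-ordered attach/detach history of one managed policy on one IAM user."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or \
           ev.get("eventName") not in ("AttachUserPolicy", "DetachUserPolicy"):
            continue
        params = ev.get("requestParameters") or {}  # may be null in real records
        if params.get("userName") != user_name:
            continue
        if not str(params.get("policyArn", "")).endswith("/" + policy_name):
            continue
        hits.append({
            "time": ev["eventTime"],
            "action": ev["eventName"],
            "actor": (ev.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": ev.get("sourceIPAddress"),
            "succeeded": "errorCode" not in ev,  # failed calls changed nothing
        })
    return sorted(hits, key=lambda h: h["time"])  # ISO 8601 UTC sorts as text

def who_removed(events, user_name, policy_name):
    """Most recent successful detach of the policy from the user, or None."""
    detaches = [h for h in policy_changes(events, user_name, policy_name)
                if h["action"] == "DetachUserPolicy" and h["succeeded"]]
    return detaches[-1] if detaches else None
```

The `actor` and `source_ip` values in the result are the same fields to look for when expanding a result in Discover.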

Team Discussion

  • Could a change management process fix future issues with unknown permission changes?
  • What solution would you recommend implementing to help prevent changes from being made without notifying the impacted user or team?

Resources