IAM with AWS CloudTrail and AWS STS integration, which is a service that provides a record of the user or role taken by the IAM operations. All API CloudTrail IAM and AWS STS will call as an event capture, including a call from the console and API calls. If you create a track, you can make CloudTrail event lasts transferred to Amazon S3 bucket. If you do not configure tracking, you can still CloudTrail console Event history (event history) view the latest events. You may be used to obtain information about a request for CloudTrail IAM or AWS STS emitted. For example, you can view the request source IP address, user, time and other details issued.
| Principal type | IAM/STS API | CloudTrail user who logs in call accounts | User identity CloudTrail role owner account log in | Log user identity CloudTrail subsequent API calls in the role of owner |
|---|---|---|---|---|
| AWS root user account credentials | GetSessionToken | Root identity | Role Owners account with the same account to call | Root identity |
| IAM users | GetSessionToken | IAM user identities | Role Owners account with the same account to call | IAM user identities |
| IAM users | GetFederationToken | IAM user identities | Role Owners account with the same account to call | IAM user identities |
| IAM users | AssumeRole | IAM user identities | Account and client ID (if the user) or AWS service clients | Only the role of identity (without user) |
| External user authentication | AssumeRoleWithSAML | no | SAML user identity | Only the role of identity (without user) |
| External user authentication | AssumeRoleWithWebIdentity | no | OIDC / Web user identity | Only the role of identity (without user) |
Scrip requested recording mode - When clients request temporary credentials, the principal type determines how CloudTrail record the event. The following table shows how different CloudTrail call record information for each API to generate temporary credentials.