AWS Certified Solutions Architect Professional forum, Reply To: Question about accessing S3 bucket

  • JR-TutorialsDojo

    Administrator
    April 16, 2025 at 10:03 am

    Hello ch34,

    Thanks for the feedback.

    The use of the IAM Identity Center, combined with an identity-based policy, allows for fine-grained access control. Specifically, the policy restricts access to only the files a user (scientist) is authorized to access by using tags. For example, the tag ${aws:PrincipalTag/userNameID}/* ensures that each user only has access to files they own (because each file is tagged with the user’s ID as part of the filename or metadata).

    The IAM Identity Center and identity-based policy don’t directly generate audit reports, but they work in conjunction with other AWS services, like CloudTrail, to provide detailed logs. CloudTrail will log events for every access attempt, and these logs can then be queried with Athena to generate the required monthly audit reports. So, while the IAM Identity Center itself doesn’t generate the reports, it ensures that the correct user is granted access to the appropriate data in the first place, and the audit logs from CloudTrail will give you the detailed information required.

    Here’s the distinction:

    (IAM Identity Center) can be integrated with CloudTrail for access tracking. It ensures that each scientist has access to their own files, and the CloudTrail logs can then be queried to generate monthly reports.

    (S3 Access Point + QuickSight) only addresses access control but lacks the direct capability to generate or track detailed access logs for auditing purposes. QuickSight is a data visualization tool, not an auditing tool.

    QuickSight can take CloudTrail logs and turn them into reports or dashboards. However, QuickSight itself doesn’t generate or track the logs; it only visualizes data that’s already been collected. So, you’d need to query the CloudTrail logs (e.g., via Athena) and store them in a location that QuickSight can access (e.g., an S3 bucket or database). For more information, please refer to this.

    I hope this helps! Let us know if you need further assistance.

    Regards,
    JR @ Tutorials Dojo
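The identity-based policy the reply describes, written out as an added example (it is not code from the Tutorials Dojo post). It assumes IAM Identity Center is configured to pass a `userNameID` attribute as a session tag, and `EXAMPLE-RESEARCH-BUCKET` is a placeholder bucket name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-RESEARCH-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${aws:PrincipalTag/userNameID}/*"
        }
      }
    },
    {
      "Sid": "ReadWriteOwnObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-RESEARCH-BUCKET/${aws:PrincipalTag/userNameID}/*"
    }
  ]
}
```

A principal whose session carries no `userNameID` tag matches neither statement, because an unresolved policy variable never matches, so access is implicitly denied; the same applies to listing the bucket root without the owner's prefix.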
