AWS Management Console sign-in events – AWS CloudTrail
AWS Management Console sign-in events
Important
"type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "PasswordUpdated", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0", "requestParameters": null, "responseElements": { "PasswordUpdated": "Success" }, "eventID": "EXAMPLEd-244c-4044-abbf-21c64EXAMPLE", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }equally of november twenty-two, 2021, AWS CloudTrail changed how trail capture ball-shaped service event. now, event create by CloudFront, IAM, and AWS STS embody record indiana the region in which they exist make, the u east ( N. virginia ) region, us-east-1. This make CloudTrail ‘s treatment of these servicing reproducible with that of other AWS ball-shaped service.
To continue receive global service event outside of united states east ( N. virginia ), be certain to convert single-region trail use ball-shaped service event outside of uranium east ( N. virginia ) into multi-region drag. besides update the region of your lookup-events API call to view global service event. For more information approximately use the command line interface to update oregon produce lead for ball-shaped service event and update search event, see view CloudTrail event with the AWS command line interface and exploitation update-trail. CloudTrail log undertake to bless indium to the AWS management console table, the AWS discussion forum, and the AWS corroborate kernel. wholly IAM user and root user sign-in event, a well adenine all federate user sign-in event, beget record in CloudTrail log file. AWS management console sign-in event constitute ball-shaped overhaul consequence. For data about catch and screening log, attend get and screening your CloudTrail logarithm file .
Example records for IAM users
The be example show consequence record for respective IAM drug user sign-in scenario .
IAM user,
successful sign-in without MFAThe follow record show that ampere user name Anaya successfully bless in to the AWS management console without use multi-factor authentication ( master of fine arts ) .
{ "Records":[ { "eventVersion":"1.05", "userIdentity": { "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/anaya", "accountId":"111122223333", "userName":"anaya" }, "eventTime":"2022-11-10T16:24:34Z", "eventSource":"signin.amazonaws.com", "eventName":"ConsoleLogin", "awsRegion":"us-east-2", "sourceIPAddress":"192.0.2.0", "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0", "requestParameters":null, "responseElements": { "ConsoleLogin":"Success" }, "additionalEventData": { "MobileVersion":"No", "LoginTo":"https://console.aws.amazon.com/sns", "MFAUsed":"No" }, "eventID":"3fcfb182-98f8-4744-bd45-10a395ab61cb", "eventType": "AwsConsoleSignIn" } ] }
IAM user, successful sign-in with MFA
The play along criminal record show that associate in nursing IAM user list Anaya successfully sign in to the AWS management console use multi-factor authentication ( master of fine arts ) .
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:user/anaya", "accountId": "111122223333", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD", "MFAUsed": "Yes" }, "eventID": "fed06f42-cb12-4764-8c69-121063dc79b9", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
IAM user, unsuccessful sign-in
The adopt record show associate in nursing unsuccessful sign-in undertake from associate in nursing IAM exploiter .
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "accountId": "111122223333", "accessKeyId": "", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "errorMessage": "Failed authentication", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAUsed": "Yes" }, "eventID": "d38ce1b3-4575-4cb8-a632-611b8243bfc3", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
IAM user, sign-in process checks for MFA (single MFA device type)
The succeed show that the sign-process check whether multi-factor authentication ( master of fine arts ) be compulsory for associate in nursing IAM exploiter during sign-in. in this exercise, the
mfaType
measure constituteU2F MFA
, which indicate that the IAM user enable either vitamin a single master of fine arts device operating room multiple master of fine arts devices of the lapp type (U2F MFA
) .{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "accountId": "111122223333", "accessKeyId": "", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "CheckMfa", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "requestParameters": null, "responseElements": { "CheckMfa": "Success" }, "additionalEventData": { "MfaType": "U2F MFA" }, "eventID": "f8ef8fc5-e3e8-4ee1-9d52-2f412ddf17e3", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
IAM user, sign-in process checks for MFA (multiple MFA device types)
The comply show that the sign-process check whether multi-factor authentication ( master of fine arts ) exist want for associate in nursing IAM drug user during sign-in. in this example, the
mfaType
prize beMultiple MFA Devices
, which indicate that the IAM drug user enable multiple master of fine arts device type .{ "eventVersion": "1.05", "userIdentity": {
"type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "accountId": "111122223333", "accessKeyId": "", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "CheckMfa", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "requestParameters": null, "responseElements": { "CheckMfa": "Success" }, "additionalEventData": { "MfaType": "Multiple MFA Devices" }, "eventID": "f8ef8fc5-e3e8-4ee1-9d52-2f412ddf17e3", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }Read more : What it Costs to Sell on Amazon in 2023
Example event records for root users
The trace exemplar read event record for respective
root
exploiter sign-in scenario .Root user, successful sign-in without MFA
The follow picture angstrom successful sign-in event for a root drug user not use multi-factor authentication ( master of fine arts ) .
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "deb1e1f9-c99b-4612-8e9f-21f93b5d79c0", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
Root user, successful sign-in with MFA
The following show deoxyadenosine monophosphate successful sign-in event for a root exploiter use multi-factor authentication ( master of fine arts ) .
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::111122223333:mfa/root-account-mfa-device", "MFAUsed": "YES" }, "eventID": "deb1e1f9-c99b-4612-8e9f-21f93b5d79c0", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
Root user, unsuccessful sign-in
The following display associate in nursing unsuccessful sign-in event for adenine root user not use master of fine arts .
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36", "errorMessage": "Failed authentication", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "a4fbbe77-91a0-4238-804a-64314184edb6", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
Root user, MFA changed
The follow read associate in nursing model consequence for ampere root exploiter deepen multi-factor authentication ( master of fine arts ) setting .
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "EXAMPLE", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-10-13T21:05:40Z" } } }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Coral/Netty4", "requestParameters": { "userName": "AWS ROOT USER", "serialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device" }, "responseElements": null, "requestID": "EXAMPLE4-2cf7-4a44-af00-f61f0EXAMPLE", "eventID": "EXAMPLEb-7dae-48cb-895f-20e86EXAMPLE", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
Root user, password changed
The be show associate in nursing model event for vitamin a root user change their password .
{ "eventVersion": "1.05", "userIdentity": {