Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Cognito Cloud Trail not logging username on succesfull login

1

I have a CloudFront distributed app which uses a Cognito hosted UI for logging in. I see CognitoAuthentication events in Cloudtrail event history, but all with:

"username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]

These where succesfull logins... How do I get those usernames? They come from a Cognito userpool. Full (curated) event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "<MY_ACCOUNT>"
    },
    "eventTime": "2023-06-05T10:36:38Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "CognitoAuthentication",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "<MY-IP>",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "responseParameters": {
            "status": 302
        },
        "requestParameters": {
            "signInSubmitButton": [
                "Sign in"
            ],
            "password": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "scope": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "response_type": [
                "token"
            ],
            "_csrf": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "cognitoAsfData": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "redirect_uri": [
                "<MY-APP-URI>"
            ],
            "client_id": [
                "<MY-CLIENT-ID>"
            ],
            "username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]
        },
        "userPoolDomain": "<MY-NAME>.auth.eu-west-1.amazoncognito.com",
        "userPoolId": "<MY-POOL-ID>"
    },
    "requestID": "<UUID>",
    "eventID": "<UUID>,
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "<MY-ACCOUNT>",
    "serviceEventDetails": {
        "serviceAccountId": "<MY-ACCOUNT>"
    },
    "eventCategory": "Management"
}
Themen
Sicherheit, Identität & Konformität
Tags
Amazon Cognito
Sprache
English
JointEffort
gefragt vor einem Jahr658 Aufrufe
2 Antworten
0

Hi.I hope this link will help you.(written in Japanese so please translate it.)

https://dev.classmethod.jp/articles/how-to-check-the-cognito-authentication-log/

it says you can not get username but usersub(user id) from InitiateAuth event.

profile picture
EXPERTE
Hiroki Takahashi
beantwortet vor einem Jahr
  • JointEffort
    vor einem Jahr

    I followed the instructions by enabling 'advanced security' in the Cognito user pool (which comes at an additional cost of $0.05 per Monthly Active User for the first 50.000). However, this results in usernames being add to the logs ONLY when using the management console to login to your account. Using the hosted UI of the Cognito userpool this has the "HIDDEN_DUE_TO_SECURITY_REASONS" value.

0

I think you have the wrong event. Here is what a successful login looks like (an unsuccessful login includes an "errorCode": "NotAuthorizedException"attribute):

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "Anonymous"
    },
    "eventTime": "2023-08-23T20:44:04Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "RespondToAuthChallenge",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<snip --X-- snip>",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": {
        "clientId": "<snip --X-- snip>",
        "challengeName": "PASSWORD_VERIFIER",
        "challengeResponses": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "clientMetadata": {}
    },
    "responseElements": {
        "challengeParameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "authenticationResult": {
            "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "expiresIn": 3600,
            "tokenType": "Bearer",
            "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "newDeviceMetadata": {
                "deviceKey": "us-east-1_ad4<snip --X-- snip>",
                "deviceGroupKey": "<snip --X-- snip>"
            }
        }
    },
    "additionalEventData": {
        "sub": "<***THIS IS THE COGNITO ID THAT YOU ARE LOOKING FOR IN HERE***>"
    },
    "requestID": "7a17ea29-1b2b-47f3-be72-d10de8a06aea",
    "eventID": "<snip --X-- snip>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<snip --X-- snip>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"
    }
}
Ryan_Shillington
beantwortet vor 9 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt