En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Cognito Cloud Trail not logging username on succesfull login

1

I have a CloudFront distributed app which uses a Cognito hosted UI for logging in. I see CognitoAuthentication events in Cloudtrail event history, but all with:

"username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]

These where succesfull logins... How do I get those usernames? They come from a Cognito userpool. Full (curated) event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "<MY_ACCOUNT>"
    },
    "eventTime": "2023-06-05T10:36:38Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "CognitoAuthentication",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "<MY-IP>",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "responseParameters": {
            "status": 302
        },
        "requestParameters": {
            "signInSubmitButton": [
                "Sign in"
            ],
            "password": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "scope": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "response_type": [
                "token"
            ],
            "_csrf": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "cognitoAsfData": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "redirect_uri": [
                "<MY-APP-URI>"
            ],
            "client_id": [
                "<MY-CLIENT-ID>"
            ],
            "username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]
        },
        "userPoolDomain": "<MY-NAME>.auth.eu-west-1.amazoncognito.com",
        "userPoolId": "<MY-POOL-ID>"
    },
    "requestID": "<UUID>",
    "eventID": "<UUID>,
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "<MY-ACCOUNT>",
    "serviceEventDetails": {
        "serviceAccountId": "<MY-ACCOUNT>"
    },
    "eventCategory": "Management"
}
Sujets
Sécurité, identité et conformité
Balises
Amazon Cognito
Langue
English
JointEffort
demandé il y a un an660 vues
2 réponses
0

Hi.I hope this link will help you.(written in Japanese so please translate it.)

https://dev.classmethod.jp/articles/how-to-check-the-cognito-authentication-log/

it says you can not get username but usersub(user id) from InitiateAuth event.

profile picture
EXPERT
Hiroki Takahashi
répondu il y a un an
  • JointEffort
    il y a un an

    I followed the instructions by enabling 'advanced security' in the Cognito user pool (which comes at an additional cost of $0.05 per Monthly Active User for the first 50.000). However, this results in usernames being add to the logs ONLY when using the management console to login to your account. Using the hosted UI of the Cognito userpool this has the "HIDDEN_DUE_TO_SECURITY_REASONS" value.

0

I think you have the wrong event. Here is what a successful login looks like (an unsuccessful login includes an "errorCode": "NotAuthorizedException"attribute):

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "Anonymous"
    },
    "eventTime": "2023-08-23T20:44:04Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "RespondToAuthChallenge",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<snip --X-- snip>",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": {
        "clientId": "<snip --X-- snip>",
        "challengeName": "PASSWORD_VERIFIER",
        "challengeResponses": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "clientMetadata": {}
    },
    "responseElements": {
        "challengeParameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "authenticationResult": {
            "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "expiresIn": 3600,
            "tokenType": "Bearer",
            "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "newDeviceMetadata": {
                "deviceKey": "us-east-1_ad4<snip --X-- snip>",
                "deviceGroupKey": "<snip --X-- snip>"
            }
        }
    },
    "additionalEventData": {
        "sub": "<***THIS IS THE COGNITO ID THAT YOU ARE LOOKING FOR IN HERE***>"
    },
    "requestID": "7a17ea29-1b2b-47f3-be72-d10de8a06aea",
    "eventID": "<snip --X-- snip>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<snip --X-- snip>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"
    }
}
Ryan_Shillington
répondu il y a 9 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents