AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Cognito Cloud Trail not logging username on succesfull login

1

I have a CloudFront distributed app which uses a Cognito hosted UI for logging in. I see CognitoAuthentication events in Cloudtrail event history, but all with:

"username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]

These where succesfull logins... How do I get those usernames? They come from a Cognito userpool. Full (curated) event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "<MY_ACCOUNT>"
    },
    "eventTime": "2023-06-05T10:36:38Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "CognitoAuthentication",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "<MY-IP>",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "responseParameters": {
            "status": 302
        },
        "requestParameters": {
            "signInSubmitButton": [
                "Sign in"
            ],
            "password": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "scope": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "response_type": [
                "token"
            ],
            "_csrf": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "cognitoAsfData": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "redirect_uri": [
                "<MY-APP-URI>"
            ],
            "client_id": [
                "<MY-CLIENT-ID>"
            ],
            "username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]
        },
        "userPoolDomain": "<MY-NAME>.auth.eu-west-1.amazoncognito.com",
        "userPoolId": "<MY-POOL-ID>"
    },
    "requestID": "<UUID>",
    "eventID": "<UUID>,
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "<MY-ACCOUNT>",
    "serviceEventDetails": {
        "serviceAccountId": "<MY-ACCOUNT>"
    },
    "eventCategory": "Management"
}
トピック
セキュリティ、アイデンティティ、コンプライアンス
タグ
Amazon Cognito
言語
English
JointEffort
質問済み 1年前662ビュー
2回答
0

Hi.I hope this link will help you.(written in Japanese so please translate it.)

https://dev.classmethod.jp/articles/how-to-check-the-cognito-authentication-log/

it says you can not get username but usersub(user id) from InitiateAuth event.

profile picture
エキスパート
Hiroki Takahashi
回答済み 1年前
  • JointEffort
    1年前

    I followed the instructions by enabling 'advanced security' in the Cognito user pool (which comes at an additional cost of $0.05 per Monthly Active User for the first 50.000). However, this results in usernames being add to the logs ONLY when using the management console to login to your account. Using the hosted UI of the Cognito userpool this has the "HIDDEN_DUE_TO_SECURITY_REASONS" value.

0

I think you have the wrong event. Here is what a successful login looks like (an unsuccessful login includes an "errorCode": "NotAuthorizedException"attribute):

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "Anonymous"
    },
    "eventTime": "2023-08-23T20:44:04Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "RespondToAuthChallenge",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<snip --X-- snip>",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": {
        "clientId": "<snip --X-- snip>",
        "challengeName": "PASSWORD_VERIFIER",
        "challengeResponses": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "clientMetadata": {}
    },
    "responseElements": {
        "challengeParameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "authenticationResult": {
            "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "expiresIn": 3600,
            "tokenType": "Bearer",
            "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "newDeviceMetadata": {
                "deviceKey": "us-east-1_ad4<snip --X-- snip>",
                "deviceGroupKey": "<snip --X-- snip>"
            }
        }
    },
    "additionalEventData": {
        "sub": "<***THIS IS THE COGNITO ID THAT YOU ARE LOOKING FOR IN HERE***>"
    },
    "requestID": "7a17ea29-1b2b-47f3-be72-d10de8a06aea",
    "eventID": "<snip --X-- snip>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<snip --X-- snip>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"
    }
}
Ryan_Shillington
回答済み 9ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ