
CloudTrail log event for Identity Center user sign-out?

0

Hi all

I want to compute Identity Center user inactive time (time after the latest sign-out). Is there a CloudTrail log event for Identity Center user sign-out? I can see the events for sign-in - https://docs.aws.amazon.com/singlesignon/latest/userguide/sign-in-events-examples.html - but not for sign-out.

Thanks.

asked a year ago, 385 views
2 Answers
0
Accepted Answer

There are CloudTrail events for AWS access portal API operations, which include the Logout API call:

cloudtrail-events-access-portal-operations: https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html#cloudtrail-events-access-portal-operations

Logout (From AWS IAM Identity Center Portal API Reference): https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_Logout.html

answered 3 months ago
-2

There isn't a specific CloudTrail log event for IAM Identity Center user sign-out. The sign-out process in IAM Identity Center doesn't generate a dedicated CloudTrail event like sign-in does.

However, you can track user activity and session information in other ways:

  1. IAM Identity Center maintains two types of sessions: sign-in sessions and application sessions. Sign-in sessions can last up to 90 days, while application sessions have a 1-hour lifetime and are automatically refreshed.

  2. When a user signs out or their session is revoked, all application sessions terminate. This termination happens within 30 minutes in most cases, though it can take up to an hour in some situations, such as during service disruptions.

  3. For AWS account access through IAM Identity Center, sessions can persist for up to 12 hours based on the configured IAM role session duration in the permission set.

  4. To track user activity within the same session, IAM Identity Center emits a 'credentialId' field in CloudTrail events for user actions in the AWS access portal or when using the AWS CLI. This field contains the AWS access portal session ID for a user, which can help you track user actions during their session.

  5. You can monitor the 'UserAuthentication' event in CloudTrail, which is logged when all authentication requirements have been completed and the user has been signed in. This event includes a 'LoginTo' field that specifies the redirect location following a successful sign-in sequence.

While these methods don't provide a direct sign-out event, they can help you infer user activity and session status. To compute user inactive time, you might need to combine this information with other logs or implement additional tracking mechanisms within your applications.
Sources
Authentication in IAM Identity Center - AWS IAM Identity Center
Important changes to CloudTrail events for AWS IAM Identity Center | AWS Security Blog
Understanding IAM Identity Center sign-in events - AWS IAM Identity Center

answered a year ago
EXPERT
reviewed a year ago
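Putting the two answers together (the access portal Logout event from the accepted answer and the UserAuthentication sign-in event from the second one), here is an added example of computing per-user inactive time from a CloudTrail export. It is not code from the thread or from AWS; the records are constructed samples, and the eventSource value and the userIdentity.userName location are assumptions to check against your own trail.

```python
import json
from datetime import datetime, timezone

IDC_EVENT_SOURCE = "sso.amazonaws.com"  # assumed eventSource for Identity Center events
SIGN_IN_EVENT = "UserAuthentication"    # logged once all authentication requirements are met
SIGN_OUT_EVENT = "Logout"               # AWS access portal Logout API call

# Constructed sample in CloudTrail's {"Records": [...]} shape; only the fields read
# below are present. carol's records are deliberately out of order, and the
# ListApplications record is a distractor that must be ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "UserAuthentication",
     "eventSource": "sso.amazonaws.com", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "Logout",
     "eventSource": "sso.amazonaws.com", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "ListApplications",
     "eventSource": "sso.amazonaws.com", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "UserAuthentication",
     "eventSource": "sso.amazonaws.com", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2024-04-30T17:00:00Z", "eventName": "Logout",
     "eventSource": "sso.amazonaws.com", "userIdentity": {"userName": "carol"}},
    {"eventTime": "2024-04-30T09:00:00Z", "eventName": "UserAuthentication",
     "eventSource": "sso.amazonaws.com", "userIdentity": {"userName": "carol"}},
]})
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_trail(text):
    """Yield (user, eventName, eventTime) for Identity Center sign-in/sign-out records."""
    for rec in json.loads(text)["Records"]:
        if rec.get("eventSource") != IDC_EVENT_SOURCE:
            continue
        if rec.get("eventName") not in (SIGN_IN_EVENT, SIGN_OUT_EVENT):
            continue
        user = rec.get("userIdentity", {}).get("userName")  # assumed location of the user name
        if not user:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield user, rec["eventName"], when


def inactive_seconds(text, now):
    """Seconds since each user's last sign-out, or None when the most recent
    sign-in/sign-out event is a sign-in (the trail shows no sign-out yet)."""
    latest = {}
    for user, name, when in parse_trail(text):
        if user not in latest or when > latest[user][1]:
            latest[user] = (name, when)
    return {u: (None if n == SIGN_IN_EVENT else int((now - t).total_seconds()))
            for u, (n, t) in latest.items()}
```

A None result means the trail shows the user as still signed in; as the second answer notes, a sign-in session can outlive this picture by up to 90 days, so treat None as "no recorded sign-out", not as "active".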
