Why does ConsoleLogin event routing via EventBridge require a custom CloudTrail trail?

Hi everyone,

I have two questions related to ConsoleLogin events and EventBridge that I haven't been able to fully understand.

1. Custom CloudTrail trail requirement for ConsoleLogin events

I've checked that in order for ConsoleLogin events to be sent to an EventBridge bus and then processed by a rule, it is necessary to have a custom CloudTrail trail configured to log both read and write management events.

However, basic EC2 operations such as stopping, starting, or rebooting instances work fine without any custom trail — CloudTrail seems to forward those events to the bus automatically.

Why is a custom trail specifically required for ConsoleLogin events? Is this a known limitation or am I missing something in my setup?

2. ConsoleLogin events are region-scoped in EventBridge

I have an EventBridge rule configured on the us-east-1 default event bus. When I log in to the AWS Console and my session is associated with us-east-1, the rule triggers correctly.

However, when I log in from a different region, the event does not reach the us-east-1 bus and the rule does not trigger.

Is this the expected behavior? Should I configure a separate rule and bus in each region, or is there a way to centralize all ConsoleLogin events into a single bus regardless of the region the user logs in from?

Any clarification would be greatly appreciated.

Thanks in advance!

1 Answer
Hello, for console login events, you can check the documentation: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html. The login region depends on whether you use a global or regional endpoint to sign in. Based on the documentation, you don't need a custom CloudTrail.

EXPERT
answered 2 months ago
  • Hi, thank you for the clarification and the documentation link!

    Regarding the region behavior, after checking my login URL I can confirm that AWS always redirects me to a regional endpoint automatically (in my case eu-north-1.signin.aws.amazon.com), so the login is never truly global — it always goes through a specific region. That explains why my EventBridge rule in us-east-1 was never triggering.

    However, I'm still experiencing an issue with the custom CloudTrail trail requirement. According to the documentation you shared, a custom trail should not be necessary for ConsoleLogin events to be forwarded to the EventBridge bus. But in my setup, without a custom CloudTrail trail logging management events, the ConsoleLogin events do not seem to reach the bus at all and my rule never triggers.

    Interestingly, basic EC2 operations such as stopping, starting, or rebooting instances work perfectly fine without any custom trail — those events are forwarded to the bus automatically by CloudTrail.

    Is this a known inconsistency or is there something specific about ConsoleLogin events that requires additional configuration to be forwarded to EventBridge? Has anyone else experienced this behavior?

    Thanks again!
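As an added example (not code from the original post or from AWS), here is an EventBridge event pattern for the ConsoleLogin events discussed above, together with a small matcher that mimics EventBridge's exact-match semantics so the pattern can be checked offline against a constructed sample event before the rule is deployed. The `source` and `detail-type` values are the ones EventBridge uses for CloudTrail sign-in events; the account id and sample record are constructed, and `login_verdict` is an assumed triage helper, not part of any AWS API.

```python
# Added example (not from the original post or AWS): an EventBridge event
# pattern for ConsoleLogin events plus a minimal offline matcher for it.

# Sign-in events reach the bus with source "aws.signin" and detail-type
# "AWS Console Sign In via CloudTrail"; the CloudTrail record is in "detail".
# No region is matched: a rule only sees events delivered to its own bus.
CONSOLE_LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"]},
}

# Constructed sample as EventBridge delivers it (placeholder account id).
SAMPLE_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "source": "aws.signin",
    "account": "111122223333",
    "region": "eu-north-1",
    "detail": {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "eu-north-1",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
}

def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: a list means 'equals any listed
    value', a nested dict recurses, and a missing key never matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def login_verdict(event: dict) -> str:
    """Triage a matched record: failed attempts and logins without MFA
    are the ones worth alerting on."""
    detail = event["detail"]
    if detail.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return "failed-login"
    if detail.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return "success-without-mfa"
    return "success-with-mfa"
```

Because the rule only sees events on the bus in its own region, a sign-in routed through a regional endpoint such as eu-north-1 will only ever match a rule on that region's bus unless events are forwarded to a central bus.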
