
Why Does CloudTrail Take 10-15 Minutes to Log IAM User ConsoleLogin Failures?


I enabled CloudTrail to track failed IAM user ConsoleLogin attempts, but I noticed a 10-15 minute delay before the events appear in Event History or CloudWatch Logs.

  • Management Events (Read/Write) enabled
  • CloudWatch Logs integration enabled
  • IAM login failures are getting logged, but with a delay

Is this expected behavior? Can the delay be reduced for faster detection of failed logins?

1 Answer
Accepted Answer

CloudTrail aggregates events and delivers them in batches. In most cases, logs are delivered every 5 minutes. This is stated in the CloudTrail service FAQ: https://aws.amazon.com/cloudtrail/faqs/#product-faqs#cloudtrail-faqs#event-message-timeliness-and-delivery-frequency and this documentation section: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-trails, in the "Note" box:

CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.

The batching of events is quite vital for the service to be able to function reliably also under unusual circumstances, such as heavy cyberattacks or partial technical failures, so the delivery interval is fixed for all users and is not configurable.

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Thank you for the explanation! Is there any approach for real-time monitoring of user ConsoleLogin events?
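
To quantify the batching delay discussed in this thread, the following added example (not part of the original posts and not AWS code) compares each failed ConsoleLogin record's `eventTime` with the `ingestionTime` that CloudWatch Logs assigns on arrival. The sample events, user name and IP address are constructed; the field names are the ones CloudTrail and CloudWatch Logs use.

```python
import json
from datetime import datetime, timezone


def epoch_ms(iso_utc):
    """CloudTrail eventTime (ISO 8601, UTC) -> epoch milliseconds."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1000)


def failed_login_delays(log_events):
    """One finding per failed ConsoleLogin, with delivery delay in seconds."""
    findings = []
    for ev in log_events:
        try:
            rec = json.loads(ev["message"])
        except (KeyError, ValueError):
            continue  # not a JSON CloudTrail record
        if not isinstance(rec, dict) or rec.get("eventName") != "ConsoleLogin":
            continue
        # responseElements may be null, so guard before the lookup
        if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Failure":
            continue
        delay = (ev["ingestionTime"] - epoch_ms(rec["eventTime"])) / 1000
        findings.append({
            "user": (rec.get("userIdentity") or {}).get("userName", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "event_time": rec["eventTime"],
            "delay_seconds": delay,
        })
    return findings


def _sample(event_time, arrived_after_s, result):
    """Constructed log event in the shape CloudWatch Logs returns."""
    rec = {"eventName": "ConsoleLogin", "eventTime": event_time,
           "userIdentity": {"type": "IAMUser", "userName": "alice"},
           "sourceIPAddress": "203.0.113.10",
           "responseElements": {"ConsoleLogin": result}}
    return {"ingestionTime": epoch_ms(event_time) + arrived_after_s * 1000,
            "message": json.dumps(rec)}


SAMPLE_EVENTS = [  # constructed: two failures and a success in one batch
    _sample("2024-01-01T12:00:00Z", 312, "Failure"),
    _sample("2024-01-01T12:00:40Z", 272, "Failure"),
    _sample("2024-01-01T12:01:05Z", 247, "Success"),
    {"ingestionTime": 0, "message": "not json"},
]

if __name__ == "__main__":
    for f in failed_login_delays(SAMPLE_EVENTS):
        print(f)
```

Because events arrive in batches, detection windows that count failures per user should be keyed on `eventTime` rather than on arrival time.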
