Console logins not appearing in CloudTrail logs

Question

I'm trying to create an alert for AWS console logins. I've set up a CloudTrail trail that is multi-region, enabled for all accounts, and is logging all API activity. It's creating log files in my S3 bucket, but those files never include events for console access. I'm logging in and out over and over again and then pulling the files but do not find login events in them. Also, when I go to the CloudTrail event history and search for "Event name = ConsoleLogin" it does show me some login events but the most recent one is from 13 days ago and I've logged in many times since then. When I'm looking at the event history I have my region set to us-east-1. Any ideas what I could be doing wrong here would be amazing, thanks!

larryjkl
a year ago
I dont know a lot; but are you seeing other more recent types of management events ( "managementEvent" : true ) in the bucket?

Answer

Hello,

ConsoleLogin events are not necessarily logged in the us-east-1 region. When logging into your AWS management console, a region is picked randomly based on multiple factors and the ConsoleLogin event is logged in the corresponding region. So, if you are only checking in us-east-1 region, it is possible that the event is logged in other regions. Easiest way to identify this would be to configure your trail to forward the events to a Cloudwatch log group. You can then filter for ConsoleLogin in this Cloudwatch log group. Alternatively, you can use region based URL to login to AWS management console, such as below:

https://signin.aws.amazon.com/console?region=us-east-1

Using a region-specific URL to login to the console will ensure the event is logged in a specific region. The region in the above URL can be set to any region of your choice.

Console logins not appearing in CloudTrail logs

Relevant content