Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Cognito Cloud Trail not logging username on succesfull login

1

I have a CloudFront distributed app which uses a Cognito hosted UI for logging in. I see CognitoAuthentication events in Cloudtrail event history, but all with:

"username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]

These where succesfull logins... How do I get those usernames? They come from a Cognito userpool. Full (curated) event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "<MY_ACCOUNT>"
    },
    "eventTime": "2023-06-05T10:36:38Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "CognitoAuthentication",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "<MY-IP>",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "responseParameters": {
            "status": 302
        },
        "requestParameters": {
            "signInSubmitButton": [
                "Sign in"
            ],
            "password": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "scope": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "response_type": [
                "token"
            ],
            "_csrf": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "cognitoAsfData": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "redirect_uri": [
                "<MY-APP-URI>"
            ],
            "client_id": [
                "<MY-CLIENT-ID>"
            ],
            "username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]
        },
        "userPoolDomain": "<MY-NAME>.auth.eu-west-1.amazoncognito.com",
        "userPoolId": "<MY-POOL-ID>"
    },
    "requestID": "<UUID>",
    "eventID": "<UUID>,
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "<MY-ACCOUNT>",
    "serviceEventDetails": {
        "serviceAccountId": "<MY-ACCOUNT>"
    },
    "eventCategory": "Management"
}
Topics
Security, Identity, & Compliance
Tags
Amazon Cognito
Language
English
asked 3 years ago1.6K views
2 Answers
0

Hi.I hope this link will help you.(written in Japanese so please translate it.)

https://dev.classmethod.jp/articles/how-to-check-the-cognito-authentication-log/

it says you can not get username but usersub(user id) from InitiateAuth event.

EXPERT
answered 3 years ago
  • JointEffort
    3 years ago

    I followed the instructions by enabling 'advanced security' in the Cognito user pool (which comes at an additional cost of $0.05 per Monthly Active User for the first 50.000). However, this results in usernames being add to the logs ONLY when using the management console to login to your account. Using the hosted UI of the Cognito userpool this has the "HIDDEN_DUE_TO_SECURITY_REASONS" value.

0

I think you have the wrong event. Here is what a successful login looks like (an unsuccessful login includes an "errorCode": "NotAuthorizedException"attribute):

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "Anonymous"
    },
    "eventTime": "2023-08-23T20:44:04Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "RespondToAuthChallenge",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<snip --X-- snip>",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": {
        "clientId": "<snip --X-- snip>",
        "challengeName": "PASSWORD_VERIFIER",
        "challengeResponses": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "clientMetadata": {}
    },
    "responseElements": {
        "challengeParameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "authenticationResult": {
            "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "expiresIn": 3600,
            "tokenType": "Bearer",
            "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "newDeviceMetadata": {
                "deviceKey": "us-east-1_ad4<snip --X-- snip>",
                "deviceGroupKey": "<snip --X-- snip>"
            }
        }
    },
    "additionalEventData": {
        "sub": "<***THIS IS THE COGNITO ID THAT YOU ARE LOOKING FOR IN HERE***>"
    },
    "requestID": "7a17ea29-1b2b-47f3-be72-d10de8a06aea",
    "eventID": "<snip --X-- snip>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<snip --X-- snip>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"
    }
}
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content