Cognito CloudTrail not logging username on successful login

1

I have a CloudFront distributed app which uses a Cognito hosted UI for logging in. I see CognitoAuthentication events in CloudTrail event history, but all with:

"username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]

These were successful logins... How do I get those usernames? They come from a Cognito user pool. Full (curated) event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "<MY_ACCOUNT>"
    },
    "eventTime": "2023-06-05T10:36:38Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "CognitoAuthentication",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "<MY-IP>",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "responseParameters": {
            "status": 302
        },
        "requestParameters": {
            "signInSubmitButton": [
                "Sign in"
            ],
            "password": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "scope": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "response_type": [
                "token"
            ],
            "_csrf": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "cognitoAsfData": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ],
            "redirect_uri": [
                "<MY-APP-URI>"
            ],
            "client_id": [
                "<MY-CLIENT-ID>"
            ],
            "username": [
                "HIDDEN_DUE_TO_SECURITY_REASONS"
            ]
        },
        "userPoolDomain": "<MY-NAME>.auth.eu-west-1.amazoncognito.com",
        "userPoolId": "<MY-POOL-ID>"
    },
    "requestID": "<UUID>",
    "eventID": "<UUID>",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "<MY-ACCOUNT>",
    "serviceEventDetails": {
        "serviceAccountId": "<MY-ACCOUNT>"
    },
    "eventCategory": "Management"
}
Asked 1 year ago, viewed 662 times
2 answers
0

Hi. I hope this link will help you (written in Japanese, so please translate it).

https://dev.classmethod.jp/articles/how-to-check-the-cognito-authentication-log/

It says you cannot get the username, but you can get the user sub (user ID) from the InitiateAuth event.

Expert
Answered 1 year ago
  • I followed the instructions by enabling 'advanced security' in the Cognito user pool (which comes at an additional cost of $0.05 per Monthly Active User for the first 50,000). However, this results in usernames being added to the logs ONLY when using the management console to log in to your account. Using the hosted UI of the Cognito user pool, this has the "HIDDEN_DUE_TO_SECURITY_REASONS" value.

0

I think you have the wrong event. Here is what a successful login looks like (an unsuccessful login includes an "errorCode": "NotAuthorizedException" attribute):

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "Anonymous"
    },
    "eventTime": "2023-08-23T20:44:04Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "RespondToAuthChallenge",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<snip --X-- snip>",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "requestParameters": {
        "clientId": "<snip --X-- snip>",
        "challengeName": "PASSWORD_VERIFIER",
        "challengeResponses": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "clientMetadata": {}
    },
    "responseElements": {
        "challengeParameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "authenticationResult": {
            "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "expiresIn": 3600,
            "tokenType": "Bearer",
            "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "newDeviceMetadata": {
                "deviceKey": "us-east-1_ad4<snip --X-- snip>",
                "deviceGroupKey": "<snip --X-- snip>"
            }
        }
    },
    "additionalEventData": {
        "sub": "<***THIS IS THE COGNITO ID THAT YOU ARE LOOKING FOR IN HERE***>"
    },
    "requestID": "7a17ea29-1b2b-47f3-be72-d10de8a06aea",
    "eventID": "<snip --X-- snip>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<snip --X-- snip>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"
    }
}
Answered 9 months ago
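Putting the two answers together: the hosted-UI CognitoAuthentication service event redacts the username, while the RespondToAuthChallenge API event carries the user's sub in additionalEventData, and ListUsers can map a sub back to a Username. The script below is an added example, not code from this thread or from AWS, that triages a batch of CloudTrail records that way. The sample records are constructed to mirror the two shapes posted above; the pool ID, client ID, IP addresses and sub value are made up, and OfflineStubClient stands in for a boto3 cognito-idp client so the script runs without AWS access.

```python
"""Triage Cognito sign-in records pulled from CloudTrail (added example).
Assumed input: CloudTrail records already parsed from JSON, e.g. from
LookupEvents or an S3 trail. Sample data below is constructed."""
import re
from collections import Counter

SUB_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample: a hosted-UI service event (username redacted), a
# PASSWORD_VERIFIER round that returned tokens, and one that failed.
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "CognitoAuthentication",
     "eventType": "AwsServiceEvent", "eventTime": "2023-06-05T10:36:38Z",
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"responseParameters": {"status": 302},
                             "requestParameters": {"username": ["HIDDEN_DUE_TO_SECURITY_REASONS"]},
                             "userPoolId": "eu-west-1_EXAMPLE"}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "RespondToAuthChallenge",
     "eventType": "AwsApiCall", "eventTime": "2023-08-23T20:44:04Z",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"clientId": "example-client-id", "challengeName": "PASSWORD_VERIFIER"},
     "responseElements": {"authenticationResult": {"expiresIn": 3600, "tokenType": "Bearer"}},
     "additionalEventData": {"sub": SAMPLE_SUB}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "RespondToAuthChallenge",
     "eventType": "AwsApiCall", "eventTime": "2023-08-23T20:45:10Z",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"clientId": "example-client-id", "challengeName": "PASSWORD_VERIFIER"},
     "errorCode": "NotAuthorizedException",
     "errorMessage": "Incorrect username or password."},
]

AUTH_CALLS = {"InitiateAuth", "RespondToAuthChallenge",
              "AdminInitiateAuth", "AdminRespondToAuthChallenge"}

def classify(event):
    """Return (outcome, sub) for one record.
    hosted_ui: CognitoAuthentication service event, username redacted, no sub
    success:   auth API call whose response carried authenticationResult
    failure:   auth API call that returned an errorCode
    challenge: auth API call that only returned the next challenge"""
    if event.get("eventSource") != "cognito-idp.amazonaws.com":
        return "other", None
    sub = (event.get("additionalEventData") or {}).get("sub")
    name = event.get("eventName")
    if name == "CognitoAuthentication":
        return "hosted_ui", sub
    if name in AUTH_CALLS:
        if "errorCode" in event:
            return "failure", sub
        if (event.get("responseElements") or {}).get("authenticationResult"):
            return "success", sub
        return "challenge", sub
    return "other", sub

def summarize(events):
    """Successful sign-ins keyed by sub, failures per source IP, and the count of hosted-UI records with no usable identity."""
    successes, failures, redacted = {}, Counter(), 0
    for ev in events:
        outcome, sub = classify(ev)
        if outcome == "success":
            successes.setdefault(sub or "unknown", []).append(
                (ev.get("eventTime"), ev.get("sourceIPAddress")))
        elif outcome == "failure":
            failures[ev.get("sourceIPAddress", "unknown")] += 1
        elif outcome == "hosted_ui":
            redacted += 1
    return {"successes": successes, "failures": failures, "hosted_ui_redacted": redacted}

def resolve_sub(user_pool_id, sub, client):
    """Map a sub back to a Username via ListUsers with a `sub = "..."` filter.
    `client` is a boto3 cognito-idp client (assumption: caller holds
    cognito-idp:ListUsers on the pool); the sub is validated as a UUID first."""
    if not SUB_RE.fullmatch(sub):
        raise ValueError("sub is not a UUID: %r" % sub)
    resp = client.list_users(UserPoolId=user_pool_id,
                             Filter='sub = "%s"' % sub, Limit=1)
    users = resp.get("Users", [])
    return users[0]["Username"] if users else None

class OfflineStubClient:
    """Stand-in for a boto3 client so the example runs without AWS access."""
    def list_users(self, **kwargs):
        if kwargs["Filter"] == 'sub = "%s"' % SAMPLE_SUB:
            return {"Users": [{"Username": "alice"}]}
        return {"Users": []}

if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for sub, hits in report["successes"].items():
        name = resolve_sub("eu-west-1_EXAMPLE", sub, OfflineStubClient())
        print(sub, "->", name, hits)
    print("failures by IP:", dict(report["failures"]))
    print("hosted-UI records without identity:", report["hosted_ui_redacted"])
```

The `sub = "..."` filter is the real ListUsers filter syntax; the UUID check before building that string is there because the value comes straight out of a log. Note that the hosted-UI record in the sample yields no sub at all, so the script can only count it, which is exactly the limitation the question and the first answer's comment describe.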
