Amazon Cognito information in CloudTrail
CloudTrail is turned on when you create your Amazon Web Services account. When supported event activity occurs in Amazon Cognito, that activity is recorded in a CloudTrail event along with other Amazon service events in Event history. You can view, search, and download recent events in your Amazon account. For more information, see Viewing events with CloudTrail event history.
For an ongoing record of events in your Amazon account, including events for Amazon Cognito, create a trail. A CloudTrail trail delivers log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see:
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
-
Whether the request was made with root or IAM user credentials.
-
Whether the request was made with temporary security credentials for a role or federated user.
-
Whether the request was made by another Amazon service.
For more information, see the CloudTrail userIdentity element.
Confidential data in Amazon CloudTrail
Because user pools and identity pools process user data, Amazon Cognito obscures some private
fields in your CloudTrail events with the value HIDDEN_FOR_SECURITY_REASONS. For
examples of fields that Amazon Cognito doesn't populate to events, see Understanding Amazon Cognito sign-in
events. Amazon Cognito only obscures some fields that
commonly contain user information, like passwords and tokens. Amazon Cognito doesn't perform any
automatic detection or masking of personally-identifying information that you populate to
non-private fields in your API requests.
Amazon Cognito User Pools
Amazon Cognito supports logging for all of the actions listed on the User pool actions page as events in CloudTrail log files. Amazon Cognito logs user pool events to CloudTrail as management events.
The eventType field in a Amazon Cognito user pools CloudTrail entry tells you whether your app
made the request to the Amazon Cognito user pools API
or to an endpoint that serves resources for OpenID Connect, SAML 2.0, or the hosted UI.
API requests have an eventType of AwsApiCall and endpoint
requests have an eventType of AwsServiceEvent.
Amazon Cognito logs the following hosted UI requests to your hosted UI as events in CloudTrail.
Hosted UI operations in CloudTrail | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Operation | Description | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Login_GET, CognitoAuthentication |
A user views or submits credentials to your Login endpoint. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OAuth2_Authorize_GET, Beta_Authorize_GET |
A user views your Authorize endpoint. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OAuth2Response_GET, OAuth2Response_POST |
A user submits an IdP token to your /oauth2/idpresponse
endpoint. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SAML2Response_POST, Beta_SAML2Response_POST |
A user submits an IdP SAML assertion to your /saml2/idpresponse
endpoint. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Login_OIDC_SAML_POST |
A user enters a username at your Login endpoint and matches with an IdP identifier. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Token_POST, Beta_Token_POST |
A user submits an authorization code to your Token endpoint. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Signup_GET, Signup_POST |
A user submits sign-up information to your /signup
endpoint. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Confirm_GET, Confirm_POST |
A user submits a confirmation code in the hosted UI. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ResendCode_POST |
A user submits a request to resend a confirmation code in the hosted UI. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ForgotPassword_GET, ForgotPassword_POST |
A user submits a request to reset their password to your
/forgotPassword endpoint. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ConfirmForgotPassword_GET,
ConfirmForgotPassword_POST |
A user submits a code to your /confirmForgotPassword endpoint
that confirms their ForgotPassword request. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ResetPassword_GET, ResetPassword_POST |
A user submits a new password in the hosted UI. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Mfa_GET, Mfa_POST |
A user submits a multi-factor authentication (MFA) code in the hosted UI. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
MfaOption_GET, MfaOption_POST |
A user chooses their preferred method for MFA in the hosted UI. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
MfaRegister_GET, MfaRegister_POST |
A user submits a multi-factor authentication (MFA) code in the hosted UI when registering the MFA. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Logout |
A user signs out at your /logout endpoint. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SAML2Logout_POST |
A user signs out at your /saml2/logout endpoint. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Error_GET |
A user views an error page in the hosted UI. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
UserInfo_GET, UserInfo_POST |
A user or IdP exchanges information with your UserInfo endpoint. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Confirm_With_Link_GET |
A user submits a confirmation based on a link that Amazon Cognito sent in an email message. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Event_Feedback_GET |
A user submits feedback to Amazon Cognito about an advanced security features event. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Note
Amazon Cognito records UserSub but not UserName in CloudTrail logs
for requests that are specific to a user. You can find a user for a given
UserSub by calling the ListUsers API, and using a filter for
sub.
Amazon Cognito identity pools
Data events
Amazon Cognito logs the following Amazon Cognito Identity events to CloudTrail as data events. Data events are high-volume data-plane API operations that CloudTrail doesn’t log by default. Additional charges apply for data events.
To generate CloudTrail logs for these API operations, you must activate data events in your trail and choose event selectors for Cognito identity pools. For more information, see Logging data events for trails in the Amazon CloudTrail User Guide.
You can also add identity pools event selectors to your trail with the following CLI command.
aws cloudtrail put-event-selectors --trail-name<trail name>--advanced-event-selectors \ "{\ \"Name\": \"Cognito Selector\",\ \"FieldSelectors\": [\ {\ \"Field\": \"eventCategory\",\ \"Equals\": [\ \"Data\"\ ]\ },\ {\ \"Field\": \"resources.type\",\ \"Equals\": [\ \"AWS::Cognito::IdentityPool\"\ ]\ }\ ]\ }"
Management events
Amazon Cognito logs the remainder of Amazon Cognito identity pools API operations as management events. CloudTrail logs management event API operations by default.
For a list of the Amazon Cognito identity pools API operations that Amazon Cognito logs to CloudTrail, see the Amazon Cognito identity pools API Reference.
Amazon Cognito Sync
Amazon Cognito logs all Amazon Cognito Sync API operations as management events. For a list of the Amazon Cognito Sync API operations that Amazon Cognito logs to CloudTrail, see the Amazon Cognito Sync API Reference.