
Logging additional activity from Amazon Cognito user pools

You can configure your user pool to send detailed logs of some additional activity to a CloudWatch log group. These logs are more granular than the records in Amazon CloudTrail and can help you troubleshoot your user pool. When you activate this feature, you choose the log group where you want Amazon Cognito to send the logs. User activity logging is useful when you want to find out the delivery status of the email and SMS messages that your user pool sent with Amazon SNS and Amazon SES.

Currently, you can only deliver Error-level user notification logs from your user pool.

Detailed logging doesn’t replace or change the following log functions of user pools.

  1. CloudTrail logs of routine user activity like sign-up and sign-in.

  2. Analysis of user activity at scale with CloudWatch metrics.

Separately, you can also find logs from user import jobs and Lambda triggers in CloudWatch Logs. Amazon Cognito and Lambda store these logs in different log groups from the ones that you specify for detailed activity logs.

You can configure detailed activity logs with the Amazon Cognito user pools API in a SetLogDeliveryConfiguration API request. You can view the logging configuration of a user pool in a GetLogDeliveryConfiguration API request.

You must authorize these requests with Amazon credentials that have the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUserPoolLogs",
      "Action": [
        "cognito-idp:SetLogDeliveryConfiguration",
        "cognito-idp:GetLogDeliveryConfiguration"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    },
    {
      "Sid": "CognitoLog",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    },
    {
      "Sid": "CognitoLoggingCWL",
      "Action": [
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    }
  ]
}
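The following script is an added example, not code from the Amazon Cognito documentation. It applies a log delivery configuration with boto3 and reads it back, and it also checks whether the destination log group uses the /aws/vendedlogs prefix before making the call. The boto3 method names set_log_delivery_configuration and get_log_delivery_configuration, the EventSource value "userNotification", and the user pool and log group identifiers are assumptions and placeholders that you should check against the current API reference; the client is passed in as a parameter so the logic can be exercised offline with a fake client.

```python
"""Added example (not from the Amazon Cognito documentation): configure and
verify detailed activity logging for a user pool with boto3.

Assumptions: the boto3 method names set_log_delivery_configuration and
get_log_delivery_configuration, the EventSource value "userNotification",
and the LogLevel value "ERROR". The user pool ID and log group ARN below
are placeholders constructed for this example."""
from typing import Any, Dict, List

VENDED_PREFIX = "/aws/vendedlogs/"


def log_group_name_from_arn(log_group_arn: str) -> str:
    """Extract the log group name from an ARN of the form
    arn:aws:logs:<region>:<account>:log-group:<name>[:*]."""
    marker = ":log-group:"
    if marker not in log_group_arn:
        raise ValueError(f"not a log group ARN: {log_group_arn}")
    name = log_group_arn.split(marker, 1)[1]
    if name.endswith(":*"):
        name = name[:-2]
    return name


def uses_vended_logs_prefix(log_group_arn: str) -> bool:
    """True when the log group sits under /aws/vendedlogs, which the page
    recommends when the log group resource policy would exceed 5120 characters."""
    return log_group_name_from_arn(log_group_arn).startswith(VENDED_PREFIX)


def build_log_configurations(log_group_arn: str) -> List[Dict[str, Any]]:
    """Build the LogConfigurations list for SetLogDeliveryConfiguration.
    Only ERROR-level user-notification logs can currently be delivered."""
    return [{
        "LogLevel": "ERROR",
        "EventSource": "userNotification",  # assumed API value
        "CloudWatchLogsConfiguration": {"LogGroupArn": log_group_arn},
    }]


def enable_detailed_logging(client, user_pool_id: str, log_group_arn: str) -> Dict[str, Any]:
    """Apply the configuration, then read it back and return the effective
    LogDeliveryConfiguration. `client` is a boto3 cognito-idp client, or any
    object exposing the same two methods."""
    client.set_log_delivery_configuration(
        UserPoolId=user_pool_id,
        LogConfigurations=build_log_configurations(log_group_arn),
    )
    resp = client.get_log_delivery_configuration(UserPoolId=user_pool_id)
    return resp["LogDeliveryConfiguration"]


def verify_configuration(config: Dict[str, Any], expected_arn: str) -> bool:
    """Check that at least one entry delivers ERROR userNotification logs
    to the expected log group."""
    for entry in config.get("LogConfigurations", []):
        cw = entry.get("CloudWatchLogsConfiguration") or {}
        if (entry.get("LogLevel") == "ERROR"
                and entry.get("EventSource") == "userNotification"
                and cw.get("LogGroupArn") == expected_arn):
            return True
    return False


if __name__ == "__main__":
    import boto3  # only needed for the live call

    # Placeholder identifiers constructed for this example.
    user_pool_id = "us-east-1_EXAMPLE"
    log_group_arn = ("arn:aws:logs:us-east-1:123456789012:log-group:"
                     "/aws/vendedlogs/cognito/userpool-errors")
    if not uses_vended_logs_prefix(log_group_arn):
        print("warning: log group is outside /aws/vendedlogs; a large resource policy may be rejected")
    cognito = boto3.client("cognito-idp", region_name="us-east-1")
    effective = enable_detailed_logging(cognito, user_pool_id, log_group_arn)
    print("configured:", verify_configuration(effective, log_group_arn))
```

Running the live part requires credentials carrying the permissions in the policy above; the read-back step matters because the configuration is only effective once GetLogDeliveryConfiguration reports it.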

The following is an example event from a user pool. This log schema is subject to change. Some fields might be logged with null values.

{
  "eventTimestamp": "1687297330677",
  "eventSource": "USER_NOTIFICATION",
  "logLevel": "ERROR",
  "message": {
    "details": "String"
  },
  "logSourceId": {
    "userPoolId": "String"
  }
}
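The following parser is an added example, not code from the Amazon Cognito documentation. It reads events in the schema shown above, converts the millisecond eventTimestamp string to a UTC datetime, tolerates the null fields the page says can occur, and counts ERROR-level USER_NOTIFICATION events per user pool so that a burst of SES or SNS delivery failures stands out. The sample log lines are constructed; the details text in real events will differ.

```python
"""Added example (not from the Amazon Cognito documentation): parse detailed
activity events and summarise notification errors per user pool.
The SAMPLE_LINES below are constructed for this example."""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample: three well-formed events (one with a null details
# field, as the page allows) plus one unparseable line.
SAMPLE_LINES = [
    '{"eventTimestamp": "1687297330677", "eventSource": "USER_NOTIFICATION", "logLevel": "ERROR", '
    '"message": {"details": "SMS delivery failed"}, "logSourceId": {"userPoolId": "us-east-1_EXAMPLE"}}',
    '{"eventTimestamp": "1687297331000", "eventSource": "USER_NOTIFICATION", "logLevel": "ERROR", '
    '"message": {"details": null}, "logSourceId": {"userPoolId": "us-east-1_EXAMPLE"}}',
    '{"eventTimestamp": "1687297332000", "eventSource": "USER_NOTIFICATION", "logLevel": "ERROR", '
    '"message": {"details": "Email bounced"}, "logSourceId": {"userPoolId": "us-east-1_OTHER"}}',
    'not json at all',
]


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """Parse one log line into a flat record, or return None if unusable.

    eventTimestamp is epoch milliseconds as a string. Null or missing
    sub-fields are kept as None rather than raising."""
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(raw, dict):
        return None
    ts = None
    try:
        ms = int(raw.get("eventTimestamp"))
        # Integer arithmetic keeps the millisecond exact; no float rounding.
        ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
            microsecond=(ms % 1000) * 1000)
    except (TypeError, ValueError):
        pass
    message = raw.get("message") or {}
    source = raw.get("logSourceId") or {}
    return {
        "timestamp": ts,
        "eventSource": raw.get("eventSource"),
        "logLevel": raw.get("logLevel"),
        "details": message.get("details"),
        "userPoolId": source.get("userPoolId"),
    }


def notification_errors(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Keep only ERROR-level USER_NOTIFICATION events."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["eventSource"] == "USER_NOTIFICATION" and ev["logLevel"] == "ERROR":
            out.append(ev)
    return out


def errors_per_pool(lines: Iterable[str]) -> Dict[str, int]:
    """Count notification errors per user pool; a sudden rise for one pool
    is a cheap signal that its SES/SNS delivery is failing."""
    return dict(Counter(ev["userPoolId"] for ev in notification_errors(lines)))


if __name__ == "__main__":
    for ev in notification_errors(SAMPLE_LINES):
        stamp = ev["timestamp"].isoformat() if ev["timestamp"] else "unknown-time"
        print(stamp, ev["userPoolId"], ev["details"])
    print(errors_per_pool(SAMPLE_LINES))
```

Because delivery is best effort and the schema may change, the parser treats every field as optional and skips lines it cannot decode instead of aborting the whole batch.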

Delivery of logs from Amazon Cognito is best effort. The volume of logs that your user pool delivers, and your service quotas for CloudWatch Logs, can affect the delivery of logs.

CloudWatch Logs charges apply when log delivery is enabled. For more information, see Vended Logs in Amazon CloudWatch Pricing.

If the resource policy on the destination log group would be larger than 5120 characters, configure a log group whose name starts with /aws/vendedlogs. For more information, see Enabling logging from certain Amazon services.