AWS Security Blog

AWS CloudTrail Now Logs AWS Management Console Sign-In Events

We’ve heard from many of you that you want greater visibility into when users sign in to the AWS Management Console. We are excited to announce that AWS CloudTrail now captures console sign-in events whenever an account owner, a federated user, or an IAM user signs into the console.

For those of you who aren’t familiar with CloudTrail, it’s a service that enables you to record AWS API calls made from within your account and store the results in an Amazon S3 bucket. We recommend that you enable CloudTrail as part of a general security best practice.

In this blog post I give an overview of the benefits of logging console sign-in events and describe how to read log files. 

Why log sign-in events?

Logging successful and unsuccessful console sign-in events for AWS IAM and federated users can help you with your compliance and security efforts. With this new feature, you get the following for both IAM and federated users:

  • Every successful sign-in.
  • Every unsuccessful sign-in attempt.
  • Verification of when multi-factor authentication (MFA) was enforced.
  • The IP address of every sign-in event.

Additionally, you can see a record of every time a root account successfully signs in. Finally, you can see when an IAM user has not signed in for a period of time, suggesting that you might be able to remove that IAM user.

Reading a CloudTrail entry for sign-in

Let’s take a look at an example of a log entry for a console sign-in. It contains information such as the user identity, source IP address, and whether MFA was used. See the sample log entry below. After the example, I’ll call out the sections that are helpful for finding the information I discussed.

{
    "eventVersion": "1.01",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:Alice",
        "accountId": "123456789012"
    },
    "eventTime": "2014-07-08T17:36:04Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "10.0.0.1",
    "userAgent": "AWS Console Access",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "MobileVersion": "No",
        "LoginTo": "https://console.aws.amazon.com/sns",
        "MFAUsed": "Yes"
    },
    "eventID": "example-even-tide-xamp-123456789012"
}

In the first block of text from rows 4 through 7, you will find information about the user who signed into the console:

      "type": "IAMUser",
      "principalId": "AIDAJDPLRKLG7UEXAMPLE",
      "arn": "arn:aws:iam::123456789012:Alice",
      "accountId": "123456789012",

Line 4 shows that an IAM user (not the root user) signed in to the console. Line 5 shows the unique ID for that IAM user, and line 6 shows us that it was IAM user Alice who signed in. Line 7 shows the account that user Alice is associated with. This information lets you know that one of your IAM users signed in, giving you the information to conclude that this user is still active and was working at a particular time.

Next, line 11 shows that the event type was a sign-in event:

      "eventName": "ConsoleLogin",

This is where the new event is classified. (In other CloudTrail log records, this might be an API action.)

On line 17 we can see that Alice’s sign-in was successful:

      "Consolelogin": "success"

If this user had failed to sign in correctly, ConsoleLogin would show “failure”.

Finally, let’s look at line 22. We can see that MFA was enforced for this console sign-in:

      "MFAUsed": "Yes"

This is helpful for your internal records to show that you had MFA enforced at a particular time for user Alice.

This record will appear along with the other information recorded by CloudTrail. In my household, reading through the week’s log files over coffee is part of our Sunday ritual, but I might be in the minority. Therefore, AWS has a number of partners to provide tools to help you analyze CloudTrail log files. You can find a full list of supported partners on the AWS CloudTrail Partners page.

For those of you who haven’t enabled CloudTrail, you can enable it in the AWS Management Console. We recommend CloudTrail as one of many features you can enable in AWS to increase the security of your accounts. There is no cost to activate CloudTrail—you pay only the Amazon S3 costs for storing your logs. You can find out more by visiting the CloudTrail documentation and Frequently Asked Questions.

We look forward to hearing how you are using this functionality and ways we can improve it. You can post comments below or feel free to post to either the CloudTrail or IAM forums.

– Bradford