# Logging and monitoring in Amazon Cognito
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon Cognito and your other AWS solutions. Amazon Cognito currently supports the following AWS services so that you can monitor your organization and the activity that happens within it.
+ **AWS CloudTrail –** With CloudTrail you can capture API calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations. For example, when a user authenticates, CloudTrail can record details such as the IP address in the request, who made the request, and when it was made.
+ **Amazon CloudWatch Logs** – With CloudWatch Logs, you can send fine-grained logs of user activity to a log group. For example, you can review detailed user activity logs to troubleshoot the delivery of email and SMS messages to your users.
+ **Amazon CloudWatch Metrics –** With CloudWatch metrics you can monitor, report, and take automatic actions in case of an event in near real time. For example, you can create CloudWatch dashboards on the provided metrics to monitor your Amazon Cognito user pools, or you can create CloudWatch alarms on the provided metrics to notify you on breach of a set threshold.
+ **Amazon CloudWatch Logs Insights** – With CloudWatch Logs Insights, you can configure CloudTrail to send events to CloudWatch for monitoring Amazon Cognito CloudTrail log files.
**Topics**
+ [
# Monitoring and managing costs
](tracking-cost.md)
+ [
# Exporting logs from Amazon Cognito user pools
](exporting-quotas-and-usage.md)
+ [
# Tracking quotas and usage in CloudWatch and Service Quotas
](tracking-quotas-and-usage-in-cloud-watch-and-service-quotas.md)
+ [
# Amazon Cognito logging in AWS CloudTrail
](logging-using-cloudtrail.md)
# Monitoring and managing costs
Like with any other AWS service, it's important to understand the effect of your Amazon Cognito configuration and usage on your AWS bill. As part of your preparations for the deployment of user pools to production, set up monitoring and safeguards for activity and resource consumption. When you know where to look and what actions produce additional cost, you can set up precautions against surprises in your bill.
Amazon Cognito charges for the following dimensions of your usage.
+ User pool monthly active users (MAUs)—rate varies by [feature plan](cognito-sign-in-feature-plans.md)
+ User pool MAUs signed in with OIDC or SAML federation
+ Request volume for machine to machine (M2M) authorization with client credentials grants
+ Purchased usage above default quotas for some categories of user pool APIs
Additionally, features of your user pool like email messages, SMS messages, and Lambda triggers can incur costs in dependent services. For a complete overview, see [Amazon Cognito Pricing](https://aws.amazon.com/cognito/pricing).
## Viewing and anticipating costs
High-volume events like product launches and opening up to new userbases can increase your MAU count and have a cost impact. Estimate the new user count in advance and watch activity as it happens. You might find that you want to accommodate the volume with a purchase of additional quota capacity, or control the volume with additional security measures.
You can view and report on your AWS costs in the [AWS Billing and Cost Management console](https://console.aws.amazon.com/billing/home). You can find your most recent charges for Amazon Cognito in the **Billing and payments** section. Under **Bills**, **Charges by service**, filter on `Cognito` to view your usage. For more information, see [Viewing your bill](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/getting-viewing-bill.html) in the *AWS Billing User Guide*.
To monitor API request rates, review the **Utilization** metric in the Service Quotas console. For example, client credentials requests display as **Rate of ClientAuthentication requests**. In your bill, these requests are associated with the app client that produced them. With this information, you can equitable allocate costs to the tenants in a [multi-tenant architecture](multi-tenant-application-best-practices.md).
To get a count of M2M requests for a period of time, you can also send [AWS CloudTrail events to CloudWatch Logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html) for analysis. Query your CloudTrail events for `Token_POST` events with a client credentials grant. The following CloudWatch Insights query returns this count.
```
filter eventName = "Token_POST" and @message like '"grant_type":["client_credentials"]' | stats count(*)
```
## Managing costs
Amazon Cognito bills based on user count, feature usage, and request volume. The following are some tips to manage cost in Amazon Cognito,
**Don't activate inactive users**
Typical operations that make a user active are sign-in, sign-up, and password reset. For a more thorough list, see [Monthly active users](quotas.md#monthly-active-users). Amazon Cognito doesn't count inactive users toward your bill. Avoid any operations that set a user active. Instead of the [AdminGetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetUser.html) API operation, query users with the [ListUsers](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) operation. Don't perform high-volume administrative testing of user pool operations with inactive users.
**Link federated users**
Users who sign in with a SAML 2.0 or OpenID Connect (OIDC) identity provider have a higher cost than [local users](cognito-terms.md#terms-localuser). You can [link these users to a local user profile](cognito-user-pools-identity-federation-consolidate-users.md). A linked user can sign in as a local user with the attributes and access that come with their federated user. Users from SAML or OIDC IdPs who, in the course of a month, only sign in with a linked local account are billed as local users.
**Manage request rates**
If your user pool is approaching the upper limit of your quota, you might consider purchasing additional capacity to handle the volume. You might be able to reduce the volume of requests in your application. For more information, see [Optimize request rates for quota limits](quotas.md#optimize-quotas).
**Request a new token only when you need one**
Machine to machine (M2M) authorization with client credentials grants can reach a high volume of token requests. Each new token request has an effect on your request-rate quota and the size of your bill. To optimize cost, include token expiration settings and token handling in the design of your applications.
+ [Cache access tokens](amazon-cognito-user-pools-using-tokens-caching-tokens.md) so that when your application requests a new token, it receives a cached version of a previously-issued token. When you implement this method, your caching proxy acts as a guard against applications that request access tokens without awareness of the expiration of previously-acquired tokens. Caching tokens is ideal for short-lived microservices like Lambda functions and Docker containers.
+ Implement token-handling mechanisms in your applications that account for token expiration. Don’t request a new token until previous tokens are about to expire. As a best practice, refresh tokens at about 75% of the token lifetime. This practice maximizes token duration while ensuring user continuity in your application.
Evaluate the confidentiality and availability needs of each application and configure the user pool app client to issue access tokens with an appropriate validity period. Custom token duration works best with longer-lived APIs and servers that can persistently manage the frequency of requests for credentials.
**ListUsers, not AdminGetUser**
To query the attributes of users in your user pool, use the [ListUsers](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) API operation and associated [SDK](https://aws.amazon.com/developer/tools/) methods when possible. [AdminGetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetUser.html) marks a user as active for the month and contributes to the monthly active users (MAUs) that are used to calculate your bill for user pools.
**Manage feature plans**
When you choose a [feature plan](cognito-sign-in-feature-plans.md) in a user pool, the billing rate applies to all MAUs in the user pool. If you have users that don't need features that come with a higher-level feature plan, separate them into another user pool.
# Exporting logs from Amazon Cognito user pools
You can configure your user pool to send detailed logs of some additional activity to another AWS service, like a CloudWatch log group. These logs are of a finer granularity than those in AWS CloudTrail, and can be useful to troubleshoot your user pool and analyze user sign-in activity with [threat protection](cognito-user-pool-settings-threat-protection.md). When you want to stream logs of SMS and email notification errors, your user pool sends `ERROR`-level logs to a CloudWatch log group. When you want to stream logs of user sign-in activity, your user pool sends `INFO`-level logs to a log group, a Amazon Data Firehose stream, or an Amazon S3 bucket. You can combine both options in a user pool.
**Topics**
+ [
## Things to know about log export
](#exporting-quotas-and-usage-things-to-know)
+ [
## Exporting email and SMS message delivery errors
](#exporting-quotas-and-usage-messages)
+ [
## Exporting threat protection user activity logs
](#exporting-quotas-and-usage-user-activity)
## Things to know about log export
**Cost impact**
Amazon Data Firehose, Amazon S3, and CloudWatch Logs incur costs for data ingestion and retrieval. Your logging configuration might affect your AWS bill. For more information, see the following:
+ [Vended Logs](https://aws.amazon.com/cloudwatch/pricing/#Vended_Logs) in *Amazon CloudWatch Pricing*.
+ [Amazon Data Firehose pricing](https://aws.amazon.com/firehose/pricing/)
+ [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/)
User-activity log exports contain security assessments and are a function of user pool [threat protection](cognito-user-pool-settings-threat-protection.md). Amazon Cognito only generates these logs when threat protection is in **Audit-only** or **Full-function** mode and your user pool is on the Plus [feature plan](cognito-sign-in-feature-plans.md).
**User activity logs are `INFO` level**
Exported user-activity logs are at the `INFO` error level only and provide information for statistical and security analysis of authentication activity. Messages at the `WARNING` and `ERROR` error levels, for example throttling errors, aren't included in the exported logs.
**Best-effort delivery**
Delivery of logs from Amazon Cognito is best effort. The volume of logs that your user pool delivers, and your service quotas for CloudWatch Logs, Amazon S3, and Firehose can affect the delivery of logs.
**Existing external logs are unaffected**
These logging options don't replace or change the following log functions of user pools.
1. CloudTrail logs of routine user activity like sign-up and sign-in.
1. Analysis of user activity at scale with CloudWatch metrics.
Separately, you can also find logs from [Viewing the user pool import results in the CloudWatch console](cognito-user-pools-using-import-tool.md#cognito-user-pools-using-import-tool-cloudwatch) and [Customizing user pool workflows with Lambda triggers](cognito-user-pools-working-with-lambda-triggers.md) in CloudWatch Logs. Amazon Cognito and Lambda store these logs in different log groups from the ones that you specify for user activity logs.
**Applies only to user pools**
No log export capabilities exist for identity pools.
**Requires user permissions and service-linked role**
The AWS principal that sets up log export must have permissions to modify the target resources, as described in the topics that follow. Amazon Cognito creates a [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) on your behalf and assumes the role to deliver logs to the target resource.
For more information about the authorization model for sending logs from Amazon Cognito, see [Enable logging from AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-vended-logs-permissions) in the *Amazon CloudWatch Logs User Guide*.
**Log level is exclusive to log type**
Message-delivery logs are of the `userNotification` type and of the `ERROR` errorlevel. Advanced security user activity logs are of the `userAuthEvents` type and of the `INFO` errorlevel. You can combine two members of `LogConfigurations`, one for `userNotification` to CloudWatch Logs, and one for `userAuthEvents` to Firehose, Amazon S3, or CloudWatch Logs.
You can't send user-activity logs to multiple destinations. You can't send user-notification logs to any destination other than CloudWatch Logs.
**Different configuration options**
You can only configure user-notification logs with the Amazon Cognito user pools API or an AWS SDK. You can configure advanced security user-activity logs with the API or in the Amazon Cognito console. To set both, use the API as demonstrated in the example request at [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html).
**Additional configuration required with large resource-based policies**
To send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs`. For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html).
**Automatic creation of a folder in Amazon S3**
When you configure threat protection log export to an Amazon S3 bucket, Amazon Cognito might create an `AWSLogs` folder in your bucket. That folder is not created in all cases, and the configuration can succeed without creating it.
## Exporting email and SMS message delivery errors
For email and SMS message delivery errors, you can deliver **Error**-level user notification logs from your user pool. When you activate this feature, you can choose the log group where you want Amazon Cognito to send logs. User notification logging is useful when you want to find out the status of email and SMS messages that your user pool delivered with Amazon SNS and Amazon SES. This log export option, unlike [user-activity export](#exporting-quotas-and-usage-user-activity.title), doesn't require the Plus feature plan.
You can configure detailed notification logs with the Amazon Cognito user pools API in a [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) API request. You can view the logging configuration of a user pool in a [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) API request. The following is an example request body.
```
{
"LogConfigurations": [
{
"CloudWatchLogsConfiguration": {
"LogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:example-user-pool-exported"
},
"EventSource": "userNotification",
"LogLevel": "ERROR"
}
],
"UserPoolId": "us-west-2_EXAMPLE"
}
```
You must authorize these requests with AWS credentials that have the following permissions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ManageUserPoolLogs",
"Action": [
"cognito-idp:SetLogDeliveryConfiguration",
"cognito-idp:GetLogDeliveryConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "CognitoLog",
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "CognitoLoggingCWL",
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
```
------
The following is an example event from a user pool. This log schema is subject to change. Some fields might be logged with null values.
```
{
"eventTimestamp": "1687297330677",
"eventSource": "USER_NOTIFICATION",
"logLevel": "ERROR",
"message": {
"details": "String"
},
"logSourceId": {
"userPoolId": "String"
}
}
```
## Exporting threat protection user activity logs
User pools with the Plus feature plan and threat protection log user activity events: the details and security assessment of user sign-in, sign-out, and other authentication operations with your user pool. You might want to review user activity logs in your own log-management system, or create an archive. You can export this data to a Amazon CloudWatch Logs log group, an Amazon Data Firehose stream, or an Amazon Simple Storage Service (Amazon S3) bucket. From there, you can ingest this data into other systems that analyze, normalize or otherwise process data in ways that fit it in to your operational processes. To export data of this type, your user pool must be on the Plus feature plan and [threat protection](cognito-user-pool-settings-threat-protection.md) must be active in your user pool.
With the information in these user activity logs, you can view a profile of user sign-in and account-management activity. By default, Amazon Cognito captures these events to storage that's based in your user pool. The following example is an example event for a user who signed in and was evaluated to have no risk factors. You can retrieve this information with the `AdminListUserAuthEvents` API operation. The following is an example output:
```
{
"AuthEvents": [
{
"EventId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"EventType": "SignIn",
"CreationDate": "2024-06-27T10:49:59.139000-07:00",
"EventResponse": "Pass",
"EventRisk": {
"RiskDecision": "NoRisk",
"CompromisedCredentialsDetected": false
},
"ChallengeResponses": [
{
"ChallengeName": "Password",
"ChallengeResponse": "Success"
}
],
"EventContextData": {
"IpAddress": "192.0.2.1",
"DeviceName": "Chrome 126, Windows 10",
"Timezone": "-07:00",
"City": "null",
"Country": "United States"
}
}
],
"NextToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222#2024-06-27T17:49:59.139Z"
}
```
You can activate log export for user activity in the Amazon Cognito console or with the [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) API operation.
------
#### [ AWS Management Console ]
1. If you don't already have one that you want to use, create an [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html), [Firehose stream](https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html), or [CloudWatch log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html).
1. Sign in to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home).
1. Choose **User Pools**.
1. Choose an existing user pool from the list, or [create a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html).
1. Choose the **Advanced security** tab. Locate **Export user activity logs** and choose **Edit**
1. Under **Logging status**, select the checkbox next to **Activate user activity log export**.
1. Under **Logging destination**, choose the AWS service that you want to handle your logs: **CloudWatch log group**, **Amazon Data Firehose stream**, or **S3 bucket**.
1. Your selection will populate the resource selector with the corresponding resource type. Select a log group, stream, or bucket from the list. You can also select the **Create** button to navigate to the AWS Management Console for the selected service and create a new resource.
1. Select **Save changes**.
------
#### [ API ]
Choose one type of destination for your user activity logs.
The following is an example `SetLogDeliveryConfiguration` request body that sets a Firehose stream as the log destination.
```
{
"LogConfigurations": [
{
"EventSource": "userAuthEvents",
"FirehoseConfiguration": {
"StreamArn": "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-user-pool-activity-exported"
},
"LogLevel": "INFO"
}
],
"UserPoolId": "us-west-2_EXAMPLE"
}
```
The following is an example `SetLogDeliveryConfiguration` request body that sets a Amazon S3 bucket as the log destination.
```
{
"LogConfigurations": [
{
"EventSource": "userAuthEvents",
"S3Configuration": {
"BucketArn": "arn:aws:s3:::amzn-s3-demo-logging-bucket"
},
"LogLevel": "INFO"
}
],
"UserPoolId": "us-west-2_EXAMPLE"
}
```
The following is an example `SetLogDeliveryConfiguration` request body that sets a CloudWatch log group as the log destination.
```
{
"LogConfigurations": [
{
"EventSource": "userAuthEvents",
"CloudWatchLogsConfiguration": {
"LogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:DOC-EXAMPLE-LOG-GROUP"
},
"LogLevel": "INFO"
}
],
"UserPoolId": "us-west-2_EXAMPLE"
}
```
------
The user that configures log delivery must be a user pool administrator and have the following additional permissions:
------
#### [ Amazon S3 ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ManageUserPoolLogs",
"Action": [
"cognito-idp:SetLogDeliveryConfiguration",
"cognito-idp:GetLogDeliveryConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "ManageLogsS3",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"s3:PutBucketPolicy",
"s3:GetBucketPolicy"
],
"Resource": "*"
}
]
}
```
------
------
#### [ CloudWatch Logs ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ManageUserPoolLogs",
"Action": [
"cognito-idp:SetLogDeliveryConfiguration",
"cognito-idp:GetLogDeliveryConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "ManageLogsCWL",
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
```
------
------
#### [ Amazon Data Firehose ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ManageUserPoolLogs",
"Action": [
"cognito-idp:SetLogDeliveryConfiguration",
"cognito-idp:GetLogDeliveryConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "ManageUserPoolLogsFirehose",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"iam:CreateServiceLinkedRole",
"firehose:TagDeliveryStream"
],
"Resource": "*"
}
]
}
```
------
------
The following is an example event from a user pool. This log schema is subject to change. Some fields might be logged with null values.
```
{
"eventTimestamp": "1687297330677",
"eventSource": "USER_ACTIVITY",
"logLevel": "INFO",
"message": {
"version": "1",
"eventId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"eventType": "SignUp",
"userSub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"userName": "test-user",
"userPoolId": "us-west-2_EXAMPLE",
"clientId": "1example23456789",
"creationDate": "Wed Jul 17 17:25:55 UTC 2024",
"eventResponse": "InProgress",
"riskLevel": "",
"riskDecision": "PASS",
"challenges": [],
"deviceName": "Other, Other",
"ipAddress": "192.0.2.1",
"requestId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"idpName": "",
"compromisedCredentialDetected": "false",
"city": "Seattle",
"country": "United States",
"eventFeedbackValue": "",
"eventFeedbackDate": "",
"eventFeedbackProvider": "",
"hasContextData": "true"
},
"logSourceId": {
"userPoolId": "us-west-2_EXAMPLE"
}
}
```
# Tracking quotas and usage in CloudWatch and Service Quotas
You can monitor Amazon Cognito user pools using Amazon CloudWatch or using Service Quotas. You can also monitor identity pools usage in Service Quotas. CloudWatch collects raw data and processes it into readable, near real-time metrics. In CloudWatch, you can set alarms that watch for certain thresholds and send notifications or take actions when those thresholds are met. To create a CloudWatch alarm for a service quota, see [Create a CloudWatch alarm](https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html#create-a-cloud-watch-alarm). Amazon Cognito metrics are available at five minute intervals. For more information about retention periods in CloudWatch, visit the [Amazon CloudWatch FAQ page.](https://aws.amazon.com/cloudwatch/faqs)
You can use Service Quotas to view and manage your Amazon Cognito user pools and identity pools quota usage. The Service Quotas console has three features: view service quotas, request a service quota increase, and view current utilization. You can use the first feature to view quotas and see whether the quota is adjustable. You can use the second feature to request a Service Quotas increase. You can use the last feature to view quota utilization. This feature is only available after your account has been active for a while. For more information on viewing quotas in the Service Quotas console, see [Viewing Service Quotas](https://docs.aws.amazon.com/servicequotas/latest/userguide/gs-request-quota.html).
**Note**
Amazon Cognito metrics are available at 5 minute intervals. For more information about retention periods in CloudWatch, visit the [Amazon CloudWatch FAQ page](https://aws.amazon.com/cloudwatch/faqs/).
If you are signed in to an AWS account that is set up as a monitoring account in CloudWatch cross-account observability, you can use that monitoring account to visualize service quotas and set alarms for metrics in the source accounts that are linked to that monitoring account. For more information, see [CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).
**Topics**
+ [
# User pool metrics in CloudWatch
](metrics-for-cognito-user-pools.md)
+ [
# Metrics in Service Quotas
](use-the-service-quota-console-to-track-metrics.md)
# User pool metrics in CloudWatch
User pools report user-activity statistics to CloudWatch as metrics. From CloudWatch, you can analyze the volume of authentication activity and quota usage in your user pools. With the information in these metrics, you can set alarms for noteworthy events and adjust your user pool configuration as needed. Where user-activity logging has detailed records of user activity in your user pools, CloudWatch metrics have aggregated statistics and performance indicators.
The following table lists the metrics available for Amazon Cognito user pools. Amazon Cognito publishes metrics to the namespaces `AWS/Cognito` and `AWS/Usage`. For more information, see [Namespaces](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace) in *Amazon CloudWatch User Guide*.
For more information about tracking quotas and usage, see [Track quota usage](quotas.md#track-quota-usage) and [Track monthly active users (MAUs)](quotas.md#track-mau-usage).
**Note**
Metrics that haven't had any new data points in the past two weeks don't appear in the console. They also don't appear when you enter their metric name or dimension names in the search box in the **All metrics** tab in the console. In addition, they are not returned in the results of a list-metrics command. The best way to retrieve these metrics is with the `get-metric-data` or `get-metric-statistics` commands in the AWS CLI.
| Metric | Description | Namespace |
| --- | --- | --- |
| SignUpSuccesses | Provides the total number of successful user registration requests made to the Amazon Cognito user pool. A successful user registration request produces a value of 1, whereas an unsuccessful request produces a value of 0. A throttled request is also considered as an unsuccessful request, and hence a throttled request will also produce a count of 0. To find the percentage of successful user registration requests, use the `Average` statistic on this metric. To count the total number of user registration requests, use the `Sample Count` statistic on this metric. To count the total number of successful user registration requests, use the `Sum` statistic on this metric. To count the total number of failed user registration requests, use the CloudWatch `Math` expression and subtract the `Sum` statistic from the `Sample Count` statistic. This metric is published for each user pool for each user pool client. In case when the user registration is performed by an admin, the metric is published with the user pool client as `Admin`. Note that this metric is not emitted for [User import](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html) and [User migration](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html) cases. Metric dimension: `UserPool`, `UserPoolClient` Units: Count | AWS/Cognito |
| SignUpThrottles | Provides the total number of throttled user registration requests made to the Amazon Cognito user pool. A count of 1 is published whenever a user registration request is throttled. To count the total number of throttled user registration requests, use the `Sum` statistic for this metric. This metric is published for each user pool for each client. In case when the request that was throttled was made by an administrator, the metric is published with user pool client as `Admin`. Metric dimension: `UserPool`, `UserPoolClient` Units: Count | AWS/Cognito |
| SignInSuccesses | Provides the total number of successful user authentication requests made to the Amazon Cognito user pool. A user authentication is considered successful when authentication token is issued to the user. A successful authentication produces a value of 1, whereas an unsuccessful request produces a value of 0. A throttled request is also considered as an unsuccessful request, and hence a throttled request will also produce a count of 0. To find the percentage of successful user authentication requests, use the `Average` statistic on this metric. To count the total number of user authentication requests, use the `Sample Count` statistic on this metric. To count the total number of successful user authentication requests, use the `Sum` statistic on this metric. To count the total number of failed user authentication requests, use the CloudWatch `Math` expression and subtract the `Sum` statistic from the `Sample Count` statistic. This metric is published for each user pool for each client. In case an invalid user pool client is provided with a request, the corresponding user pool client value in the metric contains a fixed value `Invalid` instead of the actual invalid value sent in the request. Note that requests to refresh the Amazon Cognito token is not included in this metric. There is a separate metric for providing `Refresh` token statistics. Metric dimension: `UserPool`, `UserPoolClient` Units: Count | AWS/Cognito |
| SignInThrottles | Provides the total number of throttled user authentication requests made to the Amazon Cognito user pool. A count of 1 is published whenever an authentication request is throttled. To count the total number of throttled user authentication requests, use the `Sum` statistic for this metric. This metric is published for each user pool for each client. In case an invalid user pool client is provided with a request, the corresponding user pool client value in the metric contains a fixed value `Invalid` instead of the actual invalid value sent in the request. Requests to refresh Amazon Cognito token is not included in this metric. There is a separate metric for providing `Refresh` token statistics. Metric dimension: `UserPool`, `UserPoolClient` Units: Count | AWS/Cognito |
| TokenRefreshSuccesses | Provides the total number of successful requests to refresh an Amazon Cognito token that were made to the Amazon Cognito user pool. A successful refresh Amazon Cognito token request produces a value of 1, whereas an unsuccessful request produces a value of 0. A throttled request is also considered as an unsuccessful request, and hence a throttled request will also produce a count of 0. To find the percentage of successful requests to refresh an Amazon Cognito token, use the `Average` statistic on this metric. To count the total number of requests to refresh an Amazon Cognito token, use the `Sample Count` statistic on this metric. To count the total number of successful requests to refresh an Amazon Cognito token, use the `Sum` statistic on this metric. To count the total number of failed requests to refresh an Amazon Cognito token, use the CloudWatch `Math` expression and subtract the `Sum` statistic from the `Sample Count` statistic. This metric is published per each user pool client. If an invalid user pool client is in a request, the user pool client value contains a fixed value of `Invalid`. Metric dimension: `UserPool`, `UserPoolClient` Units: Count | AWS/Cognito |
| TokenRefreshThrottles | Provides the total number of throttled requests to refresh an Amazon Cognito token that were made to the Amazon Cognito user pool. A count of 1 is published whenever a refresh Amazon Cognito token request is throttled. To count the total number of throttled requests to refresh an Amazon Cognito token, use the `Sum` statistic for this metric. This metric is published for each user pool for each client. In case an invalid user pool client is provided with a request, corresponding user pool client value in the metric contains a fixed value `Invalid` instead of the actual invalid value sent in the request. Metric dimension: `UserPool`, `UserPoolClient` Units: Count | AWS/Cognito |
| FederationSuccesses | Provides the total number of successful identity federation requests to the Amazon Cognito user pool. An identity federation is considered successful when Amazon Cognito issues authentication tokens to the user. A successful identity federation request produces a value of 1, whereas an unsuccessful request produces a value of 0. Throttled requests and requests that generate an authorization code but no tokens produce a value of 0. To find the percentage of successful identity federation requests, use the `Average` statistic on this metric. To count the total number of identity federation requests, use the `Sample Count` statistic on this metric. To count the total number of successful identity federation requests, use the `Sum` statistic on this metric. To count the total number of failed identity federation requests, use the CloudWatch `Math` expression and subtract the `Sum` statistic from the `Sample Count` statistic. Metric dimension: `UserPool`, `UserPoolClient`, `IdentityProvider` Units: Count | AWS/Cognito |
| FederationThrottles | Provides the total number of throttled identity federation requests to the Amazon Cognito user pool. A count of 1 is published whenever an identity federation request is throttled. To count the total number of throttled identity federation requests, use the `Sum` statistic for this metric. Metric dimension: `UserPool`, `UserPoolClient`, `IdentityProvider` Units: Count | AWS/Cognito |
| CallCount | Provides the total number of calls customers made related to a category. This metric includes all the calls, such as throttled calls, failed calls, and successful calls. The category quota is enforced for each AWS account across all user pools in an account and Region. You can count the total number of calls in a category using the `Sum` statistic for this metric. Metric dimension: Service, Type, Resource, Class Units: Count | AWS/Usage |
| ThrottleCount | Provides the total number of throttled calls related to a category. This metric is published at the account level. You can count the total number of calls in a category, using the `Sum` statistic for this metric. Metric dimension: Service, Type, Resource, Class Units: Count | AWS/Usage |
## Viewing threat protection metrics
The metrics that your user pool publishes have statistical information about the effect that your threat protection settings have on user authentication activity. You might want to know how many users are attempting to sign in with compromised credentials. You can also find out what percentage of sign-in activity was evaluated to have some level of risk. Amazon Cognito publishes metrics for threat protection features to your account in Amazon CloudWatch. Amazon Cognito groups the threat protection metrics together by risk level and also by request level.
To add context to your risk analysis, you can [view information about individual user sign-in attempts](cognito-user-pool-settings-adaptive-authentication.md#user-pool-settings-adaptive-authentication-event-user-history), either in your user pool or in an exported data source.
**To view metrics in the CloudWatch console**
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the navigation pane, choose **Metrics**.
1. Choose Amazon Cognito.
1. Choose a group of aggregated metrics, such as **By Risk Classification**.
1. The **All metrics** tab displays all metrics for that choice. You can do the following:
+ To sort the table, use the column heading.
+ To graph a metric, select the check box next to the metric. To select all metrics, select the check box in the heading row of the table.
+ To filter by resource, choose the resource ID, and then choose **Add to search**.
+ To filter by metric, choose the metric name, and then choose **Add to search**.
| Metric | Description | Metric Dimensions | Namespace |
| --- | --- | --- | --- |
| CompromisedCredentialRisk | Requests where Amazon Cognito detected compromised credentials. | Operation: The type of operation. `PasswordChange`, `SignIn`, or `SignUp` are the only dimensions. UserPoolId: The identifier of the user pool. RiskLevel: high (default), medium, or low. | AWS/Cognito |
| AccountTakeoverRisk | Requests where Amazon Cognito detected account take-over risk. | Operation: The type of operation. `PasswordChange`, `SignIn`, or `SignUp` are the only dimensions. UserPoolId: The identifier of the user pool. RiskLevel: high, medium, or low. | AWS/Cognito |
| OverrideBlock | Requests that Amazon Cognito blocked because of the configuration provided by the developer. | Operation: The type of operation. `PasswordChange`, `SignIn`, or `SignUp` are the only dimensions. UserPoolId: The identifier of the user pool. RiskLevel: high, medium, or low. | AWS/Cognito |
| Risk | Requests that Amazon Cognito marked as risky. | Operation: The type of operation, such as `PasswordChange`, `SignIn`, or `SignUp`. UserPoolId: The identifier of the user pool. | AWS/Cognito |
| NoRisk | Requests where Amazon Cognito did not identify any risk. | Operation: The type of operation, such as `PasswordChange`, `SignIn`, or `SignUp`. UserPoolId: The identifier of the user pool. | AWS/Cognito |
Amazon Cognito offers you two predefined groups of metrics for ready analysis in CloudWatch. **By Risk Classification** identifies the granularity of the risk level for requests that Amazon Cognito identifies as risky. **By Request Classification** reflects metrics aggregated by request level.
| Aggregated Metrics Group | Description |
| --- | --- |
| By Risk Classification | Requests that Amazon Cognito identifies as risky. |
| By Request Classification | Metrics aggregated by request. |
## Dimensions for Amazon Cognito user pools
The following dimensions are used to refine the usage metrics that are published by Amazon Cognito. The dimensions only apply to `CallCount` and `ThrottleCount ` metrics.
| Dimension | Description |
| --- | --- |
| Service | The name of the AWS service containing the resource. For Amazon Cognito usage metrics, the value for this dimension is `Cognito user pool`. |
| Type | The type of entity that is being reported. The only valid value for Amazon Cognito usage metrics is API. |
| Resource | The type of resource that is running. The only valid value is category name. |
| Class | The class of resource being tracked. Amazon Cognito doesn't use the class dimension. |
## Use the CloudWatch console to track metrics
You can track and collect Amazon Cognito user pools metrics using CloudWatch. The CloudWatch dashboard will display metrics about every AWS service you use. You can use CloudWatch to create metric alarms. The alarms can be set up to send you notifications or make a change to a specific resource that you are monitoring. To view service quota metrics in CloudWatch, complete the following steps.
1. Open the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/).
1. In the navigation pane, choose **Metrics**.
1. In **All metrics** select a metric and a dimension.
1. Select the check box next to a metric. The metrics will appear in the graph.
**Note**
Metrics that haven't had any new data points in the past two weeks don't appear in the console. They also don't appear when you enter their metric name or dimension names in the search box in the All metrics tab in the console, and they are not returned in the results of a list-metrics command. The best way to retrieve these metrics is with the `get-metric-data` or `get-metric-statistics` commands in the AWS CLI.
## Create a CloudWatch alarm for a quota
Amazon Cognito provides CloudWatch usage metrics that correspond to the AWS service quotas for `CallCount` and `ThrottleCount` APIs. For more information about tracking usage in CloudWatch, see [Track quota usage](quotas.md#track-quota-usage).
In the Service Quotas console, you can create alarms that alert you when your usage approaches a service quota. To learn how to set up a CloudWatch alarm using the Service Quotas console, see [Service Quotas and CloudWatch alarms](https://docs.aws.amazon.com/servicequotas/latest/userguide/configure-cloudwatch.html).
# Metrics in Service Quotas
You can view and manage your Amazon Cognito user pools and identity pools quotas from a central location with Service Quotas. You can use the Service Quotas console to view details about a specific quota, monitor quota utilization, and request a quota increase. For some quota types, you can create a CloudWatch alarm to track your quota utilization. To learn more about what Amazon Cognito metrics you can track, see [Track quota usage](quotas.md#track-quota-usage).
**To view Amazon Cognito user pools and identity pools service quotas utilization, complete the following steps.**
1. Open the [Service Quotas console](https://console.aws.amazon.com/servicequotas/).
1. In the navigation pane, choose **AWS services**.
1. From the **AWS services** list, search and choose **Amazon Cognito user pools** or **Amazon Cognito Federated Identities**. The service quota page appears.
1. Select a quota that supports CloudWatch monitoring. For example, choose `Rate of UserAuthentication requests` in Amazon Cognito user pools.
1. Scroll down to **Monitoring**. This section appears only for quotas that support CloudWatch monitoring.
1. In **Monitoring** you can view current service quota utilization in the graph.
1. In **Monitoring** select either one hour, three hours, twelve hours, one day, three days, or one week.
1. Select any area inside of the graph to view the service quota utilization percentage. From here, you can add the graph to your dashboard or use the action menu to select **View in metrics**, which will take you to the related metrics in the CloudWatch console.
# Amazon Cognito logging in AWS CloudTrail
Amazon Cognito is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon Cognito. CloudTrail captures a subset of API calls for Amazon Cognito as events, including calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations. If you create a trail, you can choose to deliver CloudTrail events to an Amazon S3 bucket, including events for Amazon Cognito. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Amazon Cognito, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, including how to configure and activate it, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
You can also create Amazon CloudWatch alarms for specific CloudTrail events. For example, you can set up CloudWatch to trigger an alarm if an identity pool configuration is changed. For more information, see [Creating CloudWatch alarms for CloudTrail events: Examples](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html).
**Topics**
+ [
## Information that Amazon Cognito sends to CloudTrail
](#amazon-cognito-info-in-cloudtrail)
+ [
## Analyzing Amazon Cognito CloudTrail events with Amazon CloudWatch Logs Insights
](#analyzingcteventscwinsight)
+ [
# Example Amazon Cognito events
](understanding-amazon-cognito-entries.md)
## Information that Amazon Cognito sends to CloudTrail
CloudTrail is turned on when you create your AWS account. When supported event activity occurs in Amazon Cognito, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
For an ongoing record of events in your AWS account, including events for Amazon Cognito, create a trail. A CloudTrail trail delivers log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see:
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-list)
+ [Configuring amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or IAM user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.
For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
**Confidential data in AWS CloudTrail**
Because user pools and identity pools process user data, Amazon Cognito obscures some private fields in your CloudTrail events with the value `HIDDEN_DUE_TO_SECURITY_REASONS`. For examples of fields that Amazon Cognito doesn't populate to events, see [Example Amazon Cognito events](understanding-amazon-cognito-entries.md). Amazon Cognito only obscures some fields that commonly contain user information, like passwords and tokens. Amazon Cognito doesn't perform any automatic detection or masking of personally-identifying information that you populate to non-private fields in your API requests.
### User pool events
Amazon Cognito supports logging for all of the actions listed on the [User pool actions](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html) page as events in CloudTrail log files. Amazon Cognito logs user pool events to CloudTrail as *management events*.
The `eventType` field in a Amazon Cognito user pools CloudTrail entry tells you whether your app made the request to the [Amazon Cognito user pools API](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html) or to an [endpoint that serves resources for OpenID Connect, SAML 2.0, or managed login pages](cognito-userpools-server-contract-reference.md). API requests have an `eventType` of `AwsApiCall` and endpoint requests have an `eventType` of `AwsServiceEvent`.
Amazon Cognito logs the following requests to your managed login services as events in CloudTrail.
------
#### [ Hosted UI (classic) events ]
**Hosted UI (classic) events in CloudTrail**
| Operation | Description |
| --- | --- |
| Login\$1GET, CognitoAuthentication | A user views or submits credentials to your [Login endpoint](login-endpoint.md). |
| OAuth2\$1Authorize\$1GET, Beta\$1Authorize\$1GET | A user views your [Authorize endpoint](authorization-endpoint.md). |
| OAuth2Response\$1GET, OAuth2Response\$1POST | A user submits an IdP token to your /oauth2/idpresponse endpoint. |
| SAML2Response\$1POST, Beta\$1SAML2Response\$1POST | A user submits an IdP SAML assertion to your /saml2/idpresponse endpoint. |
| Login\$1OIDC\$1SAML\$1POST | A user enters a username at your [Login endpoint](login-endpoint.md) and matches with an [IdP identifier](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html). |
| Token\$1POST, Beta\$1Token\$1POST | A user submits an authorization code to your [Token endpoint](token-endpoint.md). |
| Signup\$1GET, Signup\$1POST | A user submits sign-up information to your /signup endpoint. |
| Confirm\$1GET, Confirm\$1POST | A user submits a confirmation code in the hosted UI. |
| ResendCode\$1POST | A user submits a request to resend a confirmation code in the hosted UI. |
| ForgotPassword\$1GET, ForgotPassword\$1POST | A user submits a request to reset their password to your /forgotPassword endpoint. |
| ConfirmForgotPassword\$1GET, ConfirmForgotPassword\$1POST | A user submits a code to your /confirmForgotPassword endpoint that confirms their ForgotPassword request. |
| ResetPassword\$1GET, ResetPassword\$1POST | A user submits a new password in the hosted UI. |
| Mfa\$1GET, Mfa\$1POST | A user submits a multi-factor authentication (MFA) code in the hosted UI. |
| MfaOption\$1GET, MfaOption\$1POST | A user chooses their preferred method for MFA in the hosted UI. |
| MfaRegister\$1GET, MfaRegister\$1POST | A user submits a multi-factor authentication (MFA) code in the hosted UI when registering the MFA. |
| Logout | A user signs out at your /logout endpoint. |
| SAML2Logout\$1POST | A user signs out at your /saml2/logout endpoint. |
| Error\$1GET | A user views an error page in the hosted UI. |
| UserInfo\$1GET, UserInfo\$1POST | A user or IdP exchanges information with your [userInfo endpoint](userinfo-endpoint.md). |
| Confirm\$1With\$1Link\$1GET | A user submits a confirmation based on a link that Amazon Cognito sent in an email message. |
| Event\$1Feedback\$1GET | A user submits feedback to Amazon Cognito about a [threat protection](cognito-user-pool-settings-threat-protection.md) event. |
------
#### [ Managed login events ]
**Managed login events in CloudTrail**
| Operation | Description |
| --- | --- |
| login\$1POST | A user submits credentials to your [Login endpoint](login-endpoint.md). |
| login\$1continue\$1POST | A user who has already signed in one time chooses to sign in again. |
| forgotPassword\$1POST | A user resets their password. |
| selectChallenge\$1POST | A user responds to an authentication challenge after they submit their username or credentials. |
| confirmUser\$1GET | A user opens the link in a [confirmation or verification email message](signing-up-users-in-your-app.md). |
| mfa\$1back\$1POST | A user chooses the Back button after an MFA prompt. |
| mfa\$1options\$1POST | A user selects an MFA option. |
| mfa\$1phone\$1register\$1POST | A user submits a phone number to register as a MFA factor. This operation causes Amazon Cognito to send an MFA code to their phone number. |
| mfa\$1phone\$1verify\$1POST | A user submits an MFA code sent to their phone number. |
| mfa\$1phone\$1resendCode\$1POST | A user submits a request to resend a MFA code to their phone number. |
| mfa\$1totp\$1POST | A user submits a TOTP MFA code. |
| signup\$1POST | A user submits information to your /signup managed login page. |
| signup\$1confirm\$1POST | A user submits a confirmation code from an email or SMS message. |
| verifyCode\$1POST | A user submits a one-time password (OTP) for passwordless authentication. |
| passkeys\$1add\$1POST | A user submits a request to register a new passkey credential. |
| passkeys\$1add\$1GET | A user navigates to the page where they can register a passkey. |
| login\$1passkey\$1POST | A user signs in with a passkey. |
------
**Note**
Amazon Cognito records `UserSub` but not `UserName` in CloudTrail logs for requests that are specific to a user. You can find a user for a given `UserSub` by calling the `ListUsers` API, and using a filter for sub.
### Identity pools events
**Data events**
Amazon Cognito logs the following Amazon Cognito Identity events to CloudTrail as *data events*. [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) are high-volume data-plane API operations that CloudTrail doesn’t log by default. Additional charges apply for data events.
+ [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html)
+ [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html)
+ [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
+ [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)
+ [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_UnlinkIdentity.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_UnlinkIdentity.html)
To generate CloudTrail logs for these API operations, you must activate data events in your trail and choose event selectors for **Cognito identity pools**. For more information, see [Logging data events for trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide*.
You can also add identity pools event selectors to your trail with the following CLI command.
```
aws cloudtrail put-event-selectors --trail-name --advanced-event-selectors \
"{\
\"Name\": \"Cognito Selector\",\
\"FieldSelectors\": [\
{\
\"Field\": \"eventCategory\",\
\"Equals\": [\
\"Data\"\
]\
},\
{\
\"Field\": \"resources.type\",\
\"Equals\": [\
\"AWS::Cognito::IdentityPool\"\
]\
}\
]\
}"
```
**Management events**
Amazon Cognito logs the remainder of Amazon Cognito identity pools API operations as *management events*. CloudTrail logs management event API operations by default.
For a list of the Amazon Cognito identity pools API operations that Amazon Cognito logs to CloudTrail, see the [Amazon Cognito identity pools API Reference](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_Operations.html).
**Amazon Cognito Sync**
Amazon Cognito logs all Amazon Cognito Sync API operations as management events. For a list of the Amazon Cognito Sync API operations that Amazon Cognito logs to CloudTrail, see the [Amazon Cognito Sync API Reference](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Operations.html).
## Analyzing Amazon Cognito CloudTrail events with Amazon CloudWatch Logs Insights
You can search and analyze your Amazon Cognito CloudTrail events with Amazon CloudWatch Logs Insights. When you configure your trail to send events to CloudWatch Logs, CloudTrail sends only the events that match your trail settings.
To query or research your Amazon Cognito CloudTrail events, in the CloudTrail console, make sure that you select the **Management events** option in your trail settings so that you can monitor the management operations performed on your AWS resources. You can optionally select the **Insights events** option in your trail settings when you want to identify errors, unusual activity, or unusual user behavior in your account.
### Sample Amazon Cognito queries
You can use the following queries in the Amazon CloudWatch console.
**General queries**
Find the 25 most recently added log events.
```
fields @timestamp, @message | sort @timestamp desc | limit 25
| filter eventSource = "cognito-idp.amazonaws.com"
```
Get a list of the 25 most recently added log events that include exceptions.
```
fields @timestamp, @message | sort @timestamp desc | limit 25
| filter eventSource = "cognito-idp.amazonaws.com" and @message like /Exception/
```
**Exception and Error Queries**
Find the 25 most recently added log events with error code `NotAuthorizedException` along with Amazon Cognito user pool `sub`.
```
fields @timestamp, additionalEventData.sub as user | sort @timestamp desc | limit 25
| filter eventSource = "cognito-idp.amazonaws.com" and errorCode= "NotAuthorizedException"
```
Find the number of records with `sourceIPAddress` and corresponding `eventName`.
```
filter eventSource = "cognito-idp.amazonaws.com"
| stats count(*) by sourceIPAddress, eventName
```
Find the top 25 IP addresses that triggered a `NotAuthorizedException` error.
```
filter eventSource = "cognito-idp.amazonaws.com" and errorCode= "NotAuthorizedException"
| stats count(*) as count by sourceIPAddress, eventName
| sort count desc | limit 25
```
Find the top 25 IP addresses that called the `ForgotPassword` API.
```
filter eventSource = "cognito-idp.amazonaws.com" and eventName = 'ForgotPassword'
| stats count(*) as count by sourceIPAddress
| sort count desc | limit 25
```
# Example Amazon Cognito events
Amazon Cognito logs information to AWS CloudTrail about user authentication activity and administrative management activity. This applies to both user pools and identity pools. For example, you can see `GetId` and `UpdateIdentityPool` events in the same trail, or `UpdateAuthEventFeedback` and `SetRiskConfiguration` events. You'll also see user pool logs for hosted UI activity that doesn't correspond to operations in the user pools API. This section has some examples of logs you might see. To understand the CloudTrail event schema for any operation, generate a request for that operation and review the events that it creates in your trail.
A trail can deliver events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so they do not appear in any specific order.
**Topics**
+ [
## Example CloudTrail events for a hosted UI sign-up
](#cognito-cloudtrail-events-federated-sign-up)
+ [
## Example CloudTrail event for a SAML request
](#cognito-cloudtrail-event-saml-post)
+ [
## Example CloudTrail events for requests to the token endpoint
](#cognito-cloudtrail-events-token-endpoint-requests)
+ [
## Example CloudTrail event for CreateIdentityPool
](#cognito-cloudtrail-events-createidentitypool)
+ [
## Example CloudTrail event for GetCredentialsForIdentity
](#cognito-cloudtrail-events-getcredentialsforidentity)
+ [
## Example CloudTrail event for GetId
](#cognito-cloudtrail-events-getid)
+ [
## Example CloudTrail event for GetOpenIdToken
](#cognito-cloudtrail-events-getopenidtoken)
+ [
## Example CloudTrail event for GetOpenIdTokenForDeveloperIdentity
](#cognito-cloudtrail-events-getopenidtokenfordeveloperidentity)
+ [
## Example CloudTrail event for UnlinkIdentity
](#cognito-cloudtrail-events-unlinkidentity)
## Example CloudTrail events for a hosted UI sign-up
The following example CloudTrail events demonstrate the information that Amazon Cognito logs when a user signs up through the hosted UI.
Amazon Cognito logs the following event when a new user navigates to the sign-in page for your app.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-04-06T05:38:12Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Login_GET",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"errorCode": "",
"errorMessage": "",
"additionalEventData":
{
"responseParameters":
{
"status": 200.0
},
"requestParameters":
{
"redirect_uri":
[
"https://www.amazon.com"
],
"response_type":
[
"token"
],
"client_id":
[
"1example23456789"
]
}
},
"eventID": "382ae09a-151d-4116-8f2b-6ac0a804a38c",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
Amazon Cognito logs the following event when a new user chooses **Sign up** from the sign-in page for your app.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-05T23:21:43Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Signup_GET",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 200
},
"requestParameters":
{
"response_type":
[
"code"
],
"redirect_uri":
[
"https://www.amazon.com"
],
"client_id":
[
"1example23456789"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "7a63e7c2-b057-4f3d-a171-9d9113264fff",
"eventID": "5e7b27a0-6870-4226-adb4-f86cd51ac5d8",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
Amazon Cognito logs the following event when a new user chooses a username, enters an email address, and chooses a password from the sign-in page for your app. Amazon Cognito doesn't log identifying information about the user's identity to CloudTrail.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-05T23:22:05Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Signup_POST",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 302
},
"requestParameters":
{
"password":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"requiredAttributes[email]":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"response_type":
[
"code"
],
"_csrf":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"redirect_uri":
[
"https://www.amazon.com"
],
"client_id":
[
"1example23456789"
],
"username":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "9ad58dd8-3517-4aa8-96a5-d17a01df9eb4",
"eventID": "c75eb7a5-eb8c-43d1-8331-f4412e756e69",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
Amazon Cognito logs the following event when a new user accesses the user confirmation page in the hosted UI after they sign up.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-05T23:22:06Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Confirm_GET",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 200
},
"requestParameters":
{
"response_type":
[
"code"
],
"redirect_uri":
[
"https://www.amazon.com"
],
"client_id":
[
"1example23456789"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "58a5b170-3127-45bb-88cc-3e652d779e0b",
"eventID": "7f87291a-6d50-409a-822f-e3a5ec7e60da",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
Amazon Cognito logs the following event when, in the user confirmation page in the hosted UI, a user enters a code that Amazon Cognito sent them in an email message.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-05T23:23:32Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Confirm_POST",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 302
},
"requestParameters":
{
"confirm":
[
""
],
"deliveryMedium":
[
"EMAIL"
],
"sub":
[
"704b1e47-34fe-40e9-8c41-504997494531"
],
"code":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"destination":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"response_type":
[
"code"
],
"_csrf":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"cognitoAsfData":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"redirect_uri":
[
"https://www.amazon.com"
],
"client_id":
[
"1example23456789"
],
"username":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "9764300a-ed35-4f87-8a0f-b18b3fe2b11e",
"eventID": "e24ac6e5-2f70-4c6e-ad4e-2f08a547bb36",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
## Example CloudTrail event for a SAML request
Amazon Cognito logs the following event when a user who has authenticated with your SAML IdP submits the SAML assertion to your `/saml2/idpresponse` endpoint.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-06T00:50:57Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "SAML2Response_POST",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 302
},
"requestParameters":
{
"RelayState":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"SAMLResponse":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "4f6f15d1-c370-4a57-87f0-aac4817803f7",
"eventID": "9824b50f-d9d1-4fb8-a2c1-6aa78ca5902a",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "625647942648",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
## Example CloudTrail events for requests to the token endpoint
The following are example events from requests to the [Token endpoint](token-endpoint.md).
Amazon Cognito logs the following event when a user who has authenticated and received an authorization code submits the code to your `/oauth2/token` endpoint.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-12T22:12:30Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Token_POST",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 200
},
"requestParameters":
{
"code":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"grant_type":
[
"authorization_code"
],
"redirect_uri":
[
"https://www.amazon.com"
],
"client_id":
[
"1example23456789"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "f257f752-cc14-4c52-ad5b-152a46915238",
"eventID": "0bd1586d-cd3e-4d7a-abaf-fd8bfc3912fd",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
Amazon Cognito logs the following event when your backend system submits a `client_credentials` request for an access token to your `/oauth2/token` endpoint.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-12T21:07:05Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Token_POST",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 200
},
"requestParameters":
{
"grant_type":
[
"client_credentials"
],
"client_id":
[
"1example23456789"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "4f871256-6825-488a-871b-c2d9f55caff2",
"eventID": "473e5cbc-a5b3-4578-9ad6-3dfdcb8a6d34",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
Amazon Cognito logs the following event when your app exchanges a refresh token for a new ID and access token with your `/oauth2/token` endpoint.
```
{
"eventVersion": "1.08",
"userIdentity":
{
"accountId": "123456789012"
},
"eventTime": "2022-05-12T22:16:40Z",
"eventSource": "cognito-idp.amazonaws.com",
"eventName": "Token_POST",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": null,
"responseElements": null,
"additionalEventData":
{
"responseParameters":
{
"status": 200
},
"requestParameters":
{
"refresh_token":
[
"HIDDEN_DUE_TO_SECURITY_REASONS"
],
"grant_type":
[
"refresh_token"
],
"client_id":
[
"1example23456789"
]
},
"userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com",
"userPoolId": "us-west-2_EXAMPLE"
},
"requestID": "2829f0c6-a3a9-4584-b046-11756dfe8a81",
"eventID": "12bd3464-59c7-44fa-b8ff-67e1cf092018",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails":
{
"serviceAccountId": "111122223333"
},
"eventCategory": "Management"
}
```
## Example CloudTrail event for CreateIdentityPool
The following example is a log entry for a request for the `CreateIdentityPool` action. The request was made by an IAM user named Alice.
```
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "['EXAMPLE_KEY_ID']",
"userName": "Alice"
},
"eventTime": "2016-01-07T02:04:30Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "CreateIdentityPool",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "USER_AGENT",
"requestParameters": {
"identityPoolName": "TestPool",
"allowUnauthenticatedIdentities": true,
"supportedLoginProviders": {
"graph.facebook.com": "000000000000000"
}
},
"responseElements": {
"identityPoolName": "TestPool",
"identityPoolId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE",
"allowUnauthenticatedIdentities": true,
"supportedLoginProviders": {
"graph.facebook.com": "000000000000000"
}
},
"requestID": "15cc73a1-0780-460c-91e8-e12ef034e116",
"eventID": "f1d47f93-c708-495b-bff1-cb935a6064b2",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012"
}
```
## Example CloudTrail event for GetCredentialsForIdentity
The following example is a log entry for a request for the `GetCredentialsForIdentity` action.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown"
},
"eventTime": "2023-01-19T16:55:08Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "GetCredentialsForIdentity",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.4",
"userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-credentials-for-identity",
"requestParameters": {
"logins": {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionToken": "aAaAaAaAaAaAab1111111111EXAMPLE",
"expiration": "Jan 19, 2023 5:55:08 PM"
},
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"requestID": "659dfc23-7c4e-4e7c-858a-1abce884d645",
"eventID": "6ad1c766-5a41-4b28-b5ca-e223ccb00f0d",
"readOnly": false,
"resources": [{
"accountId": "111122223333",
"type": "AWS::Cognito::IdentityPool",
"ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}
```
## Example CloudTrail event for GetId
The following example is a log entry for a request for the `GetId` action.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown"
},
"eventTime": "2023-01-19T16:55:05Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "GetId",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.4",
"userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-id",
"requestParameters": {
"identityPoolId": "us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE",
"logins": {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS"
}
},
"responseElements": {
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"requestID": "dc28def9-07c8-460a-a8f3-3816229e6664",
"eventID": "c5c459d9-40ec-41fd-8f6b-57865d5a9975",
"readOnly": false,
"resources": [{
"accountId": "111122223333",
"type": "AWS::Cognito::IdentityPool",
"ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}
```
## Example CloudTrail event for GetOpenIdToken
The following example is a log entry for a request for the `GetOpenIdToken` action.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown"
},
"eventTime": "2023-01-19T16:55:08Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "GetOpenIdToken",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.4",
"userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-open-id-token",
"requestParameters": {
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE",
"logins": {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS"
}
},
"responseElements": {
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"requestID": "a506ba18-10d7-4fdb-9548-a8187b2e38bb",
"eventID": "19ffc1a6-6ed8-4580-a4e1-3062c5ce6457",
"readOnly": false,
"resources": [{
"accountId": "111122223333",
"type": "AWS::Cognito::IdentityPool",
"ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}
```
## Example CloudTrail event for GetOpenIdTokenForDeveloperIdentity
The following example is a log entry for a request for the `GetOpenIdTokenForDeveloperIdentity` action.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA1EXAMPLE:johns-AssumedRoleSession",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/johns-AssumedRoleSession",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROA1EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2023-01-19T16:53:14Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-01-19T16:55:08Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "GetOpenIdTokenForDeveloperIdentity",
"awsRegion": "us-east-1",
"sourceIPAddress": "27.0.3.154",
"userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-open-id-token-for-developer-identity",
"requestParameters": {
"tokenDuration": 900,
"identityPoolId": "us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE",
"logins": {
"JohnsDeveloperProvider": "HIDDEN_DUE_TO_SECURITY_REASONS"
}
},
"responseElements": {
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"requestID": "b807df87-57e7-4dd6-b90c-b06f46a61c21",
"eventID": "f26fed91-3340-4d70-91ae-cdf555547b76",
"readOnly": false,
"resources": [{
"accountId": "111122223333",
"type": "AWS::Cognito::IdentityPool",
"ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}
```
## Example CloudTrail event for UnlinkIdentity
The following example is a log entry for a request for the `UnlinkIdentity` action.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown"
},
"eventTime": "2023-01-19T16:55:08Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "UnlinkIdentity",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.4",
"userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.unlink-identity",
"requestParameters": {
"logins": {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE",
"loginsToRemove": ["cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa"]
},
"responseElements": null,
"requestID": "99c2c8e2-9c29-416f-bb17-b650a5cbada9",
"eventID": "d8e26126-202a-43c2-b458-3f225efaedc7",
"readOnly": false,
"resources": [{
"accountId": "111122223333",
"type": "AWS::Cognito::IdentityPool",
"ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}
```