Logging IAM Identity Center API calls with AWS CloudTrail
AWS IAM Identity Center is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in IAM Identity Center. CloudTrail captures API calls for IAM Identity Center as events. The calls captured include calls from the IAM Identity Center console and code calls to the IAM Identity Center API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for IAM Identity Center. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to IAM Identity Center, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, see the AWS CloudTrail User Guide.
The following table summarizes the CloudTrail events of IAM Identity Center, their CloudTrail event sources, and matching APIs. Refer to the IAM Identity Center API references to learn more about the APIs.
Note
There's an additional group of CloudTrail events, referred to as Sign-in, which AWS emits for signing in to AWS as an IAM Identity Center user. These events have no matching public APIs, and therefore aren't listed in the API references.
CloudTrail events | APIs | Description | CloudTrail event sources
---|---|---|---
IAM Identity Center | IAM Identity Center | The IAM Identity Center APIs enable the management of permission sets, applications, trusted token issuers, account and application assignments, IAM Identity Center instances, and tags. | sso.amazonaws.com
Identity Store | Identity Store | The Identity Store APIs enable the management of the life cycle of your workforce's users and groups, and the users' group memberships. Also, they support the management of users' MFA devices. | sso-directory.amazonaws.com, identitystore.amazonaws.com
OIDC | OIDC | The OIDC APIs support trusted identity propagation, and sign-in to the AWS CLI and IDE toolkits as an already authenticated IAM Identity Center user. | sso.amazonaws.com, sso-oauth.amazonaws.com
AWS access portal | AWS access portal | The AWS access portal APIs support the operations of the AWS access portal and users getting account credentials through the AWS CLI. | sso.amazonaws.com
Identity Store | SCIM | The Identity Store APIs support the provisioning of users, groups, and group memberships through the SCIM protocol. SCIM APIs emit the same CloudTrail events that the Identity Store APIs emit. | sso-directory.amazonaws.com
AWS Sign-In | No public API | AWS emits Sign-in CloudTrail events for user authentication and federation flows into IAM Identity Center. | signin.amazon.com
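The event sources in the table are what a detection or incident-response engineer filters on when reviewing a delivered CloudTrail log file. The following script is an added example (not AWS code and not part of this guide): it maps each event source from the table to the CloudTrail event group(s) it backs, pulls the IAM Identity Center related records out of a log file in CloudTrail's delivered `{"Records": [...]}` shape, and summarizes who did what from where, counts records per source, and lists the ones that failed. The log records, event names, principals and IP addresses embedded in it are constructed samples, not captured data.

```python
"""Triage IAM Identity Center activity in a CloudTrail log file.

Added example; not AWS code. The event-source-to-group mapping comes from the
table on this page. The log records below are constructed samples.
"""
import json
from collections import Counter

# Event sources listed on this page, mapped to the CloudTrail event groups they
# appear under. One source (sso.amazonaws.com) backs several groups, so the
# source alone does not tell you which group an event belongs to.
IDENTITY_CENTER_SOURCES = {
    "sso.amazonaws.com": ["IAM Identity Center", "OIDC", "AWS access portal"],
    "sso-directory.amazonaws.com": ["Identity Store"],
    "identitystore.amazonaws.com": ["Identity Store"],
    "sso-oauth.amazonaws.com": ["OIDC"],
    "signin.amazon.com": ["AWS Sign-In"],
}

# Constructed sample log in CloudTrail's delivered-file shape. Event names,
# principals and addresses are illustrative placeholders, not real captures.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreatePermissionSet", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "sample-admin"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "identitystore.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/session"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazon.com",
     "eventName": "UserAuthentication", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "Unknown", "principalId": "sample-user-id"}},
    # Unrelated service call; it must not show up in the Identity Center view.
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "sample-admin"}},
]})


def load_records(log_text):
    """Parse a delivered CloudTrail log file and return its Records list."""
    return json.loads(log_text).get("Records", [])


def identity_center_events(records):
    """Keep only records whose eventSource is one of the sources on this page."""
    return [r for r in records if r.get("eventSource") in IDENTITY_CENTER_SOURCES]


def summarize(record):
    """Reduce one record to the fields the page says CloudTrail lets you answer:
    what was requested, from which IP, by whom, and when."""
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "source": record.get("eventSource"),
        "groups": IDENTITY_CENTER_SOURCES.get(record.get("eventSource"), []),
        "event": record.get("eventName"),
        # Sign-in records carry a principalId rather than a user name or ARN.
        "actor": ident.get("userName") or ident.get("arn") or ident.get("principalId"),
        "ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),
    }


def count_by_source(records):
    """Count Identity Center records per event source (a quick activity profile)."""
    return Counter(r["eventSource"] for r in identity_center_events(records))


def failed_events(records):
    """Identity Center records that carry an errorCode, e.g. denied sign-ins."""
    return [summarize(r) for r in identity_center_events(records) if r.get("errorCode")]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for summary in map(summarize, identity_center_events(recs)):
        print(summary)
    print(dict(count_by_source(recs)))
    print(failed_events(recs))
```

To run this against real data, replace `SAMPLE_LOG` with the decompressed contents of a log object from the S3 bucket your trail delivers to; the field names used here (`eventSource`, `eventName`, `sourceIPAddress`, `userIdentity`, `errorCode`) are the standard CloudTrail record fields.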