# Logging IAM Identity Center API calls with AWS CloudTrail
AWS IAM Identity Center is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in IAM Identity Center. CloudTrail captures API calls for IAM Identity Center as events. The calls captured include calls from the IAM Identity Center console and code calls to the IAM Identity Center API operations. If you create a [trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-trails), you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for IAM Identity Center. If you do not configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to IAM Identity Center, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).
The following table summarizes the CloudTrail events of IAM Identity Center, their CloudTrail event sources, and matching APIs. Refer to the [IAM Identity Center API references](https://docs.aws.amazon.com/singlesignon/) to learn more about the APIs.
**Note**
There is an additional group of CloudTrail events, referred to as Sign-in, which AWS emits for signing in to AWS as an IAM Identity Center user. These events have no matching public APIs, and therefore aren't listed in the API references.
****
| CloudTrail events | Public APIs | Description | CloudTrail event sources |
| --- | --- | --- | --- |
| [IAM Identity Center](sso-info-in-cloudtrail.md#cloudtrail-events-iam-identity-center-operations) | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html) | The IAM Identity Center APIs enable the management of permission sets, applications, trusted token issuers, account and application assignments, IAM Identity Center instances, and tags. | sso.amazonaws.com |
| [Identity Store](sso-info-in-cloudtrail.md#cloudtrail-events-identity-store-operations) | [Identity Store](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html) | The Identity Store APIs enable the management of the life cycle of your workforce's users and groups, and the users' group memberships. Also, they support the management of users' MFA devices. | sso-directory.amazonaws.com, identitystore.amazonaws.com |
| [OIDC](sso-info-in-cloudtrail.md#cloudtrail-events-oidc-operations) | [OIDC](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html) | The OIDC APIs support trusted identity propagation, and sign-in to AWS CLI and IDE toolkits as an already authenticated IAM Identity Center user. | sso.amazonaws.com, sso-oauth.amazonaws.com |
| [AWS access portal](sso-info-in-cloudtrail.md#cloudtrail-events-access-portal-operations) | [AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/Welcome.html) | The AWS access portal APIs support the operations of the AWS access portal and users getting account credentials through the AWS CLI. | sso.amazonaws.com |
| [SCIM](#logging-using-cloudtrail) | [SCIM](https://docs.aws.amazon.com/singlesignon/latest/developerguide/what-is-scim.html) | The SCIM APIs support the provisioning of users, groups, and group memberships through the SCIM protocol. See [Logging IAM Identity Center SCIM API calls with AWS CloudTrail](scim-logging-using-cloudtrail.md) for more information. | identitystore-scim.amazonaws.com |
| [AWS Sign-In](understanding-sign-in-events.md) | No public API | AWS emits Sign-in CloudTrail events for user authentication and federation flows into IAM Identity Center. | signin.amazon.com |
**Topics**
+ [CloudTrail use cases for IAM Identity Center](sso-cloudtrail-use-cases.md)
+ [IAM Identity Center information in CloudTrail](sso-info-in-cloudtrail.md)
# CloudTrail use cases for IAM Identity Center
The CloudTrail events that IAM Identity Center emits can be valuable for a variety of use cases. Organizations can use these event logs to monitor and audit the user access and activity within their AWS environment. This can help compliance use cases, as the logs capture details on who is accessing what resources and when. You can also use the CloudTrail data for incident investigations, allowing teams to analyze user actions and track suspicious behavior. Additionally, the event history can support troubleshooting efforts, providing visibility into changes made to user permissions and configurations over time.
The following sections describe the foundational use cases that inform your workflows such as audit, incident investigation, and troubleshooting.
## Identifying the user in IAM Identity Center user-initiated CloudTrail events
IAM Identity Center emits two CloudTrail fields that enable you to identify the IAM Identity Center user behind the CloudTrail events, such as signing into IAM Identity Center or AWS CLI, and using the AWS access portal, including managing MFA devices:
+ `userId` – The unique and immutable user identifier from the Identity Store of an IAM Identity Center instance.
+ `identityStoreArn` – The Amazon Resource Name (ARN) of the Identity Store that contains the user.
The `userID` and `identityStoreArn` fields display in the `onBehalfOf` element nested inside the [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) element as shown in the following example CloudTrail event log. This event log shows these two fields on an event where the `userIdentity` type is "`IdentityCenterUser`". You can also find these fields on events for authenticated IAM Identity Center users where the `userIdentity` type is "`Unknown`". Your workflows should accept both type values.
```
"userIdentity":{
"type":"IdentityCenterUser",
"accountId":"111122223333",
"onBehalfOf": {
"userId": "544894e8-80c1-707f-60e3-3ba6510dfac1",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "90e292de-5eb8-446e-9602-90f7c45044f7"
}
```
**Tip**
We recommend you use `userId` and `identityStoreArn` for identifying the user behind IAM Identity Center CloudTrail events. The `userName` and `principalId` fields under the `userIdentity` element are no longer available. If your workflows, such as audit or incident response, depend on having access to the `username`, you have two options:
Retrieve the username from the IAM Identity Center directory as explained in [Username in sign-in CloudTrail events](username-sign-in-cloudtrail-events.md).
Get the `UserName` that IAM Identity Center emits under the `additionalEventData` element in Sign-in. This option doesn't require access to the IAM Identity Center directory. For more information, see [Username in sign-in CloudTrail events](username-sign-in-cloudtrail-events.md).
To retrieve the details of a user, including the `username` field, you query the Identity Store with user ID and Identity Store ID as parameters. You can perform this action through the [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html) API request or through the CLI. The following is an example CLI command. You can omit the `region` parameter if your IAM Identity Center instance is in the CLI default Region.
```
aws identitystore describe-user \
--identity-store-id d-1234567890 \
--user-id 544894e8-80c1-707f-60e3-3ba6510dfac1 \
--region your-region-id
```
To determine the Identity Store ID value for the CLI command in the previous example, you can extract the Identity Store ID from the `identityStoreArn` value. In the example ARN `arn:aws:identitystore::111122223333:identitystore/d-1234567890`, the Identity Store ID is `d-1234567890`. Alternatively, you can locate the Identity Store ID by navigating to **Identity Store** tab in the **Settings** section of the IAM Identity Center console.
If you are automating the lookup of users in the IAM Identity Center directory, we recommend that you estimate the frequency of user lookups, and consider the [IAM Identity Center throttle limit on the Identity Store API](limits.md#ssodirectorylimits). Caching retrieved user attributes can help you stay within the throttle limit.
## Correlating user events within the same user session
The [`AuthWorkflowID`](understanding-sign-in-events.md) field emitted in sign-in events enables tracking all CloudTrail events associated with a sign-in sequence before the commencement of an IAM Identity Center user session.
For user actions inside the AWS access portal, the `credentialId` value is set to the ID of the IAM Identity Center user’s session used to request the action. You can use this value to identify CloudTrail events initiated within the same authenticated IAM Identity Center user session in the AWS access portal.
**Note**
You can't use `credentialId` to correlate sign-in events to the subsequent events, such as the use of the AWS access portal. The value of the `credentialId` field emitted in sign-in events has internal use, and we recommend that you not rely on it. The value of the `credentialId` field emitted for [AWS access portal events](sso-info-in-cloudtrail.md#cloudtrail-events-access-portal-operations) invoked with OIDC equals the ID of the access token.
## Identifying user background session details in IAM Identity Center user-initiated CloudTrail events
The following CloudTrail event captures the process of OAuth 2.0 token exchange, in which an existing access token (the `subjectToken`) that represents the user's interactive session is exchanged for a refresh token (the `requestedTokenType`). The refresh token allows any user initiated long-running jobs to continue running with the user's permissions, even after the user signs out.
For IAM Identity Center [user background sessions](user-background-sessions.md), the CloudTrail event includes an additional element called `resource` in the `requestParameters` element. The `resource` parameter contains the Amazon Resource Name (ARN) of the job that runs in the background. This element is present only in CloudTrail event records and is not included in the IAM Identity Center [CreateTokenWithIAM](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html) API or SDK responses.
```
{
"clientId": "EXAMPLE-CLIENT-ID",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"code": "HIDDEN_DUE_TO_SECURITY_REASONS",
"redirectUri": "https://example.com/callback",
"assertion": "HIDDEN_DUE_TO_SECURITY_REASONS",
"subjectToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
"subjectTokenType": "urn:ietf:params:oauth:token-type:access_token",
"requestedTokenType": "urn:ietf:params:oauth:token-type:refresh_token",
"resource": "arn:aws:sagemaker:us-west-2:123456789012:training-job/my-job"
}
```
## Correlating users between IAM Identity Center and external directories
IAM Identity Center provides two user attributes that you can use to correlate a user in its directory to the same user in an external directory (for example, Microsoft Active Directory and Okta Universal Directory).
+ `externalId` – The external identifier of an IAM Identity Center user. We recommend you map this identifier to an immutable user identifier in the external directory. Note that IAM Identity Center doesn't emit this value in CloudTrail.
+ `username` – A customer-provided value that users usually sign in with. The value can change (for example, with a SCIM update). Note that when the identity source is Directory Service, the username that IAM Identity Center emits in CloudTrail matches the username that you enter to authenticate. The username doesn't need to be an exact match to the username in the IAM Identity Center directory.
If you have access to the CloudTrail events but not the IAM Identity Center directory, you can use the username emitted under the `additionalEventData` element at sign-in. For more details about username in `additionalEventData`, refer to [Username in sign-in CloudTrail events](username-sign-in-cloudtrail-events.md).
The mapping of these two user attributes to corresponding user attributes in an external directory is defined in IAM Identity Center when the identity source is the Directory Service. For infomration, see [Attribute mappings between IAM Identity Center and External Identity Providers directory](attributemappingsconcept.md). External IdPs that provision users with SCIM have their own mapping. Even if you use the IAM Identity Center directory as the identity source, you can use the `externalId` attribute to cross-reference security principals to your external directory.
The following section explains how you can look up an IAM Identity Center user given the user’s `username` and `externalId`.
## Viewing an IAM Identity Center user by username and externalId
You can retrieve user attributes from the IAM Identity Center directory for a known username by first requesting a corresponding `userId` using the [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html) API request, then issue a [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html) API request, as shown in the previous example. The following example demonstrates how you can retrieve a `userId` from the Identity Store for a specific username. You can omit the `region` parameter if your IAM Identity Center instance is in the default Region with the CLI.
```
aws identitystore get-user-id \
--identity-store d-9876543210 \
--alternate-identifier '{
"UniqueAttribute": {
"AttributePath": "username",
"AttributeValue": "anyuser@example.com"
}
}' \
--region your-region-id
```
Similarly, you can use the same mechanism when you know the `externalId`. Update the attribute path in the previous example with the `externalId` value, and the attribute value with the specific `externalId` for which you are searching.
## Viewing a user’s Secure Identifier (SID) in Microsoft Active Directory (AD) and externalId
In certain cases, IAM Identity Center emits a user’s SID in the `principalId` field of CloudTrail events, such as those that the AWS access portal and OIDC APIs emit. **These cases are being phased out.** We recommend your workflows use the AD attribute `objectguid` when you need a unique user identifier from AD. You can find this value in the `externalId` attribute in the IAM Identity Center directory. However, if your workflows require the use of SID, retrieve the value from AD as it’s not available through IAM Identity Center APIs.
[Correlating user events within the same user sessionCorrelating users between IAM Identity Center and external directories](#correlating-users) describes how you can use the `externalId` and `username` fields to correlate an IAM Identity Center user to a matching user in an external directory. By default, IAM Identity Center maps `externalId` to the `objectguid` attribute in AD, and this mapping is fixed. IAM Identity Center allows administrators the flexibility to map `username` differently than its default mapping to `userprincipalname` in AD.
You can view these mappings in the IAM Identity Center console. Navigate to the **Identity Source** tab of **Settings**, and choose **Manage sync** in the **Actions** menu. In the **Manage Sync** section, choose the **View attribute mappings** button.
While you can use any unique AD user identifier available in IAM Identity Center to look up a user in AD, we recommend using the `objectguid` in your queries because it is an immutable identifier. The following example shows how to query Microsoft AD with Powershell to retrieve a user using the user’s `objectguid` value of `16809ecc-7225-4c20-ad98-30094aefdbca`. A successful response to this query includes the user’s SID.
```
Install-WindowsFeature -Name RSAT-AD-PowerShell
Get-ADUser `
-Filter {objectGUID -eq [GUID]::Parse("16809ecc-7225-4c20-ad98-30094aefdbca")} `
-Properties *
```
# IAM Identity Center information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM Identity Center, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
**Note**
For more information about how user identification and tracking of user actions in CloudTrail events is evolving, refer to [Important changes to CloudTrail events for IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/) in the *AWS Security Blog*.
For an ongoing record of events in your AWS account, including events for IAM Identity Center, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following topics in the *AWS CloudTrail User Guide*:
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
When CloudTrail logging is enabled in your AWS account, API calls made to IAM Identity Center actions are tracked in log files. IAM Identity Center records are written together with other AWS service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size.
**CloudTrail events for supported IAM Identity Center APIs**
The following sections provide information about the CloudTrail events associated with the following APIs that IAM Identity Center supports:
+ [IAM Identity Center API](#cloudtrail-events-iam-identity-center-operations)
+ [Identity Store API](#cloudtrail-events-identity-store-operations)
+ [OIDC API](#cloudtrail-events-oidc-operations)
+ [AWS access portal API](#cloudtrail-events-access-portal-operations)
+ [SCIM API](#cloudtrail-events-scim-api-operations)
## CloudTrail events of IAM Identity Center API operations
The following list contains the CloudTrail events that the public IAM Identity Center operations emit with the `sso.amazonaws.com` event source. For more information about the public IAM Identity Center API operations, see the [IAM Identity Center API Reference](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html).
You might find additional events in CloudTrail for IAM Identity Center console API operations that the console relies on. For more information about these console APIs, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycenter.html).
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachCustomerManagedPolicyReferenceToPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachCustomerManagedPolicyReferenceToPermissionSet.html)
+ [
AttachManagedPolicyToPermissionSet](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachManagedPolicyToPermissionSet.html)
+ [
CreateAccountAssignment](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateAccountAssignment.html)
+ [CreateApplication
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplication.html)
+ [
CreateApplicationAssignment](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplicationAssignment.html)
+ [
CreateInstance
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstance.html)
+ [
CreateInstanceAccessControlAttributeConfiguration
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstanceAccessControlAttributeConfiguration.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreatePermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreatePermissionSet.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateTrustedTokenIssuer.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateTrustedTokenIssuer.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteAccountAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteAccountAssignment.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplication.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplication.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAccessScope.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAccessScope.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAssignment.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAuthenticationMethod.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAuthenticationMethod.html)
+ [
DeleteApplicationGrant
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationGrant.html)
+ [
DeleteInlinePolicyFromPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInlinePolicyFromPermissionSet.html)
+ [
DeleteInstance
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstance.html)
+ [
DeleteInstanceAccessControlAttributeConfiguration
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstanceAccessControlAttributeConfiguration.html)
+ [
DeletePermissionsBoundaryFromPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionsBoundaryFromPermissionSet.html)
+ [
DeletePermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionSet.html)
+ [
DeleteTrustedTokenIssuer
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteTrustedTokenIssuer.html)
+ [
DescribeAccountAssignmentCreationStatus
s](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentCreationStatus.html)
+ [
DescribeAccountAssignmentDeletionStatus
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentDeletionStatus.html)
+ [
DescribeApplication
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplication.html)
+ [
DescribeApplicationAssignment
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationAssignment.html)
+ [
DescribeApplicationProvider
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationProvider.html)
+ [
DescribeInstance
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstance.html)
+ [
DescribeInstanceAccessControlAttributeConfiguration
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstanceAccessControlAttributeConfiguration.html)
+ [
DescribePermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSet.html)
+ [
DescribePermissionSetProvisioningStatus
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSetProvisioningStatus.html)
+ [
DescribeTrustedTokenIssuer
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeTrustedTokenIssuer.html)
+ [
DetachCustomerManagedPolicyReferenceFromPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachCustomerManagedPolicyReferenceFromPermissionSet.html)
+ [
DetachManagedPolicyFromPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachManagedPolicyFromPermissionSet.html)
+ [
GetApplicationAccessScope
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAccessScope.html)
+ [
GetApplicationAssignmentConfiguration
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAssignmentConfiguration.html)
+ [
GetApplicationAuthenticationMethod
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAuthenticationMethod.html)
+ [
GetApplicationGrant
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationGrant.html)
+ [
GetInlinePolicyForPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetInlinePolicyForPermissionSet.html)
+ [
GetPermissionsBoundaryForPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetPermissionsBoundaryForPermissionSet.html)
+ [
ListAccountAssignmentCreationStatus
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentCreationStatus.html)
+ [
ListAccountAssignmentDeletionStatus
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentDeletionStatus.html)
+ [
ListAccountAssignments
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignments.html)
+ [
ListAccountAssignmentsForPrincipal
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentsForPrincipal.html)
+ [
ListAccountsForProvisionedPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountsForProvisionedPermissionSet.html)
+ [
ListApplicationAccessScopes
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAccessScopes.html)
+ [
ListApplicationAssignments
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignments.html)
+ [
ListApplicationAssignmentsForPrincipal
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignmentsForPrincipal.html)
+ [
ListApplicationAuthenticationMethods
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAuthenticationMethods.html)
+ [
ListApplicationGrants
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationGrants.html)
+ [
ListApplicationProviders
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationProviders.html)
+ [
ListApplications
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplications.html)
+ [
ListCustomerManagedPolicyReferencesInPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListCustomerManagedPolicyReferencesInPermissionSet.html)
+ [
ListInstances
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html)
+ [
ListManagedPoliciesInPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListManagedPoliciesInPermissionSet.html)
+ [
ListPermissionSetProvisioningStatus
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetProvisioningStatus.html)
+ [
ListPermissionSets
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSets.html)
+ [
ListPermissionSetsProvisionedToAccount
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetsProvisionedToAccount.html)
+ [
ListTagsForResource
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTagsForResource.html)
+ [
ListTrustedTokenIssuers
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTrustedTokenIssuers.html)
+ [
ProvisionPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ProvisionPermissionSet.html)
+ [
PutApplicationAccessScope
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAccessScope.html)
+ [
PutApplicationAssignmentConfiguration
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAssignmentConfiguration.html)
+ [
PutApplicationAuthenticationMethod
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAuthenticationMethod.html)
+ [
PutApplicationGrant
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationGrant.html)
+ [
PutInlinePolicyToPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutInlinePolicyToPermissionSet.html)
+ [
PutPermissionsBoundaryToPermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutPermissionsBoundaryToPermissionSet.html)
+ [
TagResource
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TagResource.html)
+ [
UntagResource
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UntagResource.html)
+ [
UpdateApplication
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateApplication.html)
+ [
UpdateInstance
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstance.html)
+ [
UpdateInstanceAccessControlAttributeConfiguration
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstanceAccessControlAttributeConfiguration.html)
+ [
UpdatePermissionSet
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdatePermissionSet.html)
+ [
UpdateTrustedTokenIssuer
](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateTrustedTokenIssuer.html)
## CloudTrail events of Identity Store API operations
The following list contains the CloudTrail events that the public Identity Store operations emit with the `identitystore.amazonaws.com` event source. For more information about the public Identity Store API operations, see the [Identity Store API Reference](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html).
You might find additional events in CloudTrail for the Identity Store console API operations with the `sso-directory.amazonaws.com` event source. These APIs support the console and AWS access portal. If you need to detect the occurrence of a particular operation, such as adding member to a group, we recommend you consider both public and console API operations. For more information about these console APIs, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html).
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroup.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroupMembership.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroup.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroupMembership.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteUser.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroupMembership.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupId.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupId.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupMembershipId.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupMembershipId.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMemberships.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMemberships.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateGroup.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html)
## CloudTrail events of OIDC API operations
The following list contains the CloudTrail events that the public OIDC operations emit. For more information about the public OIDC API operations, see the [OIDC API Reference](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
+ [https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html) (event source `sso.amazonaws.com`)
+ [https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html) (event source `sso-oauth.amazonaws.com`)
## CloudTrail events of AWS access portal API operations
The following list contains the CloudTrail events that the AWS access portal API operations emit with the `sso.amazonaws.com` event source. The API operations noted as being unavailable in the public API support the operations of the AWS access portal. Using the AWS CLI can lead to the emission of CloudTrail events of both the public AWS access portal API operations and those that are unavailable in the public API. For more information about public AWS access portal API operations, see the [AWS access portal API Reference](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/Welcome.html).
+ Authenticate (Not available in the public API. Provides login to the AWS access portal.)
+ Federate (Not available in the public API. Provides federation into applications.)
+ [https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccountRoles.html](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccountRoles.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccounts.html](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccounts.html)
+ ListApplications (Not available in the public API. Provides users’ assigned resources for display in the AWS access portal.)
+ ListProfilesForApplication (Not available in the public API. Provides application metadata for display in the AWS access portal.)
+ [https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+ [https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_Logout.html](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_Logout.html)
## CloudTrail events of SCIM API operations
For information about public SCIM API operations, see [AWS access portal API Reference](scim-logging-using-cloudtrail.md).
## Identity information in IAM Identity Center CloudTrail events
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root user or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.
+ Whether the request was made by an IAM Identity Center user. If so, the `userId` and `identityStoreArn` fields are available in the CloudTrail events to identify the IAM Identity Center user who initiated the request. For more information, see [Identifying the user in IAM Identity Center user-initiated CloudTrail events](sso-cloudtrail-use-cases.md#user-session-iam-identity-center).
For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
**Note**
Currently, IAM Identity Center doesn't emit CloudTrail events for user sign-in to AWS managed web applications (for example, Amazon SageMaker AI Studio) with the [OIDC API](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). These web applications are a subset of the broader set of [AWS managed applications](awsapps.md), which also include non-web applications such as Amazon Athena SQL and Amazon S3 Access Grants.
# Understanding CloudTrail events for IAM Identity Center
A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail events aren't an ordered stack trace of the public API calls, so they do not appear in any specific order. Learn about the [contents of a CloudTrail record](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) in the *CloudTrail User Guide*.
This example demonstrates a CloudTrail log entry capturing a `DescribePermissionsPolicies` action performed by an IAM user (samadams) interacting with IAM Identity Center:
```
{
"Records":[
{
"eventVersion":"1.05",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDAJAIENLMexample",
"arn":"arn:aws:iam::08966example:user/samadams",
"accountId":"111122223333",
"accessKeyId":"AKIAIIJM2K4example",
"userName":"samadams"
},
"eventTime":"2017-11-29T22:39:43Z",
"eventSource":"sso.amazonaws.com",
"eventName":"DescribePermissionsPolicies",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
"requestParameters":{
"permissionSetId":"ps-79a0dde74b95ed05"
},
"responseElements":null,
"requestID":"319ac6a1-d556-11e7-a34f-69a333106015",
"eventID":"a93a952b-13dd-4ae5-a156-d3ad6220b071",
"readOnly":true,
"resources":[
],
"eventType":"AwsApiCall",
"recipientAccountId":"111122223333"
}
]
}
```
This example demonstrates a CloudTrail log entry capturing a `ListApplications` action performed by an IAM Identity Center user within the AWS access portal:
```
{
"Records":[
{
"eventVersion":"1.05",
"userIdentity":{
"type":"IdentityCenterUser",
"accountId":"111122223333",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84775435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "cdee2490-82ed-43b3-96ee-b75fbf0b97a5"
},
"eventTime":"2017-11-29T18:48:28Z",
"eventSource":"sso.amazonaws.com",
"eventName":"ListApplications",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"requestID":"de6c0435-ce4b-49c7-9bcc-bc5ed631ce04",
"eventID":"e6e1f3df-9528-4c6d-a877-6b2b895d1f91",
"eventType":"AwsApiCall",
"recipientAccountId":"111122223333"
}
]
}
```
This example demonstrates a CloudTrail log entry capturing a `CreateToken` action performed by an IAM Identity Center user authenticating with the IAM Identity Center OIDC service:
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IdentityCenterUser",
"accountId": "111122223333",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84775435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "cdee2490-82ed-43b3-96ee-b75fbf0b97a5"
},
"eventTime": "2020-06-16T01:31:15Z",
"eventSource": "sso.amazonaws.com",
"eventName": "CreateToken",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
"requestParameters": {
"clientId": "clientid1234example",
"clientSecret": "HIDDEN_DUE_TO_SECURITY_REASONS",
"grantType": "urn:ietf:params:oauth:grant-type:device_code",
"deviceCode": "devicecode1234example"
},
"responseElements": {
"accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
"tokenType": "Bearer",
"expiresIn": 28800,
"refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
"idToken": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"eventID": "09a6e1a9-50e5-45c0-9f08-e6ef5089b262",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "IdentityStoreId",
"ARN": "d-1234567890"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
```
# Understanding IAM Identity Center sign-in events
AWS CloudTrail records successful and unsuccessful sign-in events for all IAM Identity Center identity sources. IAM Identity Center and Active Directory (AD Connector and AWS Managed Microsoft AD) sourced identities include additional sign-in events that are captured each time a user is prompted to solve a specific credential challenge or factor, in addition to the status of that particular credential verification request. Only after a user has completed all required credential challenges will the user be signed in, which will result in a `UserAuthentication` event being logged.
The following table captures each of the IAM Identity Center sign-in CloudTrail event names, their purpose, and applicability to different identity sources.
| Event name | Event purpose | Identity source applicability |
| --- | --- | --- |
| CredentialChallenge | Used to notify that IAM Identity Center has requested the user to solve a specific credential challenge and specifies the CredentialType that was required (For example, PASSWORD or TOTP). | Native IAM Identity Center users, AD Connector, and AWS Managed Microsoft AD |
| CredentialVerification | Used to notify that the user has attempted to solve a specific CredentialChallenge request and specifies whether that credential succeeded or failed. | Native IAM Identity Center users, AD Connector, and AWS Managed Microsoft AD |
| UserAuthentication | Used to notify that all authentication requirements the user was challenged with have been successfully completed and that the user was successfully signed in. Users failing to successfully complete the required credential challenges will result in no UserAuthentication event being logged. | All identity sources |
The following table captures additional useful event data fields contained within specific sign-in CloudTrail events.
| Field | Event purpose | Sign-in event applicability | Example values |
| --- | --- | --- | --- |
| AuthWorkflowID | Used to correlate all events emitted across an entire sign-in sequence. For each user sign-in, multiple events may be emitted by IAM Identity Center. | CredentialChallenge, CredentialVerification, UserAuthentication | "AuthWorkflowID": "9de74b32-8362-4a01-a524-de21df59fd83" |
| CredentialType | Used to specify the credential or factor that was challenged. UserAuthentication events will include all of the CredentialType values that were successfully verified across the user's sign-in sequence. | CredentialChallenge, CredentialVerification, UserAuthentication | CredentialType": "PASSWORD" or "CredentialType": "PASSWORD,TOTP" (possible values include: PASSWORD, TOTP, WEBAUTHN, EXTERNAL\$1IDP, RESYNC\$1TOTP, EMAIL\$1OTP) |
| DeviceEnrollmentRequired | Used to specify that the user was required to register an MFA device during sign-in, and that the user successfully completed that request. | UserAuthentication | "DeviceEnrollmentRequired": "true" |
| LoginTo | Used to specify the redirect location following a successful sign-in sequence. | UserAuthentication | "LoginTo": "https://mydirectory.awsapps.com/start/....." |
**CloudTrail events in the IAM Identity Center sign-in flows**
The following diagram describes the sign-in flow and the CloudTrail events that Sign-in emits.
![\[The sign-in flow and the CloudTrail events that Sign-in emits.\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/cloudtrail-events-in-iam-identity-center-sign-in-flows.png)
The diagram shows a **password sign-in** flow and a **federated sign-in** flow.
The **password sign-in** flow, which consists of steps 1–8, demonstrates the steps during the username and password sign-in process. IAM Identity Center sets `userIdentity.additionalEventData.CredentialType` to "`PASSWORD`", and IAM Identity Center goes through the credentials challenge-response cycle, retrying as needed.
The number of steps depends on the type of [login and the presence of the multi-factor authentication (MFA)](enable-mfa.md). The initial process results in three or five CloudTrail events with `UserAuthentication` ending the sequence for a successful authentication. Unsuccessful password authentication attempts result in additional CloudTrail events as the IAM Identity Center re-issues `CredentialChallenge` for regular or, if enabled, MFA authentication.
The password sign-in flow also covers the scenario where an IAM Identity Center user newly-created with a `CreateUser` API call signs in with a one-time password (OTP). The credential type in this scenario is “`EMAIL_OTP`”.
The **federated sign-in** flow, consisting of steps 1a, 2a, and 8, demonstrates the main steps during the federated authentication process where a [SAML assertion is provided by an identity provider](scim-profile-saml.md), validated by IAM Identity Center, and if successful, results in `UserAuthentication`. IAM Identity Center doesn't invoke the internal MFA authentication sequence in steps 3 – 7 because an external, federated identity provider is responsible for all user credential authentication.
# Username in sign-in CloudTrail events
IAM Identity Center emits the `UserName` field under the `additionalEventData` element once per successful sign-in of an IAM Identity Center user. The following list describes the two sign-in events in scope, and the conditions under which these events happen. Only one of the conditions can be true when a user is signing in.
+ `CredentialChallenge`
+ When `CredentialType` is "`PASSWORD`" – applies to password authentication with Directory Service or IAM Identity Center directory.
+ When `CredentialType` is "`EMAIL_OTP`" – applies only to the IAM Identity Center directory when a user created with a `CreateUser` API call attempts to sign in for the first time, and the user receives a one-time password to sign in with that password once.
+ `UserAuthentication`
+ When `CredentialType` is "`EXTERNAL_IDP`" – applies to authentication with an external IdP.
The value of `UserName` for successful authentications is as follows :
+ When the identity source is an external IdP, the value is equal to the `nameID` value in the incoming SAML assertion. This value is equal to the `UserName` field in the IAM Identity Center directory.
+ When the identity source is an IAM Identity Center directory, the value emitted is equal to the `UserName` field in this directory.
+ When the identity source is the Directory Service, the value emitted is equal to the username that the user enters during authentication. For example, a user who has the username `anyuser@company.com`, can authenticate with `anyuser`, `anyuser@company.com`, or `company.com/anyuser`, and in each case the entered value is emitted in CloudTrail respectively.
**Security masking of incorrect username attempts**
The `UserName` field contains the string `HIDDEN_DUE_TO_SECURITY_REASONS` when the recorded event is a console sign-in failure caused by incorrect user name input. CloudTrail doesn't record the contents in this case because the text could contain sensitive information, as described in the following examples:
+ A user accidentally types a password in the user name field.
+ A user accidentally types the account name of a personal email account, a bank sign-in identifier, or some other private ID.
**Tip**
We recommend you use `userId` and `identityStoreArn` for identifying the user behind IAM Identity Center CloudTrail events. If you need to use the `userName` field, you can use the `userName` under the `additionalEventData` element that's emitted once per successful sign-in.
For additional information on how you can use the `UserName` field, refer to [Correlating user events within the same user sessionCorrelating users between IAM Identity Center and external directories](sso-cloudtrail-use-cases.md#correlating-users).
# Example events for IAM Identity Center sign-in scenarios
The following examples illustrate the typical CloudTrail event sequences generated during various AWS sign-in scenarios. These examples serve as reference patterns to help you interpret authentication logs, identify security issues, and verify that your authentication policies are functioning correctly.
**Topics**
+ [Successful sign-in when authenticating with password only](#sign-in-events-examples-1)
+ [Successful sign-in when authenticating with an external identity provider](#sign-in-events-examples-2)
+ [Successful sign-in when authenticating with a password and a time-based one-time password (TOTP) authenticator app](#sign-in-events-examples-3)
+ [Successful sign-in when authenticating with a password and forced MFA registration is required](#sign-in-events-examples-4)
+ [Failed sign-in due to incorrect password authentication](#sign-in-events-examples-5)
## Successful sign-in when authenticating with password only
The following sequence of events captures an example of a successful password only sign-in.
**CredentialChallenge (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-07T20:33:58Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialChallenge",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
"UserName":"bobsmith@example.com",
"CredentialType":"PASSWORD"
},
"requestID":"5be44ffb-6946-4f47-acaf-1adebd4afead",
"eventID":"27ea7725-c1fd-4355-bdba-d0e628e0e604",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"serviceEventDetails":{
"CredentialChallenge":"Success"
}
}
```
**Successful CredentialVerification (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-07T20:34:09Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialVerification",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
"CredentialType":"PASSWORD"
},
"requestID":"f3cf52ad-fd3d-4889-8c15-f18d1a7c7393",
"eventID":"c49640f6-0c8a-43d3-a6e0-900e3bb188d4",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialVerification":"Success"
}
}
```
**Successful UserAuthentication (Password Only)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-07T20:34:09Z",
"eventSource":"signin.amazonaws.com",
"eventName":"UserAuthentication",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
"LoginTo":"https://d-1234567890.awsapps.com/start/?state=QVlBQmVGMHFiS0wzWlp1SFgrR25BRnFobU5nQUlnQUJBQk5FWVhSaFVHeGhibVZUZEdGMFpWQmhjbUZ0QUFsUVpYSmxaM0pwYm1VQUFRQUhZWGR6TFd0dGN3QkxZWEp1T21GM2N6cHJiWE02ZFhNdFpXRnpkQzB4T2pjNE9ETTJNVFUxTWpnM056cHJaWGt2TjJOa056Um1PR1l0TnpNME5TMDBabUUxTFdFeU5Ea3RZV0kwTVRreE9UTmhOakkxQUxnQkFnRUFlTDJaOW85cm0xUHNKME05RjZtemdJSXczVU81a0trQy8yZktUWHNUbkx4b0FldytIdzFCK1NuM2NVWitsbncxdGdBQUFBQitNSHdHQ1NxR1NJYjNEUUVIQnFCdk1HMENBUUF3YUFZSktvWklodmNOQVFjQk1CNEdDV0NHU0FGbEF3UUJMakFSQkF5TFJxUDNsUUR6b0txUmlKQUNBUkNBTzRhalR4UUM3cUMvUG1ZUHBJWnRLS2ZlQkRHdmVsNXVJS1REdTkvekRNd2JxRFcxcVBTMDRkZUxST2NGYk96K2xzeGdTdUlKZTVYdiswZWdBZ0FBQUFBTUFBQVFBQUFBQUFBQUFBQUFBQUFBQVB5NEdEdUtWYnBzZWRTYTgvL3MrdEQvLy8vL0FBQUFBUUFBQUFBQUFBQUFBQUFBQVFBQUFGTXNzY3Q2V1QrZjg4N3AvbnlXQUNuQzFweGZaVGZvSjNSVWdhREJOKzNjK2F2NEI5WENxRDM2NkxmcTBzaDIrM3RDQ2J0N2VzMmw0Y1lDcXhwRFM3Y1JnRUxxMjQrVGdZSndvZXZkWW83eFV1bG9sVkJkTWFhcVBSenFyb2ZzNGpFR1FjUT0%3D&auth_code=11OawSqh1qmg4ePRn3DGfmBkWhJ5kYC4t6eFTprUDe8A_h_E75G3iwMNuAvLOs73v5vOaP_xA_PYJikGpt9UJ8kX92vRBCZPubpGegAoz__1fHKwL207gI6MVYEQvMKb2xfMf4qCKedRe0i-BshlIc5OBAA6ftz73M6LsfLWDlfOxviO2K3wet946lC30f_iWdilx-zv__4pSHf7mcUIs&wdc_csrf_token=srAzW1jK4GPYYoR452ruZ38DxEsDY9x81q1tVRSnno5pUjISvP7TqziOLiBLBUSxEjOmQk2XoLlcYolXjOMdiaBoVVBL482Q6iShpDgQcm271KWlODotVsoVADe1tixLr694N70foOPUAuIdi6RxxBSteidgAU7SBZDdfAxeJdqTg45kc4XpnCTKlQiIsrdFShisDnocFsj6EQRDTtEggww2MCXuJBByhpCfUIwg14znJwpR4F9wBw76xyTBBQOv&organization=d-9067230c03®ion=us-east-1",
"CredentialType":"PASSWORD"
},
"requestID":"f3cf52ad-fd3d-4889-8c15-f18d1a7c7393",
"eventID":"e959a95a-2b33-478d-906c-4fe303e8a9f1",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"UserAuthentication":"Success"
}
}
```
## Successful sign-in when authenticating with an external identity provider
The following sequence of events captures an example of a successful sign-in when authenticated through the SAML protocol using an external identity provider.
**Successful UserAuthentication (External Identity Provider)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-07T20:34:09Z",
"eventSource":"signin.amazonaws.com",
"eventName":"UserAuthentication",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
"LoginTo":"https://d-1234567890.awsapps.com/start/?state=QVlBQmVGMHFiS0wzWlp1SFgrR25BRnFobU5nQUlnQUJBQk5FWVhSaFVHeGhibVZUZEdGMFpWQmhjbUZ0QUFsUVpYSmxaM0pwYm1VQUFRQUhZWGR6TFd0dGN3QkxZWEp1T21GM2N6cHJiWE02ZFhNdFpXRnpkQzB4T2pjNE9ETTJNVFUxTWpnM056cHJaWGt2TjJOa056Um1PR1l0TnpNME5TMDBabUUxTFdFeU5Ea3RZV0kwTVRreE9UTmhOakkxQUxnQkFnRUFlTDJaOW85cm0xUHNKME05RjZtemdJSXczVU81a0trQy8yZktUWHNUbkx4b0FldytIdzFCK1NuM2NVWitsbncxdGdBQUFBQitNSHdHQ1NxR1NJYjNEUUVIQnFCdk1HMENBUUF3YUFZSktvWklodmNOQVFjQk1CNEdDV0NHU0FGbEF3UUJMakFSQkF5TFJxUDNsUUR6b0txUmlKQUNBUkNBTzRhalR4UUM3cUMvUG1ZUHBJWnRLS2ZlQkRHdmVsNXVJS1REdTkvekRNd2JxRFcxcVBTMDRkZUxST2NGYk96K2xzeGdTdUlKZTVYdiswZWdBZ0FBQUFBTUFBQVFBQUFBQUFBQUFBQUFBQUFBQVB5NEdEdUtWYnBzZWRTYTgvL3MrdEQvLy8vL0FBQUFBUUFBQUFBQUFBQUFBQUFBQVFBQUFGTXNzY3Q2V1QrZjg4N3AvbnlXQUNuQzFweGZaVGZvSjNSVWdhREJOKzNjK2F2NEI5WENxRDM2NkxmcTBzaDIrM3RDQ2J0N2VzMmw0Y1lDcXhwRFM3Y1JnRUxxMjQrVGdZSndvZXZkWW83eFV1bG9sVkJkTWFhcVBSenFyb2ZzNGpFR1FjUT0%3D&auth_code=11OawSqh1qmg4ePRn3DGfmBkWhJ5kYC4t6eFTprUDe8A_h_E75G3iwMNuAvLOs73v5vOaP_xA_PYJikGpt9UJ8kX92vRBCZPubpGegAoz__1fHKwL207gI6MVYEQvMKb2xfMf4qCKedRe0i-BshlIc5OBAA6ftz73M6LsfLWDlfOxviO2K3wet946lC30f_iWdilx-zv__4pSHf7mcUIs&wdc_csrf_token=srAzW1jK4GPYYoR452ruZ38DxEsDY9x81q1tVRSnno5pUjISvP7TqziOLiBLBUSxEjOmQk2XoLlcYolXjOMdiaBoVVBL482Q6iShpDgQcm271KWlODotVsoVADe1tixLr694N70foOPUAuIdi6RxxBSteidgAU7SBZDdfAxeJdqTg45kc4XpnCTKlQiIsrdFShisDnocFsj6EQRDTtEggww2MCXuJBByhpCfUIwg14znJwpR4F9wBw76xyTBBQOv&organization=d-9067230c03®ion=us-east-1",
"CredentialType":"EXTERNAL_IDP",
"UserName":"bobsmith@example.com"
},
"requestID":"f3cf52ad-fd3d-4889-8c15-f18d1a7c7393",
"eventID":"e959a95a-2b33-478d-906c-4fe303e8a9f1",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"UserAuthentication":"Success"
}
}
```
## Successful sign-in when authenticating with a password and a time-based one-time password (TOTP) authenticator app
The following sequence of events captures an example where multi-factor authentication was required during sign-in and the user successfully signed in using a password and a TOTP authenticator app.
**CredentialChallenge (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-08T20:40:13Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialChallenge",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
"CredentialType":"PASSWORD",
"UserName":"bobsmith@example.com"
},
"requestID":"e454ea66-1027-4d00-9912-09c0589649e1",
"eventID":"d89cc0b5-a23a-4b88-843a-89329aeaef2e",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialChallenge":"Success"
}
}
```
**Successful CredentialVerification (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-08T20:40:20Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialVerification",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
"CredentialType":"PASSWORD"
},
"requestID":"92c4ac90-0d9b-452d-95d5-728487612f5e",
"eventID":"4533fd49-6669-4d0b-b272-a0b2139309a8",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialVerification":"Success"
}
}
```
**CredentialChallenge (TOTP)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-08T20:40:20Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialChallenge",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
"CredentialType":"TOTP"
},
"requestID":"92c4ac90-0d9b-452d-95d5-728487612f5e",
"eventID":"29202f08-f240-40cc-b789-c0cea8a27847",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialChallenge":"Success"
}
}
```
**Successful CredentialVerification (TOTP)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-08T20:40:27Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialVerification",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
"CredentialType":"TOTP"
},
"requestID":"c40a691f-eeb1-4352-b286-5e909f96f318",
"eventID":"e889ff1d-fcaf-454f-805d-7132cf2362a4",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialVerification":"Success"
}
}
```
**Successful UserAuthentication (Password \$1 TOTP)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-08T20:40:27Z",
"eventSource":"signin.amazonaws.com",
"eventName":"UserAuthentication",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
"LoginTo":"https://d-1234567890.awsapps.com/start/?state\u003dQVlBQmVLeFhWeDRmZFJmMmxHcWYwdzhZck5RQUlnQUJBQk5FWVhSaFVHeGhibVZUZEdGMFpWQmhjbUZ0QUFsUVpYSmxaM0pwYm1VQUFRQUhZWGR6TFd0dGN3QkxZWEp1T21GM2N6cHJiWE02ZFhNdFpXRnpkQzB4T2pjNE9ETTJNVFUxTWpnM056cHJaWGt2TjJOa056Um1PR1l0TnpNME5TMDBabUUxTFdFeU5Ea3RZV0kwTVRreE9UTmhOakkxQUxnQkFnRUFlTDJaOW85cm0xUHNKME05RjZtemdJSXczVU81a0trQy8yZktUWHNUbkx4b0FjT3lLZ2RQUFBTRzN6d2l0WmJOSFVRQUFBQitNSHdHQ1NxR1NJYjNEUUVIQnFCdk1HMENBUUF3YUFZSktvWklodmNOQVFjQk1CNEdDV0NHU0FGbEF3UUJMakFSQkF3aHFPL1ZoaFU4bmJFaEoxZ0NBUkNBTzJYZ0xpem12MlJoM3lnRGJaQ2dUcUZlbk5iWGN2ZWVzUjV6WmpLeXZUVnBwTjk2ZGVUZ3plcURod3hRMmNTR1pkTnBVd1RWWWFxbGp2akRBZ0FBQUFBTUFBQVFBQUFBQUFBQUFBQUFBQUFBQUxhZjZTVnRvMlFKWWt0Q0crWjd6NnIvLy8vL0FBQUFBUUFBQUFBQUFBQUFBQUFBQVFBQUFGUFhUR3dad0NheXAwUlZBQjJOelZsZnJ1aEdEOUNPeDNqMENBakdseU9DSWxFejlnZWRqcUZxUHZnUzIrN1ltZE84R1BvN21FQ0sybnBqdm13enozWEdBdnJFcVNzZ2RVQVBReXFpcS9oWTdFaUxhZHBYclhYZDlKeUkxZGJ4K3k3Wk80WT0%3D\u0026auth_code\u003d11Fir1mCVJ-4Y5UY6RI10UCXvRePCHd6195xvYg1rwo1Pj7B-7UGIGlYUUVe31Nkzd7ihxKn6DMdnFfO01O8qc3RFR8FUd1w8Z91Txh_4i9y47-Sx-pjBXKG_jUcvBk_UILdGytV4o1u97h42B-TA_6uwdmJiw1dcCz_Rv44d_BS0PkulW-5LVJy1oeP1H0FPPMeheyuk5Uy48d5of9-c\u0026wdc_csrf_token\u003dNMlui44guoVnxRd0qu2tYJIdyyFPX6SDRNTspIScfMM0AgFbho1nvvCaxPTghHbgHCRIXdffFtzH0sL1ow419BobnmqBsnJNx17h3kujsGzt9DJFaJCgbZQOF7pSbr1pHVMGg1MOOvniFekN6YmJ2CB1FeKUBbfNAz2bGZYnXrXQe6bTenIh5f0Pu9lhZJZ5KDQVka7afWFqOaQCzLEFwgATcJ44N6YcmmZBJbKHx3gyEDMzkwRuNJrwjoVpkmDH\u0026organization\u003dd-9067230c03\u0026region\u003dus-east-1",
"CredentialType":"PASSWORD,TOTP"
},
"requestID":"c40a691f-eeb1-4352-b286-5e909f96f318",
"eventID":"7a8c8725-db2f-488d-a43e-788dc6c73a4a",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"UserAuthentication":"Success"
}
}
```
## Successful sign-in when authenticating with a password and forced MFA registration is required
The following sequence of events demonstrates a successful password authentication where the user was required to register and successfully complete multi-factor authentication (MFA) before finalizing their sign-in process.
**CredentialChallenge (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-09T01:24:02Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialChallenge",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"76d8a26d-ad9c-41a4-90c3-d607cdd7155c",
"CredentialType":"PASSWORD",
"UserName":"bobsmith@example.com"
},
"requestID":"321f4b13-42b5-4005-a0f7-826cad26d159",
"eventID":"8c707b0f-e45a-4a9c-bee2-ff68638d2f1b",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialChallenge":"Success"
}
}
```
**Successful CredentialVerification (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-09T01:24:09Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialVerification",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"76d8a26d-ad9c-41a4-90c3-d607cdd7155c",
"CredentialType":"PASSWORD"
},
"requestID":"12b57efa-0a92-4479-91a3-5b6641817c21",
"eventID":"783b0c89-7142-4942-8b84-6ee0de1b992e",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialVerification":"Success"
}
}
```
**Successful UserAuthentication (Password \$1 MFA Registration Required)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"IdentityCenterUser",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
"onBehalfOf": {
"userId": "94d00cd8-e9e6-4810-b177-b08e84725435",
"identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
},
"credentialId" : "8f761cae-883d-4a3d-af67-3abf46488f71"
},
"eventTime":"2020-12-09T01:24:14Z",
"eventSource":"signin.amazonaws.com",
"eventName":"UserAuthentication",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"76d8a26d-ad9c-41a4-90c3-d607cdd7155c",
"LoginTo":"https://d-1234567890.awsapps.com/start/?state\u003dQVlBQmVGQ3VqdHF5aW9CUDdrNXRTVTJUaWNnQUlnQUJBQk5FWVhSaFVHeGhibVZUZEdGMFpWQmhjbUZ0QUFsUVpYSmxaM0pwYm1VQUFRQUhZWGR6TFd0dGN3QkxZWEp1T21GM2N6cHJiWE02ZFhNdFpXRnpkQzB4T2pjNE9ETTJNVFUxTWpnM056cHJaWGt2TjJOa056Um1PR1l0TnpNME5TMDBabUUxTFdFeU5Ea3RZV0kwTVRreE9UTmhOakkxQUxnQkFnRUFlTDJaOW85cm0xUHNKME05RjZtemdJSXczVU81a0trQy8yZktUWHNUbkx4b0FSOVdDcXQ5bUxQeUJ2dFhJNTNFaGhvQUFBQitNSHdHQ1NxR1NJYjNEUUVIQnFCdk1HMENBUUF3YUFZSktvWklodmNOQVFjQk1CNEdDV0NHU0FGbEF3UUJMakFSQkF6Y0FYakw5TE1mdjh5a3owc0NBUkNBT3p5cTd4TXdzTFh3WnJ4dFNvVUF0MXVEU3J1WVBPWGc0UGFhNTNZQWxqamI2VFVyOGRYNjhpRDVoRCs3VVIrWVZUck1YOThsRGJCMmNHNHpBZ0FBQUFBTUFBQVFBQUFBQUFBQUFBQUFBQUFBQU03N1hhMlp4R1MzRUppT2xSY3ZRUnYvLy8vL0FBQUFBUUFBQUFBQUFBQUFBQUFBQVFBQUFGTVNpc3RSRGR6c0FmZmgwbHhsYks2RjZSNTg1NmdOZTRsaWxsT2x1QmVKZVRSRGtrVkVJRVl0Y0t4eFliRDJoV0JsUG9VbElCb01UYy9XbVNyRE1WU2JzcEl0ZXFMMVdxN2MrT2RRUXZFWEdHRUdkRXFpNHFpdmlmQmJhU2V1bGtmSERBOD0%3D\u0026auth_code\u003d11eZ80S_maUsZ7ABETjeQhyWfvIHYz52rgR28sYAKN1oEk2G07czrwzXvE9HLlN2K9De8LyBEV83SFeDQfrWpkwXfaBc2kNR125q_9JkiAeID3_5NkgvDEastjRV_mpFk0sf__0jRcr8vRm-FJyJqkoGrt_w6rm_MpAn0uyrVq8udY EgU3fhOL3QWvWiquYnDPMyPmmy_qkZgR9rz__BI\u0026wdc_csrf_token\u003dJih9U62o5LQDtYLNqCK8a6xj0gJg5BRWq2tbl75y8vAmwZhAqrgrgbxXat2M646UZGp93krw7WYQdHIgi5OYI9QSckf4aovh0maPetDfTj5twOa6FcUKKzMSMBkhJEwiMKgQ1ncaZTPRhdV8o53cyzTYPtZNp0KgrmxlLyZVscVnECUKogJxllWy67XU7po8K68iFqOCq5IGuAbv6zdblbQpaIR2OjgdHZgCjrPNFTUhaabhpOFtXdQNPDArJna1\u0026organization\u003dd-9067230c03\u0026region\u003dus-east-1",
"CredentialType":"PASSWORD",
"DeviceEnrollmentRequired":"true"
},
"requestID":"74d24604-a365-4237-8c4a-350795494b92",
"eventID":"a15bf257-7f37-46c0-b67c-fea5fa6166be",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"UserAuthentication":"Success"
}
}
```
## Failed sign-in due to incorrect password authentication
The following sequence of events demonstrates an authentication attempt where the user successfully entered their username but failed the password verification step, resulting in an unsuccessful sign-in.
**CredentialChallenge (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"Unknown",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
},
"eventTime":"2020-12-08T18:56:15Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialChallenge",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"adbf67c4-8188-4e2b-8527-fe539e328fa7",
"CredentialType":"PASSWORD",
"UserName":"bobsmith@example.com"
},
"requestID":"f54848ea-b1aa-402f-bf0d-a54561a2ffcc",
"eventID":"d96f1d6c-dbd9-4a0b-9a45-6a2b66078c78",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialChallenge":"Success"
}
}
```
**Failed CredentialVerification (Password)**
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"Unknown",
"arn":"",
"accountId":"111122223333",
"accessKeyId":"",
},
"eventTime":"2020-12-08T18:56:21Z",
"eventSource":"signin.amazonaws.com",
"eventName":"CredentialVerification",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"requestParameters":null,
"responseElements":null,
"additionalEventData":{
"AuthWorkflowID":"adbf67c4-8188-4e2b-8527-fe539e328fa7",
"CredentialType":"PASSWORD"
},
"requestID":"04528c82-a678-4a1f-a56d-ea2c6445a72a",
"eventID":"9160fe06-fc2a-474f-9b78-000ee067a09d",
"readOnly":false,
"eventType":"AwsServiceEvent",
"managementEvent":true,
"eventCategory":"Management",
"recipientAccountId":"111122223333",
"serviceEventDetails":{
"CredentialVerification":"Failure"
}
}
```