IAM Identity Center information in CloudTrail - AWS IAM Identity Center

IAM Identity Center information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM Identity Center, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing events with CloudTrail event history.

Note

For more information about how user identification and tracking of user actions in CloudTrail events is evolving, refer to Important changes to CloudTrail events for IAM Identity Center in the AWS Security Blog.

For an ongoing record of events in your AWS account, including events for IAM Identity Center, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following topics in the AWS CloudTrail User Guide:

When CloudTrail logging is enabled in your AWS account, API calls made to IAM Identity Center actions are tracked in log files. IAM Identity Center records are written together with other AWS service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size.

CloudTrail events for supported IAM Identity Center APIs

The following sections provide information about the CloudTrail events associated with the following APIs that IAM Identity Center supports:

CloudTrail events of IAM Identity Center API operations

The following list contains the CloudTrail events that the public IAM Identity Center operations emit with the sso.amazonaws.com event source. For more information about the public IAM Identity Center API operations, see the IAM Identity Center API Reference.

You might find additional events in CloudTrail for IAM Identity Center console API operations that the console relies on. For more information about these console APIs, see the Service Authorization Reference.

CloudTrail events of Identity Store API operations

The following list contains the CloudTrail events that the public Identity Store operations emit with the identitystore.amazonaws.com event source. For more information about the public Identity Store API operations, see the Identity Store API Reference.

You might see additional events in CloudTrail for the Identity Store console API operations with the sso-directory.amazonaws.com event source. These APIs support the console and AWS access portal. If you need to detect the occurrence of a particular operation, such as adding a member to a group, monitor both the public and the console API operations, because the same change can arrive under either event source. For more information about these console APIs, see the Service Authorization Reference.

CloudTrail events of OIDC API operations

The following list contains the CloudTrail events that the public OIDC operations emit. For more information about the public OIDC API operations, see the OIDC API Reference.

CloudTrail events of AWS access portal API operations

The following list contains the CloudTrail events that the AWS access portal API operations emit with the sso.amazonaws.com event source. The API operations noted as being unavailable in the public API support the operations of the AWS access portal. Using the AWS CLI can emit CloudTrail events for both the public AWS access portal API operations and those that are unavailable in the public API. For more information about public AWS access portal API operations, see the AWS access portal API Reference.

  • Authenticate (Not available in the public API. Provides login to the AWS access portal.)

  • Federate (Not available in the public API. Provides federation into applications.)

  • ListAccountRoles

  • ListAccounts

  • ListApplications (Not available in the public API. Provides users’ assigned resources for display in the AWS access portal.)

  • ListProfilesForApplication (Not available in the public API. Provides application metadata for display in the AWS access portal.)

  • GetRoleCredentials

  • Logout

Identity information in IAM Identity Center CloudTrail events

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root user or AWS Identity and Access Management (IAM) user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

  • Whether the request was made by an IAM Identity Center user. If so, the userId and identityStoreArn fields are available in the CloudTrail events to identify the IAM Identity Center user who initiated the request. For more information, see Identifying the user and session in IAM Identity Center user-initiated CloudTrail events.

For more information, see the CloudTrail userIdentity element.
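The two practical points above, that a single change (adding a member to a group) can be logged under either the public Identity Store event source or the sso-directory console event source, and that an Identity Center user is identified by the userId and identityStoreArn fields in the event, can be combined into one detection routine. The following is an added example, not code from the AWS documentation. It assumes the event names CreateGroupMembership (identitystore.amazonaws.com) and AddMemberToGroup (sso-directory.amazonaws.com), which you should verify against the Service Authorization Reference and your own logs, and it does not assume a fixed nesting for userId and identityStoreArn inside userIdentity; it searches the element for them. The sample log is constructed, not real data.

```python
"""Detect 'member added to group' events in IAM Identity Center CloudTrail
records and attribute each one to the Identity Center user that initiated it.

Added example, not code from the AWS documentation. Assumptions (verify
against the Service Authorization Reference and your own log samples):
  - the public Identity Store event is CreateGroupMembership under
    identitystore.amazonaws.com;
  - the console-side event is AddMemberToGroup under sso-directory.amazonaws.com;
  - userId / identityStoreArn sit somewhere inside userIdentity (the exact
    nesting is not assumed; the element is searched for them).
"""
import json

# eventSource -> eventNames that add a member to a group (assumed names).
GROUP_ADD_EVENTS = {
    "identitystore.amazonaws.com": {"CreateGroupMembership"},  # public API
    "sso-directory.amazonaws.com": {"AddMemberToGroup"},       # console API
}


def _find_key(obj, key):
    """Depth-first search of nested dicts/lists for the first value of key."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _find_key(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for value in obj:
            found = _find_key(value, key)
            if found is not None:
                return found
    return None


def actor(record):
    """Who initiated the record: an Identity Center user when both userId and
    identityStoreArn are present in userIdentity, else the raw principal."""
    user_identity = record.get("userIdentity") or {}
    user_id = _find_key(user_identity, "userId")
    store_arn = _find_key(user_identity, "identityStoreArn")
    if user_id and store_arn:
        return {"kind": "IdentityCenterUser", "userId": user_id,
                "identityStoreArn": store_arn}
    return {"kind": user_identity.get("type", "Unknown"),
            "arn": user_identity.get("arn")}


def load_records(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into records."""
    return json.loads(log_text).get("Records", [])


def find_group_adds(records):
    """One finding per successful group-membership add, whichever event
    source (public or console API) it arrived under."""
    findings = []
    for record in records:
        wanted = GROUP_ADD_EVENTS.get(record.get("eventSource"), set())
        if record.get("eventName") not in wanted:
            continue
        # A denied or failed call did not change the group; skip it.
        if record.get("errorCode") or record.get("errorMessage"):
            continue
        params = record.get("requestParameters") or {}
        findings.append({
            "eventTime": record.get("eventTime"),
            "eventSource": record["eventSource"],
            "eventName": record["eventName"],
            "groupId": _find_key(params, "groupId"),
            "actor": actor(record),
        })
    return findings


# Constructed sample log (not real data); trimmed to the fields used above.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "identitystore.amazonaws.com",
  "eventName": "CreateGroupMembership",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
    "onBehalfOf": {"userId": "00000000-0000-4000-8000-000000000001",
      "identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"}},
  "requestParameters": {"identityStoreId": "d-1234567890", "groupId": "g-0001",
    "memberId": {"userId": "00000000-0000-4000-8000-000000000002"}}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sso-directory.amazonaws.com",
  "eventName": "AddMemberToGroup",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
    "onBehalfOf": {"userId": "00000000-0000-4000-8000-000000000001",
      "identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"}},
  "requestParameters": {"directoryId": "d-1234567890", "groupId": "g-0002"}},
 {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "sso-directory.amazonaws.com",
  "eventName": "AddMemberToGroup", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"directoryId": "d-1234567890", "groupId": "g-0002"}},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "identitystore.amazonaws.com",
  "eventName": "ListGroups",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}}
]}"""

if __name__ == "__main__":
    for finding in find_group_adds(load_records(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the constructed log, this reports the two successful adds (one per event source), attributes both to the same Identity Center user, skips the AccessDenied attempt, and ignores the unrelated ListGroups call. The actor helper is not specific to group changes; the same lookup applies to sso.amazonaws.com access portal events such as GetRoleCredentials when you need to tie them back to an Identity Center user.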

Note

Currently, IAM Identity Center doesn't emit CloudTrail events for the following actions:

  • User sign-in to AWS managed web applications (for example, Amazon SageMaker AI Studio) with the OIDC API. These web applications are a subset of the broader set of AWS managed applications, which also include non-web applications such as Amazon Athena SQL and Amazon S3 Access Grants.

  • Retrieval of user and group attributes by AWS managed applications with the Identity Store API.