Username in sign-in CloudTrail events - AWS IAM Identity Center

Username in sign-in CloudTrail events

IAM Identity Center emits the UserName field under the additionalEventData element once per successful sign-in of an IAM Identity Center user. The following list describes the two sign-in events in scope and the conditions under which the field is emitted. Exactly one of these conditions applies to any given sign-in.

  • CredentialChallenge

    • When CredentialType is "PASSWORD" – applies to password authentication with AWS Directory Service or the IAM Identity Center directory.

    • When CredentialType is "EMAIL_OTP" – applies only to the IAM Identity Center directory, when a user created with the CreateUser API call signs in for the first time. The user receives a one-time password and signs in with it once.

  • UserAuthentication

    • When CredentialType is "EXTERNAL_IDP" – applies to authentication with an external IdP.

The value of UserName is as follows for successful authentications:

  • When the identity source is an external IdP, the value is equal to the nameID value in the incoming SAML assertion. This value is equal to the UserName field in the IAM Identity Center directory.

  • When the identity source is an IAM Identity Center directory, the value emitted is equal to the UserName field in this directory.

  • When the identity source is AWS Directory Service, the value emitted is the username exactly as the user entered it during authentication. For example, a user whose username is anyuser@company.com can authenticate as anyuser, anyuser@company.com, or company.com/anyuser, and the value recorded in CloudTrail is whichever of these forms was entered.

Note

We recommend that you use userId and identityStoreArn to identify the user behind IAM Identity Center CloudTrail events. If you need to use the userName field, use the userName under the additionalEventData element and avoid the userName field under the userIdentity element.
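The following is an added example, not code from the AWS documentation, that turns the rules above into a small log-processing helper: it keeps only the (eventName, CredentialType) pairs for which this page says UserName is emitted, reads UserName from additionalEventData rather than userIdentity as the Note recommends, keys per-user counts on identityStoreArn and userId, and normalizes the three AWS Directory Service login forms (anyuser, anyuser@company.com, company.com/anyuser) to one name. The sample events are constructed, the identifiers are placeholders, and the userIdentity.onBehalfOf.userId / identityStoreArn paths are an assumption about the event shape that you should confirm against events from your own trail.

```python
"""Pull the sign-in username out of IAM Identity Center CloudTrail events.

Added example, not code from the AWS documentation. It encodes the rules on
this page: additionalEventData.UserName is emitted for CredentialChallenge with
CredentialType PASSWORD or EMAIL_OTP, and for UserAuthentication with
CredentialType EXTERNAL_IDP. The userIdentity.onBehalfOf.userId and
identityStoreArn paths are an ASSUMPTION about the event shape; confirm them
against events from your own trail.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# (eventName, CredentialType) pairs for which this page says UserName is present.
USERNAME_BEARING_EVENTS = {
    ("CredentialChallenge", "PASSWORD"),
    ("CredentialChallenge", "EMAIL_OTP"),
    ("UserAuthentication", "EXTERNAL_IDP"),
}


@dataclass(frozen=True)
class SignIn:
    event_name: str
    credential_type: str
    user_name: str                      # additionalEventData.UserName
    user_id: Optional[str]              # stable identifier preferred by the Note
    identity_store_arn: Optional[str]


def extract_sign_in(event: dict) -> Optional[SignIn]:
    """Return a SignIn for a successful, in-scope event; None otherwise."""
    extra = event.get("additionalEventData") or {}
    key = (event.get("eventName"), extra.get("CredentialType"))
    if key not in USERNAME_BEARING_EVENTS:
        return None
    # CloudTrail marks failed calls with errorCode; UserName is only emitted on success.
    if "errorCode" in event or "UserName" not in extra:
        return None
    # ASSUMED path for the stable identifiers the Note recommends.
    on_behalf = (event.get("userIdentity") or {}).get("onBehalfOf") or {}
    return SignIn(
        event_name=key[0],
        credential_type=key[1],
        user_name=extra["UserName"],
        user_id=on_behalf.get("userId"),
        identity_store_arn=on_behalf.get("identityStoreArn"),
    )


def canonical_directory_user(entered: str) -> str:
    """Reduce the three AWS Directory Service login forms on this page
    (anyuser, anyuser@company.com, company.com/anyuser) to the bare name.
    Only meaningful when the identity source is AWS Directory Service."""
    if "/" in entered:                       # company.com/anyuser
        return entered.rsplit("/", 1)[1]
    return entered.split("@", 1)[0]          # anyuser@company.com or anyuser


def sign_in_counts(events: Iterable[dict]) -> Dict[Tuple[str, str], int]:
    """Count successful sign-ins per user, keyed by (identityStoreArn, userId)
    as the Note recommends, falling back to ('', UserName) when those are absent."""
    counts: Dict[Tuple[str, str], int] = {}
    for event in events:
        rec = extract_sign_in(event)
        if rec is None:
            continue
        key = (rec.identity_store_arn or "", rec.user_id or rec.user_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events (not real CloudTrail output); identifiers are placeholders.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventName":"CredentialChallenge","additionalEventData":{"CredentialType":"PASSWORD","UserName":"company.com/anyuser"},"userIdentity":{"onBehalfOf":{"userId":"USER-ID-PLACEHOLDER-1","identityStoreArn":"arn:aws:identitystore::111122223333:identitystore/d-PLACEHOLDER"}}}
{"eventName":"CredentialChallenge","additionalEventData":{"CredentialType":"PASSWORD","UserName":"anyuser@company.com"},"userIdentity":{"onBehalfOf":{"userId":"USER-ID-PLACEHOLDER-1","identityStoreArn":"arn:aws:identitystore::111122223333:identitystore/d-PLACEHOLDER"}}}
{"eventName":"CredentialChallenge","additionalEventData":{"CredentialType":"PASSWORD","UserName":"anyuser"},"errorCode":"ExampleFailure"}
{"eventName":"UserAuthentication","additionalEventData":{"CredentialType":"EXTERNAL_IDP","UserName":"jane@example.com"},"userIdentity":{"onBehalfOf":{"userId":"USER-ID-PLACEHOLDER-2","identityStoreArn":"arn:aws:identitystore::111122223333:identitystore/d-PLACEHOLDER"}}}
{"eventName":"UserAuthentication","additionalEventData":{"CredentialType":"PASSWORD","UserName":"should-not-count"}}
{"eventName":"CredentialChallenge","additionalEventData":{"CredentialType":"EMAIL_OTP","UserName":"newhire"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for key, n in sign_in_counts(SAMPLE_EVENTS).items():
        print(key, n)
```

Two of the constructed events are the same directory user signing in under different entered forms; because the counts are keyed on identityStoreArn and userId they collapse into one entry, which is the point of the Note. The failed event (errorCode) and the (UserAuthentication, PASSWORD) event, which is not one of the combinations this page lists, are both skipped.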

For additional information on how you can use the UserName field, refer to Correlating users between IAM Identity Center and external directories.