# Amazon Cognito logging in AWS CloudTrail CloudTrail logs Amazon Cognito is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon Cognito. CloudTrail captures a subset of API calls for Amazon Cognito as events, including calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations. If you create a trail, you can choose to deliver CloudTrail events to an Amazon S3 bucket, including events for Amazon Cognito. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Amazon Cognito, the IP address from which the request was made, who made the request, when it was made, and additional details. To learn more about CloudTrail, including how to configure and activate it, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/). You can also create Amazon CloudWatch alarms for specific CloudTrail events. For example, you can set up CloudWatch to trigger an alarm if an identity pool configuration is changed. For more information, see [Creating CloudWatch alarms for CloudTrail events: Examples](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html). **Topics** + [ ## Information that Amazon Cognito sends to CloudTrail ](#amazon-cognito-info-in-cloudtrail) + [ ## Analyzing Amazon Cognito CloudTrail events with Amazon CloudWatch Logs Insights ](#analyzingcteventscwinsight) + [ # Example Amazon Cognito events ](understanding-amazon-cognito-entries.md) ## Information that Amazon Cognito sends to CloudTrail CloudTrail is turned on when you create your AWS account. When supported event activity occurs in Amazon Cognito, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). For an ongoing record of events in your AWS account, including events for Amazon Cognito, create a trail. A CloudTrail trail delivers log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see: + [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) + [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-list) + [Configuring amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html) + [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html) Every event or log entry contains information about who generated the request. The identity information helps you determine the following: + Whether the request was made with root or IAM user credentials. + Whether the request was made with temporary security credentials for a role or federated user. + Whether the request was made by another AWS service. For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). **Confidential data in AWS CloudTrail** Because user pools and identity pools process user data, Amazon Cognito obscures some private fields in your CloudTrail events with the value `HIDDEN_DUE_TO_SECURITY_REASONS`. For examples of fields that Amazon Cognito doesn't populate to events, see [Example Amazon Cognito events](understanding-amazon-cognito-entries.md). Amazon Cognito only obscures some fields that commonly contain user information, like passwords and tokens. Amazon Cognito doesn't perform any automatic detection or masking of personally-identifying information that you populate to non-private fields in your API requests. ### User pool events Amazon Cognito supports logging for all of the actions listed on the [User pool actions](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html) page as events in CloudTrail log files. Amazon Cognito logs user pool events to CloudTrail as *management events*. The `eventType` field in a Amazon Cognito user pools CloudTrail entry tells you whether your app made the request to the [Amazon Cognito user pools API](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html) or to an [endpoint that serves resources for OpenID Connect, SAML 2.0, or managed login pages](cognito-userpools-server-contract-reference.md). API requests have an `eventType` of `AwsApiCall` and endpoint requests have an `eventType` of `AwsServiceEvent`. Amazon Cognito logs the following requests to your managed login services as events in CloudTrail. ------ #### [ Hosted UI (classic) events ] **Hosted UI (classic) events in CloudTrail** | Operation | Description | | --- | --- | | Login\$1GET, CognitoAuthentication | A user views or submits credentials to your [Login endpoint](login-endpoint.md). | | OAuth2\$1Authorize\$1GET, Beta\$1Authorize\$1GET | A user views your [Authorize endpoint](authorization-endpoint.md). | | OAuth2Response\$1GET, OAuth2Response\$1POST | A user submits an IdP token to your /oauth2/idpresponse endpoint. | | SAML2Response\$1POST, Beta\$1SAML2Response\$1POST | A user submits an IdP SAML assertion to your /saml2/idpresponse endpoint. | | Login\$1OIDC\$1SAML\$1POST | A user enters a username at your [Login endpoint](login-endpoint.md) and matches with an [IdP identifier](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html). | | Token\$1POST, Beta\$1Token\$1POST | A user submits an authorization code to your [Token endpoint](token-endpoint.md). | | Signup\$1GET, Signup\$1POST | A user submits sign-up information to your /signup endpoint. | | Confirm\$1GET, Confirm\$1POST | A user submits a confirmation code in the hosted UI. | | ResendCode\$1POST | A user submits a request to resend a confirmation code in the hosted UI. | | ForgotPassword\$1GET, ForgotPassword\$1POST | A user submits a request to reset their password to your /forgotPassword endpoint. | | ConfirmForgotPassword\$1GET, ConfirmForgotPassword\$1POST | A user submits a code to your /confirmForgotPassword endpoint that confirms their ForgotPassword request. | | ResetPassword\$1GET, ResetPassword\$1POST | A user submits a new password in the hosted UI. | | Mfa\$1GET, Mfa\$1POST | A user submits a multi-factor authentication (MFA) code in the hosted UI. | | MfaOption\$1GET, MfaOption\$1POST | A user chooses their preferred method for MFA in the hosted UI. | | MfaRegister\$1GET, MfaRegister\$1POST | A user submits a multi-factor authentication (MFA) code in the hosted UI when registering the MFA. | | Logout | A user signs out at your /logout endpoint. | | SAML2Logout\$1POST | A user signs out at your /saml2/logout endpoint. | | Error\$1GET | A user views an error page in the hosted UI. | | UserInfo\$1GET, UserInfo\$1POST | A user or IdP exchanges information with your [userInfo endpoint](userinfo-endpoint.md). | | Confirm\$1With\$1Link\$1GET | A user submits a confirmation based on a link that Amazon Cognito sent in an email message. | | Event\$1Feedback\$1GET | A user submits feedback to Amazon Cognito about a [threat protection](cognito-user-pool-settings-threat-protection.md) event. | ------ #### [ Managed login events ] **Managed login events in CloudTrail** | Operation | Description | | --- | --- | | login\$1POST | A user submits credentials to your [Login endpoint](login-endpoint.md). | | login\$1continue\$1POST | A user who has already signed in one time chooses to sign in again. | | forgotPassword\$1POST | A user resets their password. | | selectChallenge\$1POST | A user responds to an authentication challenge after they submit their username or credentials. | | confirmUser\$1GET | A user opens the link in a [confirmation or verification email message](signing-up-users-in-your-app.md). | | mfa\$1back\$1POST | A user chooses the Back button after an MFA prompt. | | mfa\$1options\$1POST | A user selects an MFA option. | | mfa\$1phone\$1register\$1POST | A user submits a phone number to register as a MFA factor. This operation causes Amazon Cognito to send an MFA code to their phone number. | | mfa\$1phone\$1verify\$1POST | A user submits an MFA code sent to their phone number. | | mfa\$1phone\$1resendCode\$1POST | A user submits a request to resend a MFA code to their phone number. | | mfa\$1totp\$1POST | A user submits a TOTP MFA code. | | signup\$1POST | A user submits information to your /signup managed login page. | | signup\$1confirm\$1POST | A user submits a confirmation code from an email or SMS message. | | verifyCode\$1POST | A user submits a one-time password (OTP) for passwordless authentication. | | passkeys\$1add\$1POST | A user submits a request to register a new passkey credential. | | passkeys\$1add\$1GET | A user navigates to the page where they can register a passkey. | | login\$1passkey\$1POST | A user signs in with a passkey. | ------ **Note** Amazon Cognito records `UserSub` but not `UserName` in CloudTrail logs for requests that are specific to a user. You can find a user for a given `UserSub` by calling the `ListUsers` API, and using a filter for sub. ### Identity pools events **Data events** Amazon Cognito logs the following Amazon Cognito Identity events to CloudTrail as *data events*. [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) are high-volume data-plane API operations that CloudTrail doesn’t log by default. Additional charges apply for data events. + [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html) + [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html) + [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html) + [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html) + [https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_UnlinkIdentity.html](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_UnlinkIdentity.html) To generate CloudTrail logs for these API operations, you must activate data events in your trail and choose event selectors for **Cognito identity pools**. For more information, see [Logging data events for trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide*. You can also add identity pools event selectors to your trail with the following CLI command. ``` aws cloudtrail put-event-selectors --trail-name --advanced-event-selectors \ "{\ \"Name\": \"Cognito Selector\",\ \"FieldSelectors\": [\ {\ \"Field\": \"eventCategory\",\ \"Equals\": [\ \"Data\"\ ]\ },\ {\ \"Field\": \"resources.type\",\ \"Equals\": [\ \"AWS::Cognito::IdentityPool\"\ ]\ }\ ]\ }" ``` **Management events** Amazon Cognito logs the remainder of Amazon Cognito identity pools API operations as *management events*. CloudTrail logs management event API operations by default. For a list of the Amazon Cognito identity pools API operations that Amazon Cognito logs to CloudTrail, see the [Amazon Cognito identity pools API Reference](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_Operations.html). **Amazon Cognito Sync** Amazon Cognito logs all Amazon Cognito Sync API operations as management events. For a list of the Amazon Cognito Sync API operations that Amazon Cognito logs to CloudTrail, see the [Amazon Cognito Sync API Reference](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Operations.html). ## Analyzing Amazon Cognito CloudTrail events with Amazon CloudWatch Logs Insights You can search and analyze your Amazon Cognito CloudTrail events with Amazon CloudWatch Logs Insights. When you configure your trail to send events to CloudWatch Logs, CloudTrail sends only the events that match your trail settings. To query or research your Amazon Cognito CloudTrail events, in the CloudTrail console, make sure that you select the **Management events** option in your trail settings so that you can monitor the management operations performed on your AWS resources. You can optionally select the **Insights events** option in your trail settings when you want to identify errors, unusual activity, or unusual user behavior in your account. ### Sample Amazon Cognito queries You can use the following queries in the Amazon CloudWatch console. **General queries** Find the 25 most recently added log events. ``` fields @timestamp, @message | sort @timestamp desc | limit 25 | filter eventSource = "cognito-idp.amazonaws.com" ``` Get a list of the 25 most recently added log events that include exceptions. ``` fields @timestamp, @message | sort @timestamp desc | limit 25 | filter eventSource = "cognito-idp.amazonaws.com" and @message like /Exception/ ``` **Exception and Error Queries** Find the 25 most recently added log events with error code `NotAuthorizedException` along with Amazon Cognito user pool `sub`. ``` fields @timestamp, additionalEventData.sub as user | sort @timestamp desc | limit 25 | filter eventSource = "cognito-idp.amazonaws.com" and errorCode= "NotAuthorizedException" ``` Find the number of records with `sourceIPAddress` and corresponding `eventName`. ``` filter eventSource = "cognito-idp.amazonaws.com" | stats count(*) by sourceIPAddress, eventName ``` Find the top 25 IP addresses that triggered a `NotAuthorizedException` error. ``` filter eventSource = "cognito-idp.amazonaws.com" and errorCode= "NotAuthorizedException" | stats count(*) as count by sourceIPAddress, eventName | sort count desc | limit 25 ``` Find the top 25 IP addresses that called the `ForgotPassword` API. ``` filter eventSource = "cognito-idp.amazonaws.com" and eventName = 'ForgotPassword' | stats count(*) as count by sourceIPAddress | sort count desc | limit 25 ``` # Example Amazon Cognito events Example events Amazon Cognito logs information to AWS CloudTrail about user authentication activity and administrative management activity. This applies to both user pools and identity pools. For example, you can see `GetId` and `UpdateIdentityPool` events in the same trail, or `UpdateAuthEventFeedback` and `SetRiskConfiguration` events. You'll also see user pool logs for hosted UI activity that doesn't correspond to operations in the user pools API. This section has some examples of logs you might see. To understand the CloudTrail event schema for any operation, generate a request for that operation and review the events that it creates in your trail. A trail can deliver events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so they do not appear in any specific order. **Topics** + [ ## Example CloudTrail events for a hosted UI sign-up ](#cognito-cloudtrail-events-federated-sign-up) + [ ## Example CloudTrail event for a SAML request ](#cognito-cloudtrail-event-saml-post) + [ ## Example CloudTrail events for requests to the token endpoint ](#cognito-cloudtrail-events-token-endpoint-requests) + [ ## Example CloudTrail event for CreateIdentityPool ](#cognito-cloudtrail-events-createidentitypool) + [ ## Example CloudTrail event for GetCredentialsForIdentity ](#cognito-cloudtrail-events-getcredentialsforidentity) + [ ## Example CloudTrail event for GetId ](#cognito-cloudtrail-events-getid) + [ ## Example CloudTrail event for GetOpenIdToken ](#cognito-cloudtrail-events-getopenidtoken) + [ ## Example CloudTrail event for GetOpenIdTokenForDeveloperIdentity ](#cognito-cloudtrail-events-getopenidtokenfordeveloperidentity) + [ ## Example CloudTrail event for UnlinkIdentity ](#cognito-cloudtrail-events-unlinkidentity) ## Example CloudTrail events for a hosted UI sign-up The following example CloudTrail events demonstrate the information that Amazon Cognito logs when a user signs up through the hosted UI. Amazon Cognito logs the following event when a new user navigates to the sign-in page for your app. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-04-06T05:38:12Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Login_GET", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "errorCode": "", "errorMessage": "", "additionalEventData": { "responseParameters": { "status": 200.0 }, "requestParameters": { "redirect_uri": [ "https://www.amazon.com" ], "response_type": [ "token" ], "client_id": [ "1example23456789" ] } }, "eventID": "382ae09a-151d-4116-8f2b-6ac0a804a38c", "readOnly": true, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` Amazon Cognito logs the following event when a new user chooses **Sign up** from the sign-in page for your app. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:21:43Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Signup_GET", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "response_type": [ "code" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "7a63e7c2-b057-4f3d-a171-9d9113264fff", "eventID": "5e7b27a0-6870-4226-adb4-f86cd51ac5d8", "readOnly": true, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` Amazon Cognito logs the following event when a new user chooses a username, enters an email address, and chooses a password from the sign-in page for your app. Amazon Cognito doesn't log identifying information about the user's identity to CloudTrail. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:22:05Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Signup_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 302 }, "requestParameters": { "password": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "requiredAttributes[email]": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "response_type": [ "code" ], "_csrf": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ], "username": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "9ad58dd8-3517-4aa8-96a5-d17a01df9eb4", "eventID": "c75eb7a5-eb8c-43d1-8331-f4412e756e69", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` Amazon Cognito logs the following event when a new user accesses the user confirmation page in the hosted UI after they sign up. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:22:06Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Confirm_GET", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "response_type": [ "code" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "58a5b170-3127-45bb-88cc-3e652d779e0b", "eventID": "7f87291a-6d50-409a-822f-e3a5ec7e60da", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` Amazon Cognito logs the following event when, in the user confirmation page in the hosted UI, a user enters a code that Amazon Cognito sent them in an email message. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:23:32Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Confirm_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 302 }, "requestParameters": { "confirm": [ "" ], "deliveryMedium": [ "EMAIL" ], "sub": [ "704b1e47-34fe-40e9-8c41-504997494531" ], "code": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "destination": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "response_type": [ "code" ], "_csrf": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "cognitoAsfData": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ], "username": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "9764300a-ed35-4f87-8a0f-b18b3fe2b11e", "eventID": "e24ac6e5-2f70-4c6e-ad4e-2f08a547bb36", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` ## Example CloudTrail event for a SAML request Amazon Cognito logs the following event when a user who has authenticated with your SAML IdP submits the SAML assertion to your `/saml2/idpresponse` endpoint. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-06T00:50:57Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "SAML2Response_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 302 }, "requestParameters": { "RelayState": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "SAMLResponse": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "4f6f15d1-c370-4a57-87f0-aac4817803f7", "eventID": "9824b50f-d9d1-4fb8-a2c1-6aa78ca5902a", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "625647942648", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` ## Example CloudTrail events for requests to the token endpoint Example CloudTrail events for requests to the token endpoint The following are example events from requests to the [Token endpoint](token-endpoint.md). Amazon Cognito logs the following event when a user who has authenticated and received an authorization code submits the code to your `/oauth2/token` endpoint. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-12T22:12:30Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Token_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "code": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "grant_type": [ "authorization_code" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "f257f752-cc14-4c52-ad5b-152a46915238", "eventID": "0bd1586d-cd3e-4d7a-abaf-fd8bfc3912fd", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` Amazon Cognito logs the following event when your backend system submits a `client_credentials` request for an access token to your `/oauth2/token` endpoint. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-12T21:07:05Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Token_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "grant_type": [ "client_credentials" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "4f871256-6825-488a-871b-c2d9f55caff2", "eventID": "473e5cbc-a5b3-4578-9ad6-3dfdcb8a6d34", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` Amazon Cognito logs the following event when your app exchanges a refresh token for a new ID and access token with your `/oauth2/token` endpoint. ``` { "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-12T22:16:40Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Token_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "refresh_token": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "grant_type": [ "refresh_token" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.auth.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_EXAMPLE" }, "requestID": "2829f0c6-a3a9-4584-b046-11756dfe8a81", "eventID": "12bd3464-59c7-44fa-b8ff-67e1cf092018", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" } ``` ## Example CloudTrail event for CreateIdentityPool The following example is a log entry for a request for the `CreateIdentityPool` action. The request was made by an IAM user named Alice. ``` { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "['EXAMPLE_KEY_ID']", "userName": "Alice" }, "eventTime": "2016-01-07T02:04:30Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "CreateIdentityPool", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "USER_AGENT", "requestParameters": { "identityPoolName": "TestPool", "allowUnauthenticatedIdentities": true, "supportedLoginProviders": { "graph.facebook.com": "000000000000000" } }, "responseElements": { "identityPoolName": "TestPool", "identityPoolId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE", "allowUnauthenticatedIdentities": true, "supportedLoginProviders": { "graph.facebook.com": "000000000000000" } }, "requestID": "15cc73a1-0780-460c-91e8-e12ef034e116", "eventID": "f1d47f93-c708-495b-bff1-cb935a6064b2", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" } ``` ## Example CloudTrail event for GetCredentialsForIdentity The following example is a log entry for a request for the `GetCredentialsForIdentity` action. ``` { "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetCredentialsForIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-credentials-for-identity", "requestParameters": { "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "responseElements": { "credentials": { "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionToken": "aAaAaAaAaAaAab1111111111EXAMPLE", "expiration": "Jan 19, 2023 5:55:08 PM" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "659dfc23-7c4e-4e7c-858a-1abce884d645", "eventID": "6ad1c766-5a41-4b28-b5ca-e223ccb00f0d", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" } ``` ## Example CloudTrail event for GetId The following example is a log entry for a request for the `GetId` action. ``` { "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:05Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetId", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-id", "requestParameters": { "identityPoolId": "us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE", "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" } }, "responseElements": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "dc28def9-07c8-460a-a8f3-3816229e6664", "eventID": "c5c459d9-40ec-41fd-8f6b-57865d5a9975", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" } ``` ## Example CloudTrail event for GetOpenIdToken The following example is a log entry for a request for the `GetOpenIdToken` action. ``` { "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetOpenIdToken", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-open-id-token", "requestParameters": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE", "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" } }, "responseElements": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "a506ba18-10d7-4fdb-9548-a8187b2e38bb", "eventID": "19ffc1a6-6ed8-4580-a4e1-3062c5ce6457", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" } ``` ## Example CloudTrail event for GetOpenIdTokenForDeveloperIdentity The following example is a log entry for a request for the `GetOpenIdTokenForDeveloperIdentity` action. ``` { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROA1EXAMPLE:johns-AssumedRoleSession", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/johns-AssumedRoleSession", "accountId": "111122223333", "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA1EXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "attributes": { "creationDate": "2023-01-19T16:53:14Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetOpenIdTokenForDeveloperIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "27.0.3.154", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-open-id-token-for-developer-identity", "requestParameters": { "tokenDuration": 900, "identityPoolId": "us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE", "logins": { "JohnsDeveloperProvider": "HIDDEN_DUE_TO_SECURITY_REASONS" } }, "responseElements": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "b807df87-57e7-4dd6-b90c-b06f46a61c21", "eventID": "f26fed91-3340-4d70-91ae-cdf555547b76", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" } ``` ## Example CloudTrail event for UnlinkIdentity The following example is a log entry for a request for the `UnlinkIdentity` action. ``` { "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "UnlinkIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.unlink-identity", "requestParameters": { "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE", "loginsToRemove": ["cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa"] }, "responseElements": null, "requestID": "99c2c8e2-9c29-416f-bb17-b650a5cbada9", "eventID": "d8e26126-202a-43c2-b458-3f225efaedc7", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" } ```