AWS SSO federated login messages in CloudTrail

John Wheeler
7 min read · Jun 26, 2024

It’s in CloudTrail …

That is the common refrain in what I read, but I found few examples of how to actually locate federated login information in AWS CloudTrail. I’ll walk through a sample login and the corresponding CloudTrail log events. I’m working in an AWS organization for multi-account management, with AWS Control Tower for security, policy, and governance. Control Tower requires AWS IAM Identity Center, and I’ve configured Identity Center to federate logins to my IdP (Auth0).

Cloudtrail Logs

As part of an AWS org with AWS Control Tower installed we are using an organizational trail with logs stored in a separate log archive account.

CloudTrail logs configuration in the management account.

In addition to storing the CloudTrail logs in the log archive account, in line with the AWS Well-Architected Framework, Control Tower also sends the logs to CloudWatch Logs. This is handy for quick analysis and forensics. We’ll use this log group to analyze the federated user login.

CloudWatch Logs Insights Query

fields @timestamp, eventName,eventSource, eventTime, sourceIPAddress, recipientAccountId…
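As an added example that is not part of the original post, the same field projection the Logs Insights query makes, applied offline in Python to a constructed CloudTrail export; it assumes Identity Center login events are filtered on the `sso.amazonaws.com` event source, and the account IDs, IPs, user name and event names in the sample are made up.

```python
import json
from datetime import datetime, timezone

# Constructed sample in CloudTrail's {"Records": [...]} export shape.
# Account IDs, IPs, the user and the event names are illustrative only.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-26T14:02:11Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Federate", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Unknown", "userName": "jane@example.com"}},
    {"eventTime": "2024-06-26T14:02:13Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Unknown", "userName": "jane@example.com"}},
    {"eventTime": "2024-06-26T14:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole"}},
]})

# Same columns the Logs Insights "fields ..." clause selects.
FIELDS = ("eventName", "eventSource", "eventTime",
          "sourceIPAddress", "recipientAccountId")


def parse_time(value):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def federated_login_events(log_text, event_source="sso.amazonaws.com", since=None):
    """Return the projected fields of every record from the given event source,
    optionally restricted to events at or after `since`, ordered by eventTime."""
    records = json.loads(log_text).get("Records", [])
    hits = []
    for rec in records:
        if rec.get("eventSource") != event_source:
            continue
        if since is not None and parse_time(rec["eventTime"]) < since:
            continue
        row = {k: rec.get(k) for k in FIELDS}
        # Keep the federated user name alongside the projected columns.
        row["userName"] = rec.get("userIdentity", {}).get("userName")
        hits.append(row)
    return sorted(hits, key=lambda r: r["eventTime"])


if __name__ == "__main__":
    for row in federated_login_events(SAMPLE_LOG):
        print(row)
```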
