AWS SSO federated login messages in CloudTrail
“It’s in CloudTrail …” is the common refrain from what I read, but I found few examples of how to locate federated login information in AWS CloudTrail. I’ll go through a sample login and the corresponding CloudTrail log events. I’m working in an AWS organization for multi-account management, with AWS Control Tower for security, policy, and governance. Control Tower requires AWS IAM Identity Center, and I’ve configured Identity Center to federate logins to my IdP (Auth0).
CloudTrail Logs
As part of an AWS org with AWS Control Tower installed, we are using an organizational trail with logs stored in a separate log archive account.
In addition to storing the CloudTrail logs in the log archive account, in line with the AWS Well-Architected Framework, Control Tower also sends the logs to CloudWatch Logs. This is handy for quick analysis and forensics. We’ll use this log group to analyze the federated user login.
CloudWatch Logs Insights Query
fields @timestamp, eventName,eventSource, eventTime, sourceIPAddress, recipientAccountId…
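The same projection as the Logs Insights query above, applied offline to CloudTrail records in the one-JSON-document-per-line form CloudWatch Logs receives them in. This is an added example, not code from the original post; the sample records are constructed, and the assumption that a federated Identity Center login shows up in the member account as an STS `AssumeRoleWithSAML` event is mine, so adjust `FEDERATION_EVENTS` to whatever your own trail shows.

```python
import json

# Constructed sample of CloudTrail records as delivered to CloudWatch Logs
# (one JSON document per line). All values are made up for illustration;
# the keys match the fields selected in the Logs Insights query above.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-10T14:02:11Z", "eventSource": "sts.amazonaws.com",
                "eventName": "AssumeRoleWithSAML", "sourceIPAddress": "203.0.113.10",
                "recipientAccountId": "111111111111",
                "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"}}),
    json.dumps({"eventTime": "2024-01-10T14:05:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
                "recipientAccountId": "111111111111",
                "userIdentity": {"type": "AssumedRole"}}),
    "{not valid json",  # constructed malformed line to show it is skipped, not fatal
]

# Assumption (not stated on the page): the federated login lands in the member
# account as an STS AssumeRoleWithSAML call. Extend this set as your trail dictates.
FEDERATION_EVENTS = {("sts.amazonaws.com", "AssumeRoleWithSAML")}

# The fields the Logs Insights query selects (minus @timestamp, which CloudWatch adds).
PROJECTED_FIELDS = ("eventName", "eventSource", "eventTime",
                    "sourceIPAddress", "recipientAccountId")


def project(record):
    """Mimic the query's 'fields ...' clause: keep only the selected keys."""
    return {key: record.get(key) for key in PROJECTED_FIELDS}


def federated_logins(lines, events=FEDERATION_EVENTS):
    """Parse one JSON record per line and return the projected federation events.

    Malformed lines are skipped so one bad record does not abort a forensic scan.
    """
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if (record.get("eventSource"), record.get("eventName")) in events:
            hits.append(project(record))
    return hits


if __name__ == "__main__":
    for hit in federated_logins(SAMPLE_LOG_LINES):
        print(hit)
```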