  "responseElements": {
    "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "tokenType": "Bearer",
    "expiresIn": 28800,
    "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "eventID": "09a6e1a9-50e5-45c0-9f08-e6ef5089b262",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "recipientAccountId": "08966example"
}
Understanding AWS SSO sign-in events
AWS CloudTrail logs successful and unsuccessful sign-in events for all AWS Single Sign-On identity sources. Identities sourced from the native AWS SSO identity store or from Active Directory (AD Connector and AWS Managed Microsoft AD) also produce an additional sign-in event each time the user is prompted to solve a specific credential challenge or factor, together with an event that records the result of that credential verification. Only after the user has completed every required credential challenge is the user signed in, which is recorded as a UserAuthentication event; an attempt that stops at a failed challenge never produces a UserAuthentication event. Every event belonging to one sign-in attempt carries the same AuthWorkflowID in additionalEventData, so that value is the key to join on when reconstructing the sequence from the trail.
The following table captures each of the AWS SSO sign-in CloudTrail event names, their purpose, and applicability to different identity sources.

Event name: CredentialChallenge
Event purpose: Used to notify that AWS SSO has requested the user to solve a specific credential challenge and
Identity source applicability: native AWS SSO identity store, AD Connector, AWS Managed Microsoft AD

Event name: CredentialVerification
Event purpose: Used to notify that the user has attempted to solve a specific
Identity source applicability: native AWS SSO identity store, AD Connector, AWS Managed Microsoft AD

Event name: UserAuthentication
Event purpose: Used to notify that all authentication requirements
Identity source applicability: all identity sources (native AWS SSO identity store, AD Connector, AWS Managed Microsoft AD, external identity providers)
The following table captures additional useful event data fields contained within specific sign-in CloudTrail events.

Field name: DeviceEnrollmentRequired
Purpose: Used to specify that the user was required to
Sign-in event applicability: UserAuthentication
Example values: true
Example events for AWS SSO sign-in scenarios
The following examples show the expected sequence of CloudTrail events for each sign-in scenario. The records are abridged: fields common to every CloudTrail record (eventTime, eventSource, eventName, awsRegion, sourceIPAddress, requestID, eventID) appear in only some of them, and some values are redacted. The Success or Failure verdict for each event is carried in serviceEventDetails under the event's own name.
Topics
• Successful sign-in when authenticating with only a password
• Successful sign-in when authenticating with an external identity provider
• Successful sign-in when authenticating with a password and a TOTP authenticator app
• Successful sign-in when authenticating with a password and forced MFA registration is required
• Failed sign-in when authenticating with only a password
Successful sign-in when authenticating with only a password
The following sequence of events captures an example of a successful password-only sign-in.
CredentialChallenge (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialChallenge":"Success"
  }
}
Successful CredentialVerification (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "eventTime":"2020-12-07T20:34:09Z",
  "eventSource":"signin.amazonaws.com",
  "eventName":"CredentialVerification",
  "awsRegion":"us-east-1",
  "sourceIPAddress":"203.0.113.0",
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialVerification":"Success"
  }
}
Successful UserAuthentication (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
    "LoginTo":"https://d-1234567890.awsapps.com/start/?state=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%3D&auth_code=11OawSqh1qmg4ePRn3DGfmBkWhJ5kYC4t6eFTprUDe8A_h_E75G3iwMNuAvLOs73v5vOaP_xA_PYJikGpt9UJ8kX92vRBCZPubpGegAoz__1fHKwL207gI6MVYEQvMKb2xfMf4qCKedRe0i-BshlIc5OBAA6ftz73M6LsfLWDlfOxviO2K3wet946lC30f_iWdilx-zv__4pSHf7mcUIs&wdc_csrf_token=srAzW1jK4GPYYoR452ruZ38DxEsDY9x81q1tVRSnno5pUjISvP7TqziOLiBLBUSxEjOmQk2XoLlcYolXjOMdiaBoVVBL482Q6iShpDgQcm271KWlODotVsoVADe1tixLr694N70foOPUAuIdi6RxxBSteidgAU7SBZDdfAxeJdqTg45kc4XpnCTKlQiIsrdFShisDnocFsj6EQRDTtEggww2MCXuJBByhpCfUIwg14znJwpR4F9wBw76xyTBBQOv&organization=d-9067230c03&region=us-east-1",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "UserAuthentication":"Success"
  }
}
Successful sign-in when authenticating with an external identity provider
The following sequence of events captures an example of a successful sign-in when authenticated through the SAML protocol using an external identity provider.
Successful UserAuthentication (External Identity Provider)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"9de74b32-8362-4a01-a524-de21df59fd83",
    "LoginTo":"https://d-1234567890.awsapps.com/start/?state=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%3D&auth_code=11OawSqh1qmg4ePRn3DGfmBkWhJ5kYC4t6eFTprUDe8A_h_E75G3iwMNuAvLOs73v5vOaP_xA_PYJikGpt9UJ8kX92vRBCZPubpGegAoz__1fHKwL207gI6MVYEQvMKb2xfMf4qCKedRe0i-BshlIc5OBAA6ftz73M6LsfLWDlfOxviO2K3wet946lC30f_iWdilx-zv__4pSHf7mcUIs&wdc_csrf_token=srAzW1jK4GPYYoR452ruZ38DxEsDY9x81q1tVRSnno5pUjISvP7TqziOLiBLBUSxEjOmQk2XoLlcYolXjOMdiaBoVVBL482Q6iShpDgQcm271KWlODotVsoVADe1tixLr694N70foOPUAuIdi6RxxBSteidgAU7SBZDdfAxeJdqTg45kc4XpnCTKlQiIsrdFShisDnocFsj6EQRDTtEggww2MCXuJBByhpCfUIwg14znJwpR4F9wBw76xyTBBQOv&organization=d-9067230c03&region=us-east-1",
    "CredentialType":"EXTERNAL_IDP"
  },
  "serviceEventDetails":{
    "UserAuthentication":"Success"
  }
}
Successful sign-in when authenticating with a password and a TOTP authenticator app
The following sequence of events captures an example where multi-factor authentication was required during sign-in and the user successfully signed in using a password and a TOTP authenticator app.
CredentialChallenge (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialChallenge":"Success"
  }
}
Successful CredentialVerification (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialVerification":"Success"
  }
}
CredentialChallenge (TOTP)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
    "CredentialType":"TOTP"
  },
  "serviceEventDetails":{
    "CredentialChallenge":"Success"
  }
}
Successful CredentialVerification (TOTP)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
    "CredentialType":"TOTP"
  },
  "requestID":"c40a691f-eeb1-4352-b286-5e909f96f318",
  "eventID":"e889ff1d-fcaf-454f-805d-7132cf2362a4",
  "readOnly":false,
  "serviceEventDetails":{
    "CredentialVerification":"Success"
  }
}
Successful UserAuthentication (Password + TOTP)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"303486b5-fce1-4d59-ba1d-eb3acb790729",
    "LoginTo":"https://d-1234567890.awsapps.com/start/?state\u003dQVlBQmVLeFhWeDRmZFJmMmxHcWYwdzhZck5RQUlnQUJBQk5FWVhSaFVHeGhibVZUZEdGMFpWQmhjbUZ0QUFsUVpYSmxaM0pwYm1VQUFRQUhZWGR6TFd0dGN3QkxZWEp1T21GM2N6cHJiWE02ZFhNdFpXRnpkQzB4T2pjNE9ETTJNVFUxTWpnM056cHJaWGt2TjJOa056Um1PR1l0TnpNME5TMDBabUUxTFdFeU5Ea3RZV0kwTVRreE9UTmhOakkxQUxnQkFnRUFlTDJaOW85cm0xUHNKME05RjZtemdJSXczVU81a0trQy8yZktUWHNUbkx4b0FjT3lLZ2RQUFBTRzN6d2l0WmJOSFVRQUFBQitNSHdHQ1NxR1NJYjNEUUVIQnFCdk1HMENBUUF3YUFZSktvWklodmNOQVFjQk1CNEdDV0NHU0FGbEF3UUJMakFSQkF3aHFPL1ZoaFU4bmJFaEoxZ0NBUkNBTzJYZ0xpem12MlJoM3lnRGJaQ2dUcUZlbk5iWGN2ZWVzUjV6WmpLeXZUVnBwTjk2ZGVUZ3plcURod3hRMmNTR1pkTnBVd1RWWWFxbGp2akRBZ0FBQUFBTUFBQVFBQUFBQUFBQUFBQUFBQUFBQUxhZjZTVnRvMlFKWWt0Q0crWjd6NnIvLy8vL0FBQUFBUUFBQUFBQUFBQUFBQUFBQVFBQUFGUFhUR3dad0NheXAwUlZBQjJOelZsZnJ1aEdEOUNPeDNqMENBakdseU9DSWxFejlnZWRqcUZxUHZnUzIrN1ltZE84R1BvN21FQ0sybnBqdm13enozWEdBdnJFcVNzZ2RVQVBReXFpcS9oWTdFaUxhZHBYclhYZDlKeUkxZGJ4K3k3Wk80WT0%3D",
    "CredentialType":"PASSWORD,TOTP"
  },
  "serviceEventDetails":{
    "UserAuthentication":"Success"
  }
}
Successful sign-in when authenticating with a password and forced MFA registration is required
The following sequence of events captures an example of a successful password sign-in in which the user was required to register an MFA device, and did so successfully, before the sign-in completed. The only difference from the password-only sequence is the DeviceEnrollmentRequired field in the final UserAuthentication event.
CredentialChallenge (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"76d8a26d-ad9c-41a4-90c3-d607cdd7155c",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialChallenge":"Success"
  }
}
Successful CredentialVerification (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"76d8a26d-ad9c-41a4-90c3-d607cdd7155c",
    "CredentialType":"PASSWORD"
  },
  "recipientAccountId":"111122223333",
  "serviceEventDetails":{
    "CredentialVerification":"Success"
  }
}
Successful UserAuthentication (Password + MFA Registration Required)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"76d8a26d-ad9c-41a4-90c3-d607cdd7155c",
    "LoginTo":"https://d-1234567890.awsapps.com/start/?state\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%3D",
    "CredentialType":"PASSWORD",
    "DeviceEnrollmentRequired":"true"
  },
  "serviceEventDetails":{
    "UserAuthentication":"Success"
  }
}
Failed sign-in when authenticating with only a password
The following sequence of events captures an example of a failed password-only sign-in. The sequence ends at the failed CredentialVerification; no UserAuthentication event is logged for this AuthWorkflowID.
CredentialChallenge (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"adbf67c4-8188-4e2b-8527-fe539e328fa7",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialChallenge":"Success"
  }
}
Failed CredentialVerification (Password)
{
  "eventVersion":"1.08",
  "userIdentity":{
    "type":"Unknown",
    "principalId":"111122223333",
    "arn":"",
    "accountId":"111122223333",
    "accessKeyId":"",
    "userName":"user1"
  },
  "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
  "requestParameters":null,
  "responseElements":null,
  "additionalEventData":{
    "AuthWorkflowID":"adbf67c4-8188-4e2b-8527-fe539e328fa7",
    "CredentialType":"PASSWORD"
  },
  "serviceEventDetails":{
    "CredentialVerification":"Failure"
  }
}
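The sequences in this section are easiest to audit when the events of one attempt are joined on AuthWorkflowID, the field every record of a sequence shares. The following Python is an added example and is not code from the AWS documentation: it groups constructed sign-in records (laid out like the documented ones, with the verdict in serviceEventDetails, but with made-up workflow IDs, timestamps and addresses) by AuthWorkflowID, classifies each attempt as signed in, failed or incomplete, records which factors were verified, and flags single-factor sign-ins, forced MFA registration and repeated failures from one address. The `_ev` builder, the `wf-*` identifiers, the `user2`/`user3` names and the failure threshold are assumptions of the example.

```python
"""Reconstruct AWS SSO sign-in attempts from CloudTrail sign-in events.
Added example, not AWS documentation code; the sample log is constructed.
Records are joined on additionalEventData.AuthWorkflowID.
"""
import itertools
from collections import Counter, defaultdict

SIGNIN_SOURCE = "signin.amazonaws.com"
_clock = itertools.count()   # gives the constructed records increasing eventTime values


def _ev(name, wf, cred, status, user="user1", ip="203.0.113.0", **extra):
    """Constructed sign-in record in the documented layout (abridged; IDs are made up)."""
    return {
        "eventTime": f"2020-12-07T20:34:{next(_clock):02d}Z",
        "eventSource": SIGNIN_SOURCE,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "Unknown", "userName": user},
        "additionalEventData": {"AuthWorkflowID": wf, "CredentialType": cred, **extra},
        "serviceEventDetails": {name: status},   # Success/Failure verdict lives here
    }


# Constructed sample log mirroring the documented scenarios.
SAMPLE_EVENTS = [
    _ev("CredentialChallenge", "wf-1", "PASSWORD", "Success"),        # wf-1: password + TOTP
    _ev("CredentialVerification", "wf-1", "PASSWORD", "Success"),
    _ev("CredentialChallenge", "wf-1", "TOTP", "Success"),
    _ev("CredentialVerification", "wf-1", "TOTP", "Success"),
    _ev("UserAuthentication", "wf-1", "PASSWORD,TOTP", "Success"),
    _ev("CredentialChallenge", "wf-2", "PASSWORD", "Success", user="user2"),   # wf-2: forced MFA enrollment
    _ev("CredentialVerification", "wf-2", "PASSWORD", "Success", user="user2"),
    _ev("UserAuthentication", "wf-2", "PASSWORD", "Success", user="user2",
        DeviceEnrollmentRequired="true"),
    _ev("UserAuthentication", "wf-3", "EXTERNAL_IDP", "Success", user="user3"),  # wf-3: external IdP
    _ev("CredentialChallenge", "wf-4", "PASSWORD", "Success", ip="198.51.100.7"),  # wf-4/5: failures
    _ev("CredentialVerification", "wf-4", "PASSWORD", "Failure", ip="198.51.100.7"),
    _ev("CredentialChallenge", "wf-5", "PASSWORD", "Success", ip="198.51.100.7"),
    _ev("CredentialVerification", "wf-5", "PASSWORD", "Failure", ip="198.51.100.7"),
]


def group_by_workflow(records):
    """{AuthWorkflowID: [events in eventTime order]}, sign-in events only."""
    flows = defaultdict(list)
    for r in records:
        if r.get("eventSource") != SIGNIN_SOURCE:
            continue
        wf = r.get("additionalEventData", {}).get("AuthWorkflowID")
        if wf:
            flows[wf].append(r)
    for evs in flows.values():
        evs.sort(key=lambda r: r["eventTime"])
    return flows


def summarize(events):
    """Classify one attempt from its ordered challenge/verification/authentication events."""
    verified, failed, final = [], [], None
    for r in events:
        name = r["eventName"]
        status = r.get("serviceEventDetails", {}).get(name)
        cred = r["additionalEventData"].get("CredentialType")
        if name == "CredentialVerification":
            (verified if status == "Success" else failed).append(cred)
        elif name == "UserAuthentication" and status == "Success":
            final = r
    # No UserAuthentication event means the user never completed sign-in.
    outcome = "signed_in" if final else ("failed" if failed else "incomplete")
    factors = final["additionalEventData"]["CredentialType"].split(",") if final else []
    return {
        "user": events[0]["userIdentity"].get("userName"),
        "source_ip": events[0].get("sourceIPAddress"),
        "outcome": outcome,
        "factors": factors,
        "verified": verified,
        "failed": failed,
        "mfa": len(factors) > 1,
        "external_idp": factors == ["EXTERNAL_IDP"],   # factors enforced by the IdP, not visible here
        "device_enrollment_required": bool(final) and
            final["additionalEventData"].get("DeviceEnrollmentRequired") == "true",
    }


def classify(records):
    return {wf: summarize(evs) for wf, evs in group_by_workflow(records).items()}


def findings(summaries, failure_threshold=2):
    """Single-factor sign-ins, forced MFA enrollment, repeated failures per source address."""
    out = []
    for wf, s in summaries.items():
        if s["outcome"] == "signed_in" and not s["mfa"] and not s["external_idp"]:
            out.append(f"{wf}: {s['user']} signed in with a single factor ({s['factors'][0]})")
        if s["device_enrollment_required"]:
            out.append(f"{wf}: {s['user']} was required to register an MFA device")
    fails = Counter(s["source_ip"] for s in summaries.values() if s["outcome"] == "failed")
    out += [f"{ip}: {n} failed sign-in attempts" for ip, n in fails.items() if n >= failure_threshold]
    return out


if __name__ == "__main__":
    summaries = classify(SAMPLE_EVENTS)
    for wf, s in summaries.items():
        print(wf, s["user"], s["outcome"], s["factors"])
    for line in findings(summaries):
        print("FINDING", line)
```

Two design points follow from the documented sequences. The verdict is read from serviceEventDetails under the event's own name rather than from a fixed key, because each event type reports its status under a different field. An external identity provider sign-in is deliberately not reported as single-factor: the only event AWS SSO logs for it is UserAuthentication with CredentialType EXTERNAL_IDP, so whether MFA was enforced has to be checked in the identity provider's own logs.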