CloudTrail overview

A detailed description of CloudTrail is available in this post.

Sign-in events

Existing IAM User - Successful MFA Console Login

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAXY6RSLOFBLXXXXXXX",
        "arn": "arn:aws:iam::111111111111:user/user-name-1",
        "accountId": "111111111111",
        "userName": "user-name-1"
    },
    "eventTime": "2020-03-29T13:49:13Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.2.3.4",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "Yes"
    },
    "eventID": "45fadea2-caac-4bd4-859a-48a9762c66a5",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "111111111111"
}

Existing IAM User - Failed Console Login

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAXY6RSLOFBLXXXXXXX",
        "accountId": "111111111111",
        "accessKeyId": "",
        "userName": "user-name-1"
    },
    "eventTime": "2020-03-29T15:53:13Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.2.3.4",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
    "errorMessage": "Failed authentication",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "Yes"
    },
    "eventID": "ee74b50a-1272-4e87-907f-e6094bd00e84",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "111111111111"
}

Non-existing IAM User - Failed Console Login

When the supplied user name does not exist in the account, AWS replaces the username with HIDDEN_DUE_TO_SECURITY_REASONS.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "accountId": "111111111111",
        "accessKeyId": "",
        "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "eventTime": "2020-03-29T15:37:18Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.2.3.4",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
    "errorMessage": "No username found in supplied account",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "c053eda0-fda0-4bd2-b9e9-cc9517556f8a",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "111111111111"
}

Successful Console Login with STS tokens

A federation console link is generated from temporary STS tokens, so MFA is bypassed.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDAXY6RSLOFBLXXXXXXX:Session_AWS-CLI_1234",
        "arn": "arn:aws:sts::111111111111:assumed-role/user-name-2/Session_AWS-CLI_1234",
        "accountId": "111111111111",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-03-26T21:58:31Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAXY6RSLOFBLXXXXXXX",
                "arn": "arn:aws:iam::111111111111:role/user-name-2",
                "accountId": "111111111111",
                "userName": "user-name-2"
            }
        }
    },
    "eventTime": "2020-03-26T22:02:47Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.2.3.4",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "cb31c487-7527-4540-8b62-d2e294c5db83",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "111111111111"
}
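
The four event shapes above can be told apart from three fields: responseElements.ConsoleLogin, userIdentity (type and userName) and additionalEventData.MFAUsed. The following triage sketch is an added example, not code from the original post; the label strings and function names are hypothetical, and the sample records are constructed and trimmed from the events shown on this page.

```python
import json
from collections import Counter

# Constructed records, trimmed to the fields read below; values mirror the samples on this page.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "1.2.3.4",
  "userIdentity": {"type": "IAMUser", "userName": "user-name-1"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "1.2.3.4",
  "userIdentity": {"type": "IAMUser", "userName": "user-name-1"},
  "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "1.2.3.4",
  "userIdentity": {"type": "IAMUser", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
  "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "1.2.3.4",
  "userIdentity": {"type": "AssumedRole"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
]""")


def classify_console_login(event):
    """Label one CloudTrail record (hypothetical labels); None if it is not a console sign-in."""
    if (event.get("eventSource"), event.get("eventName")) != ("signin.amazonaws.com", "ConsoleLogin"):
        return None
    identity = event.get("userIdentity") or {}
    outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
    mfa_used = (event.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
    if outcome == "Failure":
        # AWS masks the name when the user does not exist in the account.
        if identity.get("userName") == "HIDDEN_DUE_TO_SECURITY_REASONS":
            return "failure_unknown_user"
        return "failure_known_user"
    if outcome != "Success":
        return "unrecognized"
    if identity.get("type") == "AssumedRole":
        # Console session opened from STS temporary credentials (federation link).
        return "success_federated_mfa" if mfa_used else "success_federated_no_mfa"
    return "success_mfa" if mfa_used else "success_no_mfa"


def summarize(events):
    """Count labels per source IP so repeated failures from one address stand out."""
    counts = Counter()
    for event in events:
        label = classify_console_login(event)
        if label is not None:
            counts[(event.get("sourceIPAddress"), label)] += 1
    return counts
```
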
