{
	"id": "3f9d2948-d3bf-4594-b408-9bc2849945fc",
	"created_at": "2026-04-06T00:19:50.620197Z",
	"updated_at": "2026-04-10T03:20:47.956637Z",
	"deleted_at": null,
	"sha1_hash": "75c28883060cd26c42825bedb6d9204abf4bdd67",
	"title": "AWS Management Console sign-in events",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131795,
	"plain_text": "AWS Management Console sign-in events\r\nArchived: 2026-04-05 21:13:59 UTC\r\nCloudTrail logs attempts to sign in to the AWS Management Console, the AWS Discussion Forums, and the AWS\r\nSupport Center. All IAM user and root user sign-in events, as well as all federated user sign-in events, generate\r\nrecords in CloudTrail log files. For information about finding and viewing logs, see Finding your CloudTrail log\r\nfiles and Downloading your CloudTrail log files.\r\nYou can use AWS User Notifications to set up delivery channels to get notified about AWS CloudTrail events. You\r\nreceive a notification when an event matches a rule that you specify. You can receive notifications for events\r\nthrough multiple channels, including email, Amazon Q Developer in chat applications chat notifications, or AWS\r\nConsole Mobile Application push notifications. You can also see notifications in the Console Notifications Center.\r\nUser Notifications supports aggregation, which can reduce the number of notifications you receive during specific\r\nevents.\r\nNote\r\nThe Region recorded in a ConsoleLogin event varies based on the user type and whether you use a global or\r\nregional endpoint to sign in.\r\nIf you sign in as the root user, CloudTrail records the event in us-east-1.\r\nIf you sign in with an IAM user and use the global endpoint, CloudTrail records the Region of the\r\nConsoleLogin event as follows:\r\nIf an account alias cookie is present in the browser, CloudTrail records the ConsoleLogin event in\r\none of the following regions: us-east-2, eu-north-1, or ap-southeast-2. This is because the console\r\nproxy redirects the user based on the latency from the user sign-in location.\r\nIf an account alias cookie is not present in the browser, CloudTrail records the ConsoleLogin event\r\nin us-east-1. This is because the console proxy redirects back to the global sign-in.\r\nIf you sign in with an IAM user and use a Regional endpoint, CloudTrail records the ConsoleLogin event\r\nin the appropriate Region for the endpoint. For more information about AWS Sign-In endpoints, see AWS\r\nSign-In endpoints and quotas.\r\nTopics\r\nExample event records for IAM users\r\nExample event records for root users\r\nExample event records for federated users\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 1 of 14\n\nExample event records for IAM users\r\nThe following examples show event records for several IAM user sign-in scenarios.\r\nTopics\r\nIAM user, successful sign-in without MFA\r\nIAM user, successful sign-in with MFA\r\nIAM user, unsuccessful sign-in\r\nIAM user, sign-in process checks for MFA (single MFA device type)\r\nIAM user, sign-in process checks for MFA (multiple MFA device types)\r\nIAM user, successful sign-in without MFA\r\nThe following record shows that a user named Anaya successfully signed in to the AWS Management Console\r\nwithout using multi-factor authentication (MFA).\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"EXAMPLE6E4XEGITWATV6R\",\r\n \"arn\": \"arn:aws:iam::999999999999:user/Anaya\",\r\n \"accountId\": \"999999999999\",\r\n \"userName\": \"Anaya\"\r\n },\r\n \"eventTime\": \"2023-07-19T21:44:40Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://console.aws.amazon.com/console/home?hashArgs=%23\u0026isauthcode=true\u0026state=hashArgsFromT\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": \"e1bf1000-86a4-4a78-81d7-EXAMPLE83102\",\r\n \"readOnly\": false,\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 2 of 14\n\n\"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"999999999999\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n }\r\n}\r\nIAM user, successful sign-in with MFA\r\nThe following record shows that an IAM user named Anaya successfully signed in to the AWS Management\r\nConsole using multi-factor authentication (MFA).\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"EXAMPLE6E4XEGITWATV6R\",\r\n \"arn\": \"arn:aws:iam::999999999999:user/Anaya\",\r\n \"accountId\": \"999999999999\",\r\n \"userName\": \"Anaya\"\r\n },\r\n \"eventTime\": \"2023-07-19T22:01:30Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://console.aws.amazon.com/console/home?hashArgs=%23\u0026isauthcode=true\u0026state=hashArgsFromT\r\n \"MobileVersion\": \"No\",\r\n \"MFAIdentifier\": \"arn:aws:iam::999999999999:mfa/mfa-device\",\r\n \"MFAUsed\": \"Yes\"\r\n },\r\n \"eventID\": \"e1f76697-5beb-46e8-9cfc-EXAMPLEbde31\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"999999999999\",\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 3 of 14\n\n\"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n }\r\n}\r\nIAM user, unsuccessful sign-in\r\nThe following record shows an unsuccessful sign-in attempt from an IAM user named Paulo .\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"EXAMPLE6E4XEGITWATV6R\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"\",\r\n \"userName\": \"Paulo\"\r\n },\r\n \"eventTime\": \"2023-07-19T22:01:20Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\",\r\n \"errorMessage\": \"Failed authentication\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Failure\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://console.aws.amazon.com/console/home?hashArgs=%23\u0026isauthcode=true\u0026state=hashArgsFromT\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"Yes\"\r\n },\r\n \"eventID\": \"66c97220-2b7d-43b6-a7a0-EXAMPLEbae9c\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"123456789012\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 4 of 14\n\n\"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n }\r\n}\r\nIAM user, sign-in process checks for MFA (single MFA device type)\r\nThe following shows that the sign-process checked whether multi-factor authentication (MFA) is required for an\r\nIAM user during sign-in. In this example, the mfaType value is U2F MFA , which indicates that the IAM user\r\nenabled either a single MFA device or multiple MFA devices of the same type ( U2F MFA ).\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"EXAMPLE6E4XEGITWATV6R\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"\",\r\n \"userName\": \"Alice\"\r\n },\r\n \"eventTime\": \"2023-07-19T22:01:26Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"CheckMfa\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"CheckMfa\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"MfaType\": \"Virtual MFA\"\r\n },\r\n \"eventID\": \"7d8a0746-b2e7-44f5-9917-EXAMPLEfb77c\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"123456789012\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n }\r\n}\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 5 of 14\n\nIAM user, sign-in process checks for MFA (multiple MFA device types)\r\nThe following shows that the sign-process checked whether multi-factor authentication (MFA) is required for an\r\nIAM user during sign-in. In this example, the mfaType value is Multiple MFA Devices , which indicates that the\r\nIAM user enabled multiple MFA device types.\r\n {\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"EXAMPLE6E4XEGITWATV6R\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"\",\r\n \"userName\": \"Mary\"\r\n },\r\n \"eventTime\": \"2023-07-19T23:10:09Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"CheckMfa\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"CheckMfa\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"MfaType\": \"Multiple MFA Devices\"\r\n },\r\n \"eventID\": \"19bd1a1c-76b1-4806-9d8f-EXAMPLE02a96\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"123456789012\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"signin.aws.amazon.com\"\r\n }\r\n}\r\nExample event records for root users\r\nThe following examples show event records for several root user sign-in scenarios. When you sign-in using the\r\nroot user, CloudTrail records the ConsoleLogin event in us-east-1.\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 6 of 14\n\nTopics\r\nRoot user, successful sign-in without MFA\r\nRoot user, successful sign-in with MFA\r\nRoot user, unsuccessful sign-in\r\nRoot user, MFA changed\r\nRoot user, password changed\r\nRoot user, successful sign-in without MFA\r\nThe following shows a successful sign-in event for a root user not using multi-factor authentication (MFA).\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"111122223333\",\r\n \"arn\": \"arn:aws:iam::111122223333:root\",\r\n \"accountId\": \"111122223333\",\r\n \"accessKeyId\": \"\"\r\n },\r\n \"eventTime\": \"2023-07-12T13:35:31Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://console.aws.amazon.com/console/home?hashArgs=%23\u0026isauthcode=true\u0026nc2=h_ct\u0026src=header\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": \"4217cc13-7328-4820-a90c-EXAMPLE8002e6\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"111122223333\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 7 of 14\n\n\"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"signin.aws.amazon.com\"\r\n }\r\n}\r\nRoot user, successful sign-in with MFA\r\nThe following shows a successful sign-in event for a root user using multi-factor authentication (MFA).\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"444455556666\",\r\n \"arn\": \"arn:aws:iam::444455556666:root\",\r\n \"accountId\": \"444455556666\",\r\n \"accessKeyId\": \"\"\r\n },\r\n \"eventTime\": \"2023-07-13T03:04:43Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://ap-southeast-1.console.aws.amazon.com/ec2/home?region=ap-southeast-1\u0026state=hashArgs%\r\n \"MobileVersion\": \"No\",\r\n \"MFAIdentifier\": \"arn:aws:iam::444455556666:mfa/root-account-mfa-device\",\r\n \"MFAUsed\": \"Yes\"\r\n },\r\n \"eventID\": \"e0176723-ea76-4275-83a3-EXAMPLEf03fb\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"444455556666\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"signin.aws.amazon.com\"\r\n }\r\n}\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 8 of 14\n\nRoot user, unsuccessful sign-in\r\nThe following shows an unsuccessful sign-in event for a root user not using MFA.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"123456789012\",\r\n \"arn\": \"arn:aws:iam::123456789012:root\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"\"\r\n },\r\n \"eventTime\": \"2023-07-16T04:33:40Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.\r\n \"errorMessage\": \"Failed authentication\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Failure\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1\u0026state=hashArgs%23%2Fa\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": \"f28d4329-5050-480b-8de0-EXAMPLE07329\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"123456789012\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"signin.aws.amazon.com\"\r\n }\r\n}\r\nRoot user, MFA changed\r\nThe following shows an example event for a root user changing multi-factor authentication (MFA) settings.\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 9 of 14\n\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"111122223333\",\r\n \"arn\": \"arn:aws:iam::111122223333:root\",\r\n \"accountId\": \"111122223333\",\r\n \"accessKeyId\": \"EXAMPLE4XX3IEV4PFQTH\",\r\n \"userName\": \"AWS ROOT USER\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {},\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2023-07-15T03:51:12Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2023-07-15T04:37:08Z\",\r\n \"eventSource\": \"iam.amazonaws.com\",\r\n \"eventName\": \"EnableMFADevice\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.\r\n \"requestParameters\": {\r\n \"userName\": \"AWS ROOT USER\",\r\n \"serialNumber\": \"arn:aws:iam::111122223333:mfa/root-account-mfa-device\"\r\n },\r\n \"responseElements\": null,\r\n \"requestID\": \"9b45cd4c-a598-41e7-9170-EXAMPLE535f0\",\r\n \"eventID\": \"b4f18d55-d36f-49a0-afcb-EXAMPLEc026b\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"111122223333\",\r\n \"eventCategory\": \"Management\",\r\n \"sessionCredentialFromConsole\": \"true\"\r\n}\r\nRoot user, password changed\r\nThe following shows an example event for a root user changing their password.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 10 of 14\n\n\"type\": \"Root\",\r\n \"principalId\": \"444455556666\",\r\n \"arn\": \"arn:aws:iam::444455556666:root\",\r\n \"accountId\": \"444455556666\",\r\n \"accessKeyId\": \"EXAMPLEAOTKEG44KPW5P\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {},\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2022-11-25T13:01:14Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2022-11-25T13:01:14Z\",\r\n \"eventSource\": \"iam.amazonaws.com\",\r\n \"eventName\": \"ChangePassword\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.\r\n \"requestParameters\": null,\r\n \"responseElements\": null,\r\n \"requestID\": \"c64254c2-e4ff-49c0-900e-EXAMPLE9e6d2\",\r\n \"eventID\": \"d059176c-4f4d-4a9e-b8d7-EXAMPLE2b7b3\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"444455556666\",\r\n \"eventCategory\": \"Management\"\r\n}\r\nExample event records for federated users\r\nThe following examples show event records for federated users. Federated users are given temporary security\r\ncredentials to access AWS resources through an AssumeRole request.\r\nThe following shows an example event for a federation encryption request. The original access key ID is provided\r\nin the accessKeyId field of the userIdentity element. The accessKeyId field in the responseElements\r\ncontains a new access key ID if the requested sessionDuration is passed in the encryption request, otherwise it\r\ncontains the value of the original access key ID.\r\nNote\r\nIn this example, the mfaAuthenticated value is false and the MFAUsed value is No because the request was\r\nmade by a federated user. These fields will only be set to true if the request was made by an IAM user or root user\r\nusing MFA.\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 11 of 14\n\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"EXAMPLEUU4MH7OYK5ZCOA:JohnDoe\",\r\n \"arn\": \"arn:aws:sts::123456789012:assumed-role/roleName/JohnDoe\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \" originalAccessKeyID \",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"EXAMPLEUU4MH7OYK5ZCOA\",\r\n \"arn\": \"arn:aws:iam::123456789012:role/roleName\",\r\n \"accountId\": \"123456789012\",\r\n \"userName\": \"roleName\"\r\n },\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2023-09-25T21:30:39Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2023-09-25T21:30:39Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"GetSigninToken\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Java/1.8.0_382\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"accessKeyId\": \" accessKeyID \"\r\n },\r\n \"GetSigninToken\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": \"1d66615b-a417-40da-a38e-EXAMPLE8c89b\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"123456789012\",\r\n \"eventCategory\": \"Management\",\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 12 of 14\n\n\"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n }\r\n}\r\nThe following shows a successful sign-in event for a federated user; not using multi-factor authentication (MFA).\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"EXAMPLEPHCNW7ZCASLJOH:JohnDoe\",\r\n \"arn\": \"arn:aws:sts::123456789012:assumed-role/ RoleName /JohnDoe\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"AKIAIOSFODNN7EXAMPLE\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"EXAMPLEPHCNW7ZCASLJOH\",\r\n \"arn\": \"arn:aws:iam::123456789012:role/ RoleName \",\r\n \"accountId\": \"123456789012\",\r\n \"userName\": \" RoleName \"\r\n },\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2023-09-22T16:15:47Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2023-09-22T16:15:47Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"No\"\r\n },\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 13 of 14\n\n\"eventID\": \"b73f1ec6-c064-4cd3-ba83-EXAMPLE441d7\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsConsoleSignIn\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"123456789012\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n }\r\n}\r\nSource: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html"
	],
	"report_names": [
		"cloudtrail-event-reference-aws-console-sign-in-events.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75c28883060cd26c42825bedb6d9204abf4bdd67.pdf",
		"text": "https://archive.orkl.eu/75c28883060cd26c42825bedb6d9204abf4bdd67.txt",
		"img": "https://archive.orkl.eu/75c28883060cd26c42825bedb6d9204abf4bdd67.jpg"
	}
}