AWS Management Console sign-in events

Archived: 2026-04-05 21:13:59 UTC

CloudTrail logs attempts to sign in to the AWS Management Console, the AWS Discussion Forums, and the AWS Support Center. All IAM user and root user sign-in events, as well as all federated user sign-in events, generate records in CloudTrail log files. For information about finding and viewing logs, see Finding your CloudTrail log files and Downloading your CloudTrail log files.

You can use AWS User Notifications to set up delivery channels to get notified about AWS CloudTrail events. You receive a notification when an event matches a rule that you specify. You can receive notifications for events through multiple channels, including email, Amazon Q Developer in chat applications chat notifications, or AWS Console Mobile Application push notifications. You can also see notifications in the Console Notifications Center. User Notifications supports aggregation, which can reduce the number of notifications you receive during specific events.

Note

The Region recorded in a ConsoleLogin event varies based on the user type and whether you use a global or regional endpoint to sign in.

- If you sign in as the root user, CloudTrail records the event in us-east-1.
- If you sign in with an IAM user and use the global endpoint, CloudTrail records the Region of the ConsoleLogin event as follows:
  - If an account alias cookie is present in the browser, CloudTrail records the ConsoleLogin event in one of the following regions: us-east-2, eu-north-1, or ap-southeast-2. This is because the console proxy redirects the user based on the latency from the user sign-in location.
  - If an account alias cookie is not present in the browser, CloudTrail records the ConsoleLogin event in us-east-1. This is because the console proxy redirects back to the global sign-in.
- If you sign in with an IAM user and use a Regional endpoint, CloudTrail records the ConsoleLogin event in the appropriate Region for the endpoint.

For more information about AWS Sign-In endpoints, see AWS Sign-In endpoints and quotas.

Topics

- Example event records for IAM users
- Example event records for root users
- Example event records for federated users

Example event records for IAM users

The following examples show event records for several IAM user sign-in scenarios.

Topics

- IAM user, successful sign-in without MFA
- IAM user, successful sign-in with MFA
- IAM user, unsuccessful sign-in
- IAM user, sign-in process checks for MFA (single MFA device type)
- IAM user, sign-in process checks for MFA (multiple MFA device types)

IAM user, successful sign-in without MFA

The following record shows that a user named Anaya successfully signed in to the AWS Management Console without using multi-factor authentication (MFA).

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EXAMPLE6E4XEGITWATV6R",
            "arn": "arn:aws:iam::999999999999:user/Anaya",
            "accountId": "999999999999",
            "userName": "Anaya"
        },
        "eventTime": "2023-07-19T21:44:40Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Success"
        },
        "additionalEventData": {
            "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromT…",
            "MobileVersion": "No",
            "MFAUsed": "No"
        },
        "eventID": "e1bf1000-86a4-4a78-81d7-EXAMPLE83102",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "999999999999",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
        }
    }

IAM user, successful sign-in with MFA

The following record shows that an IAM user named Anaya successfully signed in to the AWS Management Console using multi-factor authentication (MFA).

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EXAMPLE6E4XEGITWATV6R",
            "arn": "arn:aws:iam::999999999999:user/Anaya",
            "accountId": "999999999999",
            "userName": "Anaya"
        },
        "eventTime": "2023-07-19T22:01:30Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Success"
        },
        "additionalEventData": {
            "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromT…",
            "MobileVersion": "No",
            "MFAIdentifier": "arn:aws:iam::999999999999:mfa/mfa-device",
            "MFAUsed": "Yes"
        },
        "eventID": "e1f76697-5beb-46e8-9cfc-EXAMPLEbde31",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "999999999999",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
        }
    }

IAM user, unsuccessful sign-in

The following record shows an unsuccessful sign-in attempt from an IAM user named Paulo.

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EXAMPLE6E4XEGITWATV6R",
            "accountId": "123456789012",
            "accessKeyId": "",
            "userName": "Paulo"
        },
        "eventTime": "2023-07-19T22:01:20Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "errorMessage": "Failed authentication",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Failure"
        },
        "additionalEventData": {
            "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromT…",
            "MobileVersion": "No",
            "MFAUsed": "Yes"
        },
        "eventID": "66c97220-2b7d-43b6-a7a0-EXAMPLEbae9c",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "123456789012",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
        }
    }

IAM user, sign-in process checks for MFA (single MFA device type)

The following shows that the sign-in process checked whether multi-factor authentication (MFA) is required for an IAM user during sign-in. In this example, the mfaType value is U2F MFA, which indicates that the IAM user enabled either a single MFA device or multiple MFA devices of the same type (U2F MFA).

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EXAMPLE6E4XEGITWATV6R",
            "accountId": "123456789012",
            "accessKeyId": "",
            "userName": "Alice"
        },
        "eventTime": "2023-07-19T22:01:26Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "CheckMfa",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "requestParameters": null,
        "responseElements": {
            "CheckMfa": "Success"
        },
        "additionalEventData": {
            "MfaType": "Virtual MFA"
        },
        "eventID": "7d8a0746-b2e7-44f5-9917-EXAMPLEfb77c",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "123456789012",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
        }
    }

IAM user, sign-in process checks for MFA (multiple MFA device types)

The following shows that the sign-in process checked whether multi-factor authentication (MFA) is required for an IAM user during sign-in. In this example, the mfaType value is Multiple MFA Devices, which indicates that the IAM user enabled multiple MFA device types.

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EXAMPLE6E4XEGITWATV6R",
            "accountId": "123456789012",
            "accessKeyId": "",
            "userName": "Mary"
        },
        "eventTime": "2023-07-19T23:10:09Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "CheckMfa",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "requestParameters": null,
        "responseElements": {
            "CheckMfa": "Success"
        },
        "additionalEventData": {
            "MfaType": "Multiple MFA Devices"
        },
        "eventID": "19bd1a1c-76b1-4806-9d8f-EXAMPLE02a96",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "123456789012",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "signin.aws.amazon.com"
        }
    }

Example event records for root users

The following examples show event records for several root user sign-in scenarios. When you sign in using the root user, CloudTrail records the ConsoleLogin event in us-east-1.

Topics

- Root user, successful sign-in without MFA
- Root user, successful sign-in with MFA
- Root user, unsuccessful sign-in
- Root user, MFA changed
- Root user, password changed

Root user, successful sign-in without MFA

The following shows a successful sign-in event for a root user not using multi-factor authentication (MFA).

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:root",
            "accountId": "111122223333",
            "accessKeyId": ""
        },
        "eventTime": "2023-07-12T13:35:31Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.…",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Success"
        },
        "additionalEventData": {
            "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&nc2=h_ct&src=header…",
            "MobileVersion": "No",
            "MFAUsed": "No"
        },
        "eventID": "4217cc13-7328-4820-a90c-EXAMPLE8002e6",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "111122223333",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "signin.aws.amazon.com"
        }
    }

Root user, successful sign-in with MFA

The following shows a successful sign-in event for a root user using multi-factor authentication (MFA).

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "444455556666",
            "arn": "arn:aws:iam::444455556666:root",
            "accountId": "444455556666",
            "accessKeyId": ""
        },
        "eventTime": "2023-07-13T03:04:43Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari…",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Success"
        },
        "additionalEventData": {
            "LoginTo": "https://ap-southeast-1.console.aws.amazon.com/ec2/home?region=ap-southeast-1&state=hashArgs%…",
            "MobileVersion": "No",
            "MFAIdentifier": "arn:aws:iam::444455556666:mfa/root-account-mfa-device",
            "MFAUsed": "Yes"
        },
        "eventID": "e0176723-ea76-4275-83a3-EXAMPLEf03fb",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "444455556666",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "signin.aws.amazon.com"
        }
    }

Root user, unsuccessful sign-in

The following shows an unsuccessful sign-in event for a root user not using MFA.

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "123456789012",
            "arn": "arn:aws:iam::123456789012:root",
            "accountId": "123456789012",
            "accessKeyId": ""
        },
        "eventTime": "2023-07-16T04:33:40Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.…",
        "errorMessage": "Failed authentication",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Failure"
        },
        "additionalEventData": {
            "LoginTo": "https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1&state=hashArgs%23%2Fa…",
            "MobileVersion": "No",
            "MFAUsed": "No"
        },
        "eventID": "f28d4329-5050-480b-8de0-EXAMPLE07329",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "123456789012",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "signin.aws.amazon.com"
        }
    }

Root user, MFA changed

The following shows an example event for a root user changing multi-factor authentication (MFA) settings.

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:root",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE4XX3IEV4PFQTH",
            "userName": "AWS ROOT USER",
            "sessionContext": {
                "sessionIssuer": {},
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2023-07-15T03:51:12Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2023-07-15T04:37:08Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "EnableMFADevice",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.…",
        "requestParameters": {
            "userName": "AWS ROOT USER",
            "serialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device"
        },
        "responseElements": null,
        "requestID": "9b45cd4c-a598-41e7-9170-EXAMPLE535f0",
        "eventID": "b4f18d55-d36f-49a0-afcb-EXAMPLEc026b",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "111122223333",
        "eventCategory": "Management",
        "sessionCredentialFromConsole": "true"
    }

Root user, password changed

The following shows an example event for a root user changing their password.

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "444455556666",
            "arn": "arn:aws:iam::444455556666:root",
            "accountId": "444455556666",
            "accessKeyId": "EXAMPLEAOTKEG44KPW5P",
            "sessionContext": {
                "sessionIssuer": {},
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2022-11-25T13:01:14Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2022-11-25T13:01:14Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ChangePassword",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.…",
        "requestParameters": null,
        "responseElements": null,
        "requestID": "c64254c2-e4ff-49c0-900e-EXAMPLE9e6d2",
        "eventID": "d059176c-4f4d-4a9e-b8d7-EXAMPLE2b7b3",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "444455556666",
        "eventCategory": "Management"
    }

Example event records for federated users

The following examples show event records for federated users. Federated users are given temporary security credentials to access AWS resources through an AssumeRole request.

The following shows an example event for a federation encryption request. The original access key ID is provided in the accessKeyId field of the userIdentity element.
The accessKeyId field in the responseElements contains a new access key ID if the requested sessionDuration is passed in the encryption request, otherwise it contains the value of the original access key ID.

Note

In this example, the mfaAuthenticated value is false and the MFAUsed value is No because the request was made by a federated user. These fields will only be set to true if the request was made by an IAM user or root user using MFA.

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "EXAMPLEUU4MH7OYK5ZCOA:JohnDoe",
            "arn": "arn:aws:sts::123456789012:assumed-role/roleName/JohnDoe",
            "accountId": "123456789012",
            "accessKeyId": "originalAccessKeyID",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "EXAMPLEUU4MH7OYK5ZCOA",
                    "arn": "arn:aws:iam::123456789012:role/roleName",
                    "accountId": "123456789012",
                    "userName": "roleName"
                },
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2023-09-25T21:30:39Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2023-09-25T21:30:39Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "GetSigninToken",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Java/1.8.0_382",
        "requestParameters": null,
        "responseElements": {
            "credentials": {
                "accessKeyId": "accessKeyID"
            },
            "GetSigninToken": "Success"
        },
        "additionalEventData": {
            "MobileVersion": "No",
            "MFAUsed": "No"
        },
        "eventID": "1d66615b-a417-40da-a38e-EXAMPLE8c89b",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "123456789012",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
        }
    }

The following shows a successful sign-in event for a federated user not using multi-factor authentication (MFA).

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "EXAMPLEPHCNW7ZCASLJOH:JohnDoe",
            "arn": "arn:aws:sts::123456789012:assumed-role/RoleName/JohnDoe",
            "accountId": "123456789012",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "EXAMPLEPHCNW7ZCASLJOH",
                    "arn": "arn:aws:iam::123456789012:role/RoleName",
                    "accountId": "123456789012",
                    "userName": "RoleName"
                },
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2023-09-22T16:15:47Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2023-09-22T16:15:47Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/…",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Success"
        },
        "additionalEventData": {
            "MobileVersion": "No",
            "MFAUsed": "No"
        },
        "eventID": "b73f1ec6-c064-4cd3-ba83-EXAMPLE441d7",
        "readOnly": false,
        "eventType": "AwsConsoleSignIn",
        "managementEvent": true,
        "recipientAccountId": "123456789012",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
        }
    }

Source: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html