{
	"id": "0446fc6d-d9c5-46ad-984b-671cc03af03d",
	"created_at": "2026-04-06T00:09:27.461187Z",
	"updated_at": "2026-04-10T03:21:08.262161Z",
	"deleted_at": null,
	"sha1_hash": "bfeb296dcc81c36a8991c8390f2c6f18bf178762",
	"title": "Logging IAM and AWS STS API calls with AWS CloudTrail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214593,
	"plain_text": "Logging IAM and AWS STS API calls with AWS CloudTrail\r\nArchived: 2026-04-05 13:40:38 UTC\r\nIAM and AWS STS are integrated with AWS CloudTrail, a service that provides a record of actions taken by an\r\nIAM user or role. CloudTrail captures all API calls for IAM and AWS STS as events, including calls from the\r\nconsole and from API calls. If you create a trail, you can enable continuous delivery of CloudTrail events to an\r\nAmazon S3 bucket. If you don't configure a trail, you can still view the most recent events in the CloudTrail\r\nconsole in Event history. You can use CloudTrail to get information about the request that was made to IAM or\r\nAWS STS. For example, you can view the IP address from which the request was made, who made the request,\r\nwhen it was made, and additional details.\r\nTo learn more about CloudTrail, see the AWS CloudTrail User Guide.\r\nTopics\r\nIAM and AWS STS information in CloudTrail\r\nLogging IAM and AWS STS API requests\r\nLogging API requests to other AWS services\r\nLogging user sign-in events\r\nLogging sign-in events for temporary credentials\r\nExample IAM API events in CloudTrail log\r\nExample AWS STS API events in CloudTrail log\r\nExample sign-in events in CloudTrail log\r\nIAM role trust policy behavior\r\nIAM and AWS STS information in CloudTrail\r\nCloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM or AWS\r\nSTS, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You\r\ncan view, search, and download recent events in your AWS account. For more information, see Viewing Events\r\nwith CloudTrail Event History.\r\nFor an ongoing record of events in your AWS account, including events for IAM and AWS STS, create a trail. A\r\ntrail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the\r\nconsole, the trail applies to all Regions. 
The trail logs events from all Regions in the AWS partition and delivers\r\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html\r\nPage 1 of 24\n\nthe log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to\r\nfurther analyze and act upon the event data collected in CloudTrail logs. For more information, see:\r\nOverview for Creating a Trail\r\nCloudTrail Supported Services and Integrations\r\nConfiguring Amazon SNS Notifications for CloudTrail\r\nReceiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple\r\nAccounts\r\nAll IAM and AWS STS actions are logged by CloudTrail and are documented in the IAM API Reference and the\r\nAWS Security Token Service API Reference.\r\nLogging IAM and AWS STS API requests\r\nCloudTrail logs all authenticated API requests to IAM and AWS STS API operations. CloudTrail also logs non-authenticated requests to the AWS STS actions, AssumeRoleWithSAML and AssumeRoleWithWebIdentity , and\r\nlogs information provided by the identity provider. However, some non-authenticated AWS STS requests might\r\nnot be logged because they do not meet the minimum expectation of being sufficiently valid to be trusted as a\r\nlegitimate request. For cross-account role assumption requests, CloudTrail does not log denied AWS STS requests\r\nin the target account's CloudTrail.\r\nYou can use the logged information to map calls made by an OIDC or SAML federated principal with an assumed\r\nrole back to the originating external federated caller. In the case of AssumeRole , you can map calls back to the\r\noriginating AWS service or to the account of the originating user. The userIdentity section of the JSON data in\r\nthe CloudTrail log entry contains the information that you need to map the AssumeRole* request with a specific\r\nsession principal. 
For more information, see CloudTrail userIdentity Element in the AWS CloudTrail User Guide.\r\nAWS CloudTrail logs will contain MFA information when the IAM user signs in with MFA. If the IAM user\r\nassumes an IAM role, CloudTrail will also log mfaAuthenticated: true in the sessionContext attributes for\r\nactions performed using the assumed role. However, CloudTrail logging is separate from what IAM requires: whether MFA\r\nmust be present for API calls made with the assumed role's credentials is enforced by IAM policy conditions, not by\r\nwhat CloudTrail records. For more information, see CloudTrail userIdentity\r\nElement.\r\nFor example, calls to the IAM CreateUser, DeleteRole, ListGroups, and other API operations are all logged\r\nby CloudTrail.\r\nExamples for this type of log entry are presented later in this topic.\r\nLogging API requests to other AWS services\r\nAuthenticated requests to other AWS service API operations are logged by CloudTrail, and these log entries\r\ncontain information about who generated the request.\r\nFor example, assume that you made a request to list Amazon EC2 instances or create an AWS CodeDeploy\r\ndeployment group. Details about the person or service that made the request are contained in the log entry for that\r\nrequest. This information helps you determine whether the request was made by the AWS account root user, an\r\nIAM user, a role, or another AWS service.\r\nFor more details about the user identity information in CloudTrail log entries, see userIdentity Element in the AWS\r\nCloudTrail User Guide.\r\nLogging user sign-in events\r\nCloudTrail logs sign-in events to the AWS Management Console, local development tools like AWS CLI and\r\nSDKs, the AWS discussion forums, and AWS Marketplace. 
CloudTrail logs successful and failed sign-in attempts\r\nfor IAM users, SAML and OIDC federated principals, and AWS STS federated user principals.\r\nTo view sample CloudTrail events for successful and unsuccessful root user sign-ins, see Example event records\r\nfor root users in the AWS CloudTrail User Guide.\r\nAs a security best practice, AWS does not log the entered IAM user name text when the sign-in failure is caused\r\nby an incorrect user name. The user name text is masked by the value HIDDEN_DUE_TO_SECURITY_REASONS. For an\r\nexample of this, see Example sign-in failure event caused by incorrect user name, later in this topic. The user\r\nname text is obscured because such failures might be caused by user errors. Logging these errors could expose\r\npotentially sensitive information. For example:\r\nYou accidentally type your password in the user name box.\r\nYou choose the link for the sign-in page of one AWS account, but then type the account number for a\r\ndifferent AWS account.\r\nYou forget which account you are signing in to and accidentally type the account name of your personal\r\nemail account, your bank sign-in identifier, or some other private ID.\r\nLogging sign-in events for temporary credentials\r\nWhen a principal requests temporary credentials, the principal type determines how CloudTrail logs the event.\r\nThis can be complicated when a principal assumes a role in another account, because a cross-account role\r\noperation involves multiple API calls. First, the principal calls an AWS STS API to retrieve\r\nthe temporary credentials. That operation is logged in the calling account and in the account where the AWS STS\r\noperation is performed. Then the principal uses the role to perform other API calls in the assumed role's\r\naccount.\r\nYou can use the sts:SourceIdentity condition key in the role trust policy to require users to specify an identity\r\nwhen they assume a role. 
For example, you can require that IAM users specify their own user name as their source\r\nidentity. This can help you determine which user performed a specific action in AWS. For more information, see\r\nsts:SourceIdentity. You can also use sts:RoleSessionName to require users to specify a session name when they\r\nassume a role. This can help you differentiate between role sessions for a role that is used by different principals\r\nwhen you review AWS CloudTrail logs.\r\nThe following table shows how CloudTrail logs different user identity information for each of the AWS STS APIs\r\nthat generate temporary credentials.\r\nPrincipal type | STS API | User identity in CloudTrail log for caller's account | User identity in CloudTrail log for the assumed role's account | User identity in CloudTrail log for the role's subsequent API calls\r\nAWS account root user credentials | GetSessionToken | Root user identity | Role owner account is same as calling account | Root user identity\r\nAWS account root user credentials | AssumeRoot | Root user session | Account number and principal ID (if a user) | Root user session\r\nIAM user | GetSessionToken | IAM user identity | Role owner account is same as calling account | IAM user identity\r\nIAM user | GetFederationToken | IAM user identity | Role owner account is same as calling account | IAM user identity\r\nIAM user | AssumeRole | IAM user identity | Account number and principal ID (if a user), or AWS service principal | Role identity only (no user)\r\nExternally authenticated user | AssumeRoleWithSAML | n/a | SAML user identity | Role identity only (no user)\r\nExternally authenticated user | AssumeRoleWithWebIdentity | n/a | OIDC/Web user identity | Role identity only (no user)\r\nNote that for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity, the role's subsequent API calls carry only\r\nthe role identity. To attribute those calls to a person, correlate the sessionContext of the later event (sessionIssuer,\r\nsourceIdentity, and the session's accessKeyId) with the AssumeRole* event whose responseElements issued those credentials.\r\nCloudTrail considers an action read-only if it does not have any mutating effect on a resource. When logging a\r\nread-only event, CloudTrail redacts the responseElements information in the log. When CloudTrail logs an\r\nevent that is not read-only, the full responseElements is shown in the log entry. For the AWS STS APIs\r\nAssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity, even though they are logged as read-only, CloudTrail\r\nincludes the full responseElements, except secretAccessKey, in the log entry.\r\nThe following table shows how CloudTrail logs responseElements and readOnly information for each of the\r\nAWS STS APIs that generate temporary credentials.\r\nSTS API | Response elements information | Read-only\r\nAssumeRole | Included | true\r\nAssumeRoleWithSAML | Included | true\r\nAssumeRoleWithWebIdentity | Included | true\r\nAssumeRoot | Included | false\r\nGetFederationToken | Included | false\r\nGetSessionToken | Included | false\r\nExample IAM API events in CloudTrail log\r\nCloudTrail log files contain events that are formatted using JSON. 
An API event represents a single API request\r\nand includes information about the principal, the requested action, any parameters, and the date and time of the\r\naction.\r\nExample IAM API event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a request made for the IAM GetUserPolicy action.\r\n{\r\n \"eventVersion\": \"1.09\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name\",\r\n \"arn\": \"arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name\",\r\n \"accountId\": \"111122223333\",\r\n \"accessKeyId\": \"AKIAIOSFODNN7EXAMPLE\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"AIDACKCEVSQ6C2EXAMPLE\",\r\n \"arn\": \"arn:aws:iam::111122223333:role/Admin\",\r\n \"accountId\": \"111122223333\",\r\n \"userName\": \"Admin\"\r\n },\r\n \"attributes\": {\r\n \"creationDate\": \"2024-09-09T17:50:16Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2024-09-09T17:51:44Z\",\r\n \"eventSource\": \"iam.amazonaws.com\",\r\n \"eventName\": \"GetUserPolicy\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"192.0.2.101\",\r\n \"userAgent\": \"aws-cli/1.16.96 Python/2.7.8 Linux/10 botocore/1.12.86\",\r\n \"requestParameters\": {\r\n \"userName\": \"ExampleIAMUserName\",\r\n \"policyName\": \"ExamplePolicyName\"\r\n },\r\n \"responseElements\": null,\r\n \"requestID\": \"9EXAMPLE-0c68-11e4-a24e-d5e16EXAMPLE\",\r\n \"eventID\": \"cEXAMPLE-127e-4632-980d-505a4EXAMPLE\",\r\n \"readOnly\": true,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"111122223333\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"iam.amazonaws.com\"\r\n }\r\n}\r\nFrom this event information, you can determine that the request was made to get the user policy named\r\nExamplePolicyName for the IAM user ExampleIAMUserName, as specified in the requestParameters element.\r\nThe userIdentity element shows that the request was made with temporary credentials from an assumed-role session\r\n(type AssumedRole) in account 111122223333, that the role which issued the session, shown in sessionIssuer, is Admin,\r\nand that the session was not MFA-authenticated (mfaAuthenticated is false). The request was made on September 9, 2024\r\nat 5:51 PM (UTC) from 192.0.2.101, and the userAgent element shows that it originated from the AWS CLI. Because\r\nGetUserPolicy is a read-only action (readOnly is true), responseElements is null.\r\nExample AWS STS API events in CloudTrail log\r\nCloudTrail log files contain events that are formatted using JSON. An API event represents a single API request\r\nand includes information about the principal, the requested action, any parameters, and the date and time of the\r\naction.\r\nExample cross-account AWS STS API events in CloudTrail log files\r\nThe IAM user named John in account 777788889999 calls the AWS STS AssumeRole action to assume the role\r\nEC2-dev in account 111122223333. The account administrator requires users to set a source identity equal to\r\ntheir user name when assuming the role. 
The user passes in the source identity value of John. The first example shows the calling account's (777788889999)\r\nCloudTrail log entry. Both entries carry the same sharedEventID, which you can use to correlate the two accounts'\r\nrecords of this request.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"AIDAQRSTUVWXYZEXAMPLE\",\r\n \"arn\": \"arn:aws:iam::777788889999:user/John\",\r\n \"accountId\": \"777788889999\",\r\n \"accessKeyId\": \"AKIAIOSFODNN7EXAMPLE\",\r\n \"userName\": \"John\"\r\n },\r\n \"eventTime\": \"2014-07-18T15:07:39Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRole\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.101\",\r\n \"userAgent\": \"aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67\",\r\n \"requestParameters\": {\r\n \"roleArn\": \"arn:aws:iam::111122223333:role/EC2-dev\",\r\n \"roleSessionName\": \"John-EC2-dev\",\r\n \"sourceIdentity\": \"John\",\r\n \"serialNumber\": \"arn:aws:iam::777788889999:mfa\"\r\n },\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"sessionToken\": \" \u003cencoded session token blob\u003e \",\r\n \"accessKeyId\": \"ASIAI44QH8DHBEXAMPLE\",\r\n \"expiration\": \"Jul 18, 2014, 4:07:39 PM\"\r\n },\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AIDAQRSTUVWXYZEXAMPLE:John-EC2-dev\",\r\n \"arn\": \"arn:aws:sts::111122223333:assumed-role/EC2-dev/John-EC2-dev\"\r\n },\r\n \"sourceIdentity\": \"John\"\r\n },\r\n \"resources\": [\r\n {\r\n \"ARN\": \"arn:aws:iam::111122223333:role/EC2-dev\",\r\n \"accountId\": \"111122223333\",\r\n \"type\": \"AWS::IAM::Role\"\r\n }\r\n ],\r\n \"requestID\": \"4EXAMPLE-0e8d-11e4-96e4-e55c0EXAMPLE\",\r\n \"sharedEventID\": \"bEXAMPLE-efea-4a70-b951-19a88EXAMPLE\",\r\n \"eventID\": \"dEXAMPLE-ac7f-466c-a608-4ac8dEXAMPLE\",\r\n \"eventType\": \"AwsApiCall\",\r\n \"recipientAccountId\": \"777788889999\"\r\n}\r\nThe second example shows the assumed role account's (111122223333) CloudTrail log entry for the same request.\r\n{\r\n 
\"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"AWSAccount\",\r\n \"principalId\": \"AIDAQRSTUVWXYZEXAMPLE\",\r\n \"accountId\": \"777788889999\"\r\n },\r\n \"eventTime\": \"2014-07-18T15:07:39Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRole\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.101\",\r\n \"userAgent\": \"aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67\",\r\n \"requestParameters\": {\r\n \"roleArn\": \"arn:aws:iam::111122223333:role/EC2-dev\",\r\n \"roleSessionName\": \"John-EC2-dev\",\r\n \"sourceIdentity\": \"John\",\r\n \"serialNumber\": \"arn:aws:iam::777788889999:mfa\"\r\n },\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"sessionToken\": \" \u003cencoded session token blob\u003e \",\r\n \"accessKeyId\": \"ASIAI44QH8DHBEXAMPLE\",\r\n \"expiration\": \"Jul 18, 2014, 4:07:39 PM\"\r\n },\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AIDAQRSTUVWXYZEXAMPLE:John-EC2-dev\",\r\n \"arn\": \"arn:aws:sts::111122223333:assumed-role/EC2-dev/John-EC2-dev\"\r\n },\r\n \"sourceIdentity\": \"John\"\r\n },\r\n \"requestID\": \"4EXAMPLE-0e8d-11e4-96e4-e55c0EXAMPLE\",\r\n \"sharedEventID\": \"bEXAMPLE-efea-4a70-b951-19a88EXAMPLE\",\r\n \"eventID\": \"dEXAMPLE-ac7f-466c-a608-4ac8dEXAMPLE\"\r\n}\r\nExample AWS STS role chaining API event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a request made by John Doe in account 111111111111.\r\nJohn previously used his John user to assume the JohnRole1 role. For this request, he uses the credentials from\r\nthat role to assume the JohnRole2 role. This is known as role chaining. The source identity that he set when he\r\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html\r\nPage 8 of 24\n\nassumed the John1 role persists in the request to assume JohnRole2 . 
If John tries to set a different source\r\nidentity when assuming the role, the request is denied. John passes two session tags into the request. He sets those\r\ntwo tags as transitive. The request inherits the Department tag as transitive because John set it as transitive when\r\nhe assumed JohnRole1. For more information about source identity, see Monitor and control actions taken with\r\nassumed roles. For more information about transitive keys in role chains, see Chaining roles with session tags.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\r\n \"arn\": \"arn:aws:sts::111111111111:assumed-role/John/JohnRole1\",\r\n \"accountId\": \"111111111111\",\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionContext\": {\r\n \"attributes\": {\r\n \"mfaAuthenticated\": \"false\",\r\n \"creationDate\": \"2019-10-02T21:50:54Z\"\r\n },\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"AROAIN5ATK5U7KEXAMPLE\",\r\n \"arn\": \"arn:aws:iam::111111111111:role/JohnRole1\",\r\n \"accountId\": \"111111111111\",\r\n \"userName\": \"John\"\r\n },\r\n \"sourceIdentity\": \"John\"\r\n }\r\n },\r\n \"eventTime\": \"2019-10-02T22:12:29Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRole\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"123.145.67.89\",\r\n \"userAgent\": \"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239\",\r\n \"requestParameters\": {\r\n \"incomingTransitiveTags\": {\r\n \"Department\": \"Engineering\"\r\n },\r\n \"tags\": [\r\n {\r\n \"value\": \"johndoe@example.com\",\r\n \"key\": \"Email\"\r\n },\r\n {\r\n \"value\": \"12345\",\r\n \"key\": \"CostCenter\"\r\n }\r\n ],\r\n \"roleArn\": \"arn:aws:iam::111111111111:role/JohnRole2\",\r\n \"roleSessionName\": 
\"Role2WithTags\",\r\n \"sourceIdentity\": \"John\",\r\n \"transitiveTagKeys\": [\r\n \"Email\",\r\n \"CostCenter\"\r\n ],\r\n \"durationSeconds\": 3600\r\n },\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"accessKeyId\": \"ASIAI44QH8DHBEXAMPLE\",\r\n \"expiration\": \"Oct 2, 2019, 11:12:29 PM\",\r\n \"sessionToken\": \"AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/m\r\n },\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\r\n \"arn\": \"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"\r\n },\r\n \"sourceIdentity\": \"John\"\r\n },\r\n \"requestID\": \"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\r\n \"eventID\": \"1917948f-3042-46ec-98e2-62865EXAMPLE\",\r\n \"resources\": [\r\n {\r\n \"ARN\": \"arn:aws:iam::111111111111:role/JohnRole2\",\r\n \"accountId\": \"111111111111\",\r\n \"type\": \"AWS::IAM::Role\"\r\n }\r\n ],\r\n \"eventType\": \"AwsApiCall\",\r\n \"recipientAccountId\": \"111111111111\"\r\n}\r\nExample AWS service AWS STS API event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a request made by an AWS service calling another\r\nservice API using permissions from a service role. 
It shows the CloudTrail log entry for the request made in\r\naccount 777788889999.\r\n{\r\n \"eventVersion\": \"1.04\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"AROAQRSTUVWXYZEXAMPLE:devdsk\",\r\n \"arn\": \"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk\",\r\n \"accountId\": \"777788889999\",\r\n \"accessKeyId\": \"ASIAI44QH8DHBEXAMPLE\",\r\n \"sessionContext\": {\r\n \"attributes\": {\r\n \"mfaAuthenticated\": \"false\",\r\n \"creationDate\": \"2016-11-14T17:25:26Z\"\r\n },\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"AROAQRSTUVWXYZEXAMPLE\",\r\n \"arn\": \"arn:aws:iam::777788889999:role/AssumeNothing\",\r\n \"accountId\": \"777788889999\",\r\n \"userName\": \"AssumeNothing\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2016-11-14T17:25:45Z\",\r\n \"eventSource\": \"s3.amazonaws.com\",\r\n \"eventName\": \"DeleteBucket\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.1\",\r\n \"userAgent\": \"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]\",\r\n \"requestParameters\": {\r\n \"bucketName\": \"amzn-s3-demo-bucket\"\r\n },\r\n \"responseElements\": null,\r\n \"requestID\": \"EXAMPLE463D56D4C\",\r\n \"eventID\": \"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\r\n \"eventType\": \"AwsApiCall\",\r\n \"recipientAccountId\": \"777788889999\"\r\n}\r\nExample SAML AWS STS API event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a request made for the AWS STS\r\nAssumeRoleWithSAML action. The request includes the SAML attributes CostCenter and Project that are\r\npassed through the SAML assertion as session tags. Those tags are set as transitive so that they persist in role\r\nchaining scenarios. 
The request includes the optional API parameter DurationSeconds, represented as\r\ndurationSeconds in the CloudTrail log, and is set to 1800 seconds. The request also includes the SAML\r\nattribute sourceIdentity, which is passed in the SAML assertion. If someone uses the resulting role session\r\ncredentials to assume another role, this source identity persists.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"SAMLUser\",\r\n \"principalId\": \"SampleUkh1i4+ExamplexL/jEvs=:SamlExample\",\r\n \"userName\": \"SamlExample\",\r\n \"identityProvider\": \"bdGOnTesti4+ExamplexL/jEvs=\"\r\n },\r\n \"eventTime\": \"2023-08-28T18:30:58Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRoleWithSAML\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"AWS Internal\",\r\n \"userAgent\": \"aws-internal/3 aws-sdk-java/1.12.479 Linux/5.10.186-157.751.amzn2int.x86_64 OpenJDK_64-Bit_Ser\r\n \"requestParameters\": {\r\n \"sAMLAssertionID\": \"_c0046cEXAMPLEb9d4b8eEXAMPLE2619aEXAMPLE\",\r\n \"roleSessionName\": \"MyAssignedRoleSessionName\",\r\n \"sourceIdentity\": \"MySAMLUser\",\r\n \"principalTags\": {\r\n \"CostCenter\": \"987654\",\r\n \"Project\": \"Unicorn\",\r\n \"Department\": \"Engineering\"\r\n },\r\n \"transitiveTagKeys\": [\r\n \"CostCenter\",\r\n \"Project\"\r\n ],\r\n \"roleArn\": \"arn:aws:iam::444455556666:role/SAMLTestRoleShibboleth\",\r\n \"principalArn\": \"arn:aws:iam::444455556666:saml-provider/Shibboleth\",\r\n \"durationSeconds\": 1800\r\n },\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionToken\": \" \u003cencoded session token blob\u003e \",\r\n \"expiration\": \"Aug 28, 2023, 7:00:58 PM\"\r\n },\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AROAD35QRSTUVWEXAMPLE:MyAssignedRoleSessionName\",\r\n \"arn\": 
\"arn:aws:sts::444455556666:assumed-role/SAMLTestRoleShibboleth/MyAssignedRoleSessionName\"\r\n },\r\n \"packedPolicySize\": 1,\r\n \"subject\": \"SamlExample\",\r\n \"subjectType\": \"transient\",\r\n \"issuer\": \"https://server.example.com/idp/shibboleth\",\r\n \"audience\": \"https://signin.aws.amazon.com/saml\",\r\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html\r\nPage 12 of 24\n\n\"nameQualifier\": \"bdGOnTesti4+ExamplexL/jEvs=\",\r\n \"sourceIdentity\": \"MySAMLUser\"\r\n },\r\n \"requestID\": \"6EXAMPLE-e595-11e5-b2c7-c974fEXAMPLE\",\r\n \"eventID\": \"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\r\n \"readOnly\": true,\r\n \"resources\": [\r\n {\r\n \"accountId\": \"444455556666\",\r\n \"type\": \"AWS::IAM::Role\",\r\n \"ARN\": \"arn:aws:iam::444455556666:role/SAMLTestRoleShibboleth\"\r\n },\r\n {\r\n \"accountId\": \"444455556666\",\r\n \"type\": \"AWS::IAM::SAMLProvider\",\r\n \"ARN\": \"arn:aws:iam::444455556666:saml-provider/test-saml-provider\"\r\n }\r\n ],\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"444455556666\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.2\",\r\n \"cipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n \"clientProvidedHostHeader\": \"sts.us-east-2.amazonaws.com\"\r\n }\r\n}\r\nExample OIDC AWS STS API event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a request made for the AWS STS\r\nAssumeRoleWithWebIdentity action. The request includes the attributes CostCenter and Project that are\r\npassed through the OpenID Connect (OIDC) identity provider (IdP) token as session tags. Those tags are set as\r\ntransitive so that they persist in role chaining. The request includes the sourceIdentity attribute from the\r\nidentity provider token. 
If someone uses the resulting role session credentials to assume another role, this source\r\nidentity persists.\r\nThe CloudTrail log entry also contains an additionalEventData field with an\r\nidentityProviderConnectionVerificationMethod attribute. This attribute indicates the method AWS used to\r\nverify the connection with the OIDC provider. The attribute value will be either IAMTrustStore or Thumbprint.\r\nThe IAMTrustStore value indicates that AWS successfully verified the connection with the OIDC IdP using the AWS\r\nlibrary of trusted root certificate authorities (CAs). The Thumbprint value indicates that AWS used a certificate\r\nthumbprint set in the IdP configuration to verify the OIDC IdP server certificate.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"WebIdentityUser\",\r\n \"principalId\": \"arn:aws:iam::444455556666:oidc-provider/ \u003cissuer url of OIDC provider\u003e : \u003cid of application\u003e : \u003c\r\n \"userName\": \" \u003cid of user\u003e \",\r\n \"identityProvider\": \"arn:aws:iam::444455556666:oidc-provider/ \u003cissuer url of OIDC provider\u003e \"\r\n },\r\n \"eventTime\": \"2024-07-09T15:41:37Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRoleWithWebIdentity\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.101\",\r\n \"userAgent\": \"aws-cli/2.13.29 Python/3.11.6 Windows/10 exe/AMD64 prompt/off command/sts.assume-role-with-web-i\r\n \"requestParameters\": {\r\n \"roleArn\": \"arn:aws:iam::444455556666:role/FederatedWebIdentityRole\",\r\n \"roleSessionName\": \" \u003cassigned role session name\u003e \",\r\n \"sourceIdentity\": \"MyWebIdentityUser\",\r\n \"durationSeconds\": 3600,\r\n \"principalTags\": {\r\n \"CostCenter\": \"24680\",\r\n \"Project\": \"Pegasus\"\r\n },\r\n \"transitiveTagKeys\": [\r\n \"CostCenter\",\r\n \"Project\"\r\n ]\r\n },\r\n 
\"responseElements\": {\r\n \"credentials\": {\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionToken\": \" \u003cencoded session token blob\u003e \",\r\n \"expiration\": \"Jul 9, 2024, 4:41:37 PM\"\r\n },\r\n \"subjectFromWebIdentityToken\": \" \u003cid of user\u003e \",\r\n \"sourceIdentity\": \"MyWebIdentityUser\",\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AROA123456789EXAMPLE: \u003cassigned role session name\u003e \",\r\n \"arn\": \"arn:aws:sts::444455556666:assumed-role/FederatedWebIdentityRole/ \u003cassigned role session name\u003e \"\r\n },\r\n \"provider\": \"arn:aws:iam::444455556666:oidc-provider/ \u003cissuer url of OIDC provider\u003e \",\r\n \"audience\": \" \u003cid of application\u003e \"\r\n },\r\n \"additionalEventData\": {\r\n \"identityProviderConnectionVerificationMethod\": \"IAMTrustStore\"\r\n },\r\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html\r\nPage 14 of 24\n\n\"requestID\": \"aEXAMPLE-0b26-40df-8973-c7012EXAMPLE\",\r\n \"eventID\": \"aEXAMPLE-ee29-4ac0-a0ed-3f5c5EXAMPLE\",\r\n \"readOnly\": true,\r\n \"resources\": [\r\n {\r\n \"accountId\": \"444455556666\",\r\n \"type\": \"AWS::IAM::Role\",\r\n \"ARN\": \"arn:aws:iam::444455556666:role/FederatedWebIdentityRole\"\r\n }\r\n ],\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"444455556666\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"sts.us-east-2.amazonaws.com\"\r\n }\r\n}\r\nExample AWS STS API event using the global endpoint in CloudTrail log file\r\nFor requests to the AWS Security Token Service (AWS STS) global endpoint ( https://sts.amazonaws.com ),\r\nAWS STS includes additional AWS CloudTrail log fields: endpointType and awsServingRegion . 
These fields\r\nappear under the additionalEventData RequestDetails element to log the serving AWS Region and the type\r\nof endpoint that was called. The endpointType field can have a value of global or regional to indicate the type of\r\nendpoint that served the request. For more information about the AWS STS global endpoint changes, see\r\nAWS STS Regions and endpoints.\r\nNote\r\nAWS CloudTrail logs for requests made to the AWS STS global endpoint will be sent to the US East (N. Virginia)\r\nRegion. CloudTrail logs for requests served by AWS STS Regional endpoints will continue to be logged to their\r\nrespective Region in CloudTrail. In the example that follows, awsRegion is therefore us-east-1 while\r\nawsServingRegion is eu-north-1, so a search scoped to the serving Region would miss this event.\r\nThe following example shows a CloudTrail log entry for an AWS STS request made to the global endpoint\r\n( https://sts.amazonaws.com ) that originated from the Europe (Stockholm) Region - eu-north-1. The\r\nendpointType field value of global indicates that the AWS STS request was served by the global endpoint in\r\nthe Europe (Stockholm) Region.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"AROA123456789EXAMPLE:developer\",\r\n \"arn\": \"arn:aws:sts::777788889999:assumed-role/Admin/developer\",\r\n \"accountId\": \"777788889999\",\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"AROA123456789EXAMPLE\",\r\n \"arn\": \"arn:aws:iam::777788889999:role/Admin\",\r\n \"accountId\": \"777788889999\",\r\n \"userName\": \"Admin\"\r\n },\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2025-02-12T21:44:28Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2025-02-12T22:16:48Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRole\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": 
\"192.0.2.0\",\r\n \"userAgent\": \"aws-cli/2.15.33 Python/3.11.8 Linux/5.10.233-204.894.amzn2int.x86_64 exe/x86_64.amzn.2 prompt/\r\n \"requestParameters\": {\r\n \"roleArn\": \"arn:aws:iam::777788889999:role/test-role\",\r\n \"roleSessionName\": \"test-global-assume-role\"\r\n },\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionToken\": \" \u003cencoded session token blob\u003e \",\r\n \"expiration\": \"Feb 12, 2025, 11:16:48 PM\"\r\n },\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AROA987654321EXAMPLE:test-global-assume-role\",\r\n \"arn\": \"arn:aws:sts::777788889999:assumed-role/test-role/test-global-assume-role\"\r\n }\r\n },\r\n \"additionalEventData\": {\r\n \"RequestDetails\": {\r\n \"awsServingRegion\": \"eu-north-1\",\r\n \"endpointType\": \"global\"\r\n }\r\n },\r\n \"requestID\": \"EXAMPLE7-2497-457a-9586-f21feEXAMPLE\",\r\n \"eventID\": \"EXAMPLEc-3d26-4c3a-9c94-722a9EXAMPLE\",\r\n \"readOnly\": true,\r\n \"resources\": [\r\n {\r\n \"accountId\": \"777788889999\",\r\n \"type\": \"AWS::IAM::Role\",\r\n \"ARN\": \"arn:aws:iam::777788889999:role/test-role\"\r\n }\r\n ],\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"777788889999\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"sts-global.eu-north-1.amazonaws.com\"\r\n }\r\n}\r\nFor comparison, the following example shows a CloudTrail log entry for an AWS STS request made to the\r\nRegional endpoint ( https://sts.us-west-2.amazonaws.com ) that was served by the Regional endpoint in the\r\nEurope (Stockholm) Region - eu-north-1. 
The endpointType field value of regional indicates that the AWS\r\nSTS request was served by the Regional endpoint in the Europe (Stockholm) Region.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"AROA123456789EXAMPLE:developer\",\r\n \"arn\": \"arn:aws:sts::777788889999:assumed-role/Admin/developer\",\r\n \"accountId\": \"777788889999\",\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"AROA123456789EXAMPLE\",\r\n \"arn\": \"arn:aws:iam::777788889999:role/Admin\",\r\n \"accountId\": \"777788889999\",\r\n \"userName\": \"Admin\"\r\n },\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2025-02-12T21:44:28Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2025-02-12T22:16:30Z\",\r\n \"eventSource\": \"sts.amazonaws.com\",\r\n \"eventName\": \"AssumeRole\",\r\n \"awsRegion\": \"eu-north-1\",\r\n \"sourceIPAddress\": \"192.0.2.0\",\r\n \"userAgent\": \"aws-cli/2.15.33 Python/3.11.8 Linux/5.10.233-204.894.amzn2int.x86_64 exe/x86_64.amzn.2 prompt/\r\n \"requestParameters\": {\r\n \"roleArn\": \"arn:aws:iam::777788889999:role/test-role\",\r\n \"roleSessionName\": \"test-global-assume-role\"\r\n },\r\n \"responseElements\": {\r\n \"credentials\": {\r\n \"accessKeyId\": \"ASIAIOSFODNN7EXAMPLE\",\r\n \"sessionToken\": \" \u003cencoded session token blob\u003e \",\r\n \"expiration\": \"Feb 12, 2025, 11:16:30 PM\"\r\n },\r\n \"assumedRoleUser\": {\r\n \"assumedRoleId\": \"AROA987654321EXAMPLE:test-global-assume-role\",\r\n \"arn\": \"arn:aws:sts::777788889999:assumed-role/test-role/test-global-assume-role\"\r\n }\r\n },\r\n \"additionalEventData\": {\r\n \"RequestDetails\": {\r\n \"endpointType\": \"regional\",\r\n \"awsServingRegion\": \"eu-north-1\"\r\n }\r\n },\r\n 
\"requestID\": \"EXAMPLEd-2116-4cd7-bd72-9f72fEXAMPLE\",\r\n \"eventID\": \"EXAMPLEd-219a-48ed-bc54-00e3cEXAMPLE\",\r\n \"readOnly\": true,\r\n \"resources\": [\r\n {\r\n \"accountId\": \"777788889999\",\r\n \"type\": \"AWS::IAM::Role\",\r\n \"ARN\": \"arn:aws:iam::777788889999:role/test-role\"\r\n }\r\n ],\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"777788889999\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.3\",\r\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n \"clientProvidedHostHeader\": \"sts.eu-north-1.amazonaws.com\"\r\n }\r\n}\r\nExample sign-in events in CloudTrail log\r\nCloudTrail log files contain events that are formatted using JSON. A sign-in event represents a single sign-in\r\nrequest and includes information about the sign-in principal, the Region, and the date and time of the action.\r\nExample sign-in success event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a successful sign-in event.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"AIDACKCEVSQ6C2EXAMPLE\",\r\n \"arn\": \"arn:aws:iam::111122223333:user/John\",\r\n \"accountId\": \"111122223333\",\r\n \"userName\": \"John\"\r\n },\r\n \"eventTime\": \"2014-07-16T15:49:27Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.110\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Success\"\r\n },\r\n \"additionalEventData\": {\r\n \"MobileVersion\": \"No\",\r\n \"LoginTo\": \"https://console.aws.amazon.com/s3/\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": 
\"3fcfb182-98f8-4744-bd45-10a395ab61cb\"\r\n}\r\nThe following example shows a CloudTrail log entry for a successful authorization code request.\r\n{\r\n\"eventVersion\": \"1.11\",\r\n\"userIdentity\": {\r\n\"type\": \"AssumedRole\",\r\n\"principalId\": \"AROATJHQDX737YZP72NTF:thesjain-Isengard\",\r\n\"arn\": \"arn:aws:sts::225989345271:assumed-role/Admin/thesjain-Isengard\",\r\n\"accountId\": \"225989345271\",\r\n\"sessionContext\": {\r\n\"sessionIssuer\": {\r\n\"type\": \"Role\",\r\n\"principalId\": \"AROATJHQDX737YZP72NTF\",\r\n\"arn\": \"arn:aws:iam::225989345271:role/Admin\",\r\n\"accountId\": \"225989345271\",\r\n\"userName\": \"Admin\"\r\n},\r\n\"attributes\": {\r\n\"creationDate\": \"2025-11-17T22:50:14Z\",\r\n\"mfaAuthenticated\": \"false\"\r\n}\r\n}\r\n},\r\n\"eventTime\": \"2025-11-17T22:51:32Z\",\r\n\"eventSource\": \"signin.amazonaws.com\",\r\n\"eventName\": \"AuthorizeOAuth2Access\",\r\n\"awsRegion\": \"us-east-1\",\r\n\"sourceIPAddress\": \"52.94.133.136\",\r\n\"userAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.\r\n\"requestParameters\": {\r\n\"scope\": \"openid\",\r\n\"redirect_uri\": \"http://127.0.0.1:53037/oauth/callback\",\r\n\"code_challenge_method\": \"SHA-256\",\r\n\"client_id\": \"arn:aws:signin:::devtools/same-device\"\r\n},\r\n\"responseElements\": null,\r\n\"additionalEventData\": {\r\n\"success\": \"true\",\r\n\"x-amzn-vpce-id\": \"\"\r\n},\r\n\"requestID\": \"e2854c76-1cba-4360-9fd1-5037b591466b\",\r\n\"eventID\": \"59e1720d-3deb-44ff-933d-6828be2a860a\",\r\n\"readOnly\": true,\r\n\"eventType\": \"AwsApiCall\",\r\n\"managementEvent\": true,\r\n\"recipientAccountId\": \"225989345271\",\r\n\"eventCategory\": \"Management\",\r\n\"tlsDetails\": {\r\n\"tlsVersion\": \"TLSv1.3\",\r\n\"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n\"clientProvidedHostHeader\": 
\"us-east-1.signin.aws.amazon.com\"\r\n}\r\n}\r\n \r\nThe following example shows a CloudTrail log entry for a successful OAuth2 token creation request.\r\n{\r\n\"eventVersion\": \"1.11\",\r\n\"userIdentity\": {\r\n\"type\": \"AssumedRole\",\r\n\"principalId\": \"AROATJHQDX737YZP72NTF:jacobjoj-Isengard\",\r\n\"arn\": \"arn:aws:sts::225989345271:assumed-role/Admin/jacobjoj-Isengard\",\r\n\"accountId\": \"225989345271\",\r\n\"sessionContext\": {\r\n\"sessionIssuer\": {\r\n\"type\": \"Role\",\r\n\"principalId\": \"AROATJHQDX737YZP72NTF\",\r\n\"arn\": \"arn:aws:iam::225989345271:role/Admin\",\r\n\"accountId\": \"225989345271\",\r\n\"userName\": \"Admin\"\r\n},\r\n\"attributes\": {\r\n\"creationDate\": \"2025-11-18T20:38:10Z\",\r\n\"mfaAuthenticated\": \"false\"\r\n}\r\n}\r\n},\r\n\"eventTime\": \"2025-11-18T20:38:44Z\",\r\n\"eventSource\": \"signin.amazonaws.com\",\r\n\"eventName\": \"CreateOAuth2Token\",\r\n\"awsRegion\": \"us-east-1\",\r\n\"sourceIPAddress\": \"15.248.6.6\",\r\n\"userAgent\": \"aws-cli/2.32.0 md/awscrt#0.28.4 ua/2.1 os/macos#24.6.0 md/arch#arm64 lang/python#3.13.9 md/pyimpl#\r\n\"requestParameters\": {\r\n\"client_id\": \"arn:aws:signin:::devtools/same-device\"\r\n},\r\n\"responseElements\": null,\r\n\"additionalEventData\": {\r\n\"success\": \"true\",\r\n\"x-amzn-vpce-id\": \"\"\r\n},\r\n\"requestID\": \"94562943-c85b-4dc1-bf72-43b0fd42d6de\",\r\n\"eventID\": \"0b338fac-6a10-4740-b34d-1bb6923e799e\",\r\n\"readOnly\": true,\r\n\"eventType\": \"AwsApiCall\",\r\n\"managementEvent\": true,\r\n\"recipientAccountId\": \"225989345271\",\r\n\"eventCategory\": \"Management\",\r\n\"tlsDetails\": {\r\n\"tlsVersion\": \"TLSv1.3\",\r\n\"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\r\n\"clientProvidedHostHeader\": \"us-east-1.signin.aws.amazon.com\"\r\n}\r\n}\r\n \r\nFor 
more details about the information contained in CloudTrail log files, see CloudTrail Event Reference in the\r\nAWS CloudTrail User Guide.\r\nExample sign-in failure event in CloudTrail log file\r\nThe following example shows a CloudTrail log entry for a failed sign-in event.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"AIDACKCEVSQ6C2EXAMPLE\",\r\n \"arn\": \"arn:aws:iam::111122223333:user/JaneDoe\",\r\n \"accountId\": \"111122223333\",\r\n \"userName\": \"JaneDoe\"\r\n },\r\n \"eventTime\": \"2014-07-08T17:35:27Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.100\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\r\n \"errorMessage\": \"Failed authentication\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Failure\"\r\n },\r\n \"additionalEventData\": {\r\n \"MobileVersion\": \"No\",\r\n \"LoginTo\": \"https://console.aws.amazon.com/sns\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": \"11ea990b-4678-4bcd-8fbe-62509088b7cf\"\r\n}\r\nFrom this information, you can determine that the sign-in attempt was made by an IAM user named JaneDoe, as\r\nshown in the userIdentity element. You can also see that the sign-in attempt failed, as shown in the\r\nresponseElements element. You can see that JaneDoe tried to sign in to the Amazon SNS console at 5:35 PM\r\n(UTC) on July 8, 2014.\r\nExample sign-in failure event caused by incorrect user name\r\nThe following example shows a CloudTrail log entry for an unsuccessful sign-in event caused by the user entering\r\nan incorrect user name. 
AWS masks the userName text with HIDDEN_DUE_TO_SECURITY_REASONS to help prevent\r\nexposing potentially sensitive information.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"\",\r\n \"userName\": \"HIDDEN_DUE_TO_SECURITY_REASONS\"\r\n },\r\n \"eventTime\": \"2015-03-31T22:20:42Z\",\r\n \"eventSource\": \"signin.amazonaws.com\",\r\n \"eventName\": \"ConsoleLogin\",\r\n \"awsRegion\": \"us-east-2\",\r\n \"sourceIPAddress\": \"192.0.2.101\",\r\n \"userAgent\": \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\r\n \"errorMessage\": \"No username found in supplied account\",\r\n \"requestParameters\": null,\r\n \"responseElements\": {\r\n \"ConsoleLogin\": \"Failure\"\r\n },\r\n \"additionalEventData\": {\r\n \"LoginTo\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23\u0026isauthcode=true\",\r\n \"MobileVersion\": \"No\",\r\n \"MFAUsed\": \"No\"\r\n },\r\n \"eventID\": \"a7654656-0417-45c6-9386-ea8231385051\",\r\n \"eventType\": \"AwsConsoleSignin\",\r\n \"recipientAccountId\": \"123456789012\"\r\n}\r\nIAM role trust policy behavior\r\nOn September 21st, 2022, AWS made changes to IAM role trust policy behavior to require explicit allows in a\r\nrole trust policy when a role assumes itself. IAM roles in the legacy behavior allow list have an\r\nadditionalEventData field present for explicitTrustGrant for AssumeRole events. The value of\r\nexplicitTrustGrant is false when a role on the legacy allow list assumes itself using the legacy behavior. 
When\r\na role on the legacy allow list assumes itself but the role trust policy behavior has been updated to explicitly allow\r\nthe role to assume itself, the value of explicitTrustGrant is true.\r\nOnly a very small number of IAM roles are on the allow list for the legacy behavior, and this field is only present\r\nin CloudTrail logs for these roles when they assume themselves. In most cases, it is not necessary for an IAM role\r\nto assume itself. AWS recommends updating your processes, code, or configurations to remove this behavior or\r\nupdating your role trust policies to explicitly allow for this behavior. For more information, see Announcing an\r\nupdate to IAM role trust policy behavior.\r\nSource: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"
	],
	"report_names": [
		"cloudtrail-integration.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfeb296dcc81c36a8991c8390f2c6f18bf178762.pdf",
		"text": "https://archive.orkl.eu/bfeb296dcc81c36a8991c8390f2c6f18bf178762.txt",
		"img": "https://archive.orkl.eu/bfeb296dcc81c36a8991c8390f2c6f18bf178762.jpg"
	}
}