
As the title gives it away, I logged into my AWS console this morning but can't see the logs in CloudTrail for the same.

My question is:

a) Is this default behaviour, to log AWS console logins to CloudTrail?

b) What could I possibly have missed?

Powershel
  • CloudTrail should log IAM user login and root login events per the [docs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html). How long after login to the console did you check CloudTrail Logs? – jarmod Jan 27 '22 at 22:30

2 Answers


Console login events are IAM events, and IAM is a global service. Global service events are captured in the us-east-1 (N. Virginia) region.

So, regardless of which AWS region you are working in, when you log in to the AWS console this event will only be captured in us-east-1, not the region you are working in (if different from us-east-1).

To view the console login events for your account, navigate to the CloudTrail event history and select N. Virginia from the region selector (since Nov. 2021).

This behaviour was implemented as of Nov. 2021 - read this for more -> https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events

jacks
  • Thanks, I am not in the US and am exporting my logs to a SIEM, so do you mean my login events will also still be in us-east-1? – Powershel Jan 29 '22 at 00:32
  • @Powershel - yes, regardless of where you are and which AWS region you are working in, your console login events are IAM events and IAM is a global service not tied to any region, so they are logged in us-east-1. If you check your CloudTrail event history and set the region in the console to us-east-1 (N. Virginia) you should see the console login events. – jacks Jan 29 '22 at 01:24
  • I had no idea IAM events were only logged to us-east-1; it makes perfect sense after thinking about it because IAM does not have a region, but I feel like AWS should state this somewhere explicitly when it comes to searching for these events in CloudTrail. – Troy Zuroske Feb 27 '23 at 16:17

2023:

The region in which the ConsoleLogin API calls are logged depends on the login URL.

For example: https://eu-north-1.signin.aws.amazon.com/ -> the ConsoleLogin API call will be located in eu-north-1.

https://eu-central-1.signin.aws.amazon.com/ -> the ConsoleLogin API call will be located in eu-central-1.

If you use the default login URL, https://signin.aws.amazon.com/, the call will be logged in us-east-1.

Heiko
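A check that follows from both answers above (ConsoleLogin lands in us-east-1 for the default sign-in URL, or in the regional sign-in URL's region): read a CloudTrail log file body, list the regions that actually carried ConsoleLogin events so the trail or SIEM collector can be verified against them, and surface logins worth reviewing. This is an added example, not code from either answer; the records are constructed, with field names following the CloudTrail ConsoleLogin record format.

```python
import json

# Constructed sample CloudTrail log file body (not real account data).
# Field names follow the CloudTrail record format; values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "eventTime": "2022-01-27T08:10:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "eu-north-1", "eventTime": "2022-01-27T08:12:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "eventTime": "2022-01-27T08:15:00Z",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "eventTime": "2022-01-27T08:16:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def console_logins(log_text):
    """Return only the ConsoleLogin records from a CloudTrail log file body."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records
            if r.get("eventSource") == "signin.amazonaws.com"
            and r.get("eventName") == "ConsoleLogin"]


def login_regions(log_text):
    """awsRegion values that carried ConsoleLogin events. Each of these must be
    covered by the trail and the SIEM collector, or those logins are never seen."""
    return sorted({r["awsRegion"] for r in console_logins(log_text)})


def summarize_logins(log_text):
    """One tuple per login: (region, principal, outcome, mfa_used)."""
    out = []
    for r in console_logins(log_text):
        ident = r.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("type", "unknown")
        outcome = r.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        mfa = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        out.append((r["awsRegion"], principal, outcome, mfa))
    return out


def findings(log_text):
    """Logins worth a look: failures, and successes that did not use MFA."""
    return [s for s in summarize_logins(log_text) if s[2] != "Success" or not s[3]]
```

Run the functions over the decompressed contents of each CloudTrail log object; if `login_regions` reports a region the collector does not ingest, that is the gap the question describes.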