
We are using the AWS Cognito service for our web application for authentication. We want to create a report in AWS QuickSight for auditing Login, Logout and Forgot Password events for all the application users. So we have enabled CloudTrail logs and created a table in Athena in which the logs are stored. Using this Athena table, we are creating a dataset in QuickSight using custom SQL. Now, we want to know which events we should consider for capturing the Sign In / Sign Out and Forgot Password actions done by the user.

The logs contain the user name, i.e. the sub (UUID), and not the actual Email ID of the user. Also, in CloudTrail, we do not see any events logged for Sign Out / Forgot Password. So for the audit report, the required fields are Email ID of the logged-in user, Sign In Time, Sign Out Time and Forgot Password Time. Any assistance you can provide would be greatly appreciated.

aws_ik
  • 11
  • 1
  • Does the use case for the audit report require ability to have (near-)realtime data? If not, what is an acceptable delay -- can the report data be generated daily or monthly, for example? – sytech Aug 31 '21 at 16:45
  • Hi, Thanks a lot for your response. The acceptable delay can be an hour, i.e. one-hour-old data is also okay. The requirement is to get Email ID, Sign In, Sign Out and Forgot Password events for each user in the QuickSight report. – aws_ik Sep 01 '21 at 12:48

2 Answers

0

Unfortunately it's still quite hard to set up an audit trail for Cognito events. One of the problems is that not all events are captured by CloudTrail (e.g. the signout event). See supported events here

Your options are basically

(A) modify your use-case and only log events actually captured by CloudTrail. You can add the user email address before storing the event (e.g. set up an EventBridge event rule that invokes a Lambda on the required events, enriches the data, then dumps the data to some data store). Alternatively you create a separate table that keeps the mappings from user-id => user email and join them together in the QuickSight dataset.

(B) Create something like an API Gateway to sit in between your front-end and the Cognito APIs. Use the front-end to call your API Gateway and perform custom logic there. For example: when called, first add the entry to the audit table, then call the Cognito endpoint, or vice versa.

Both are a lot more work than what you have tried so far, but unfortunately Cognito does not yet offer the features that you want there.

Edit: I'd like to add that cognito advanced security adds some events, but they are not captured by cloudtrail and are not super-useful for integration purposes.

Also, cognito lambda triggers can be used to add custom logic to authentication flows, but unfortunately sign-out is not one of them.

LRutten
  • 1,634
  • 7
  • 17
  • Thanks a lot for the response @LRutten. There is a ForgotPassword event of Cognito. We have checked for this for application users but in CloudTrail there is no ForgotPassword event getting logged. Also, I have changed Advanced Security from Audit only to Yes, and still do not see any Sign In, Sign Out or Forgot Password events. I can see only 3 events in CloudTrail, which are AdminUpdateUserAttributes (pre-auth), AdminUpdateUserAttributes (post-auth) and GetUser - these are logged as soon as the user logs in to the application and the eventSource is cognito-idp.amazonaws.com. – aws_ik Sep 01 '21 at 12:52
  • The advanced security issue is intended behaviour. Advanced security does add events, but they are not cloudtrail events and thus are not captured in your setup. The forgot password event is strange if it's not logged. Then I'd need to see the code doing the actual logic to see if the API is even called at all. – LRutten Sep 01 '21 at 15:17
0

Okay, here I see two primary questions:

  1. How to identify CloudTrail events for Signout and Forgot Password
  2. How to get the EmailId of users in your quicksight reports (from the UserSub present in CloudTrail)

On (1) identifying events for Signout and Forgot Password:

The only authentication audit events for Cognito are SignIn, SignUp, and ForgotPassword. So, you can use a query on eventName = 'ForgotPassword' for ForgotPassword events. However, there is no audit event for signouts, so you won't be able to track them this way with CloudTrail.

In order to capture sign out events, you'll need a different/additional approach to get your sign outs, which may be difficult, if even possible, depending on whether you use federated identities or not.

On (2) getting the EmailId of users in your quicksight reports:

As noted in the Cognito developer guide:

Amazon Cognito supports logging for all of the actions listed on the User Pool Actions page as events in CloudTrail log files. Amazon Cognito records UserSub but not UserName in CloudTrail logs for requests that are specific to a user

If you need more information than what CloudTrail provides inherently here, you can find a user for a given UserSub by calling the ListUsers API, and using a filter for the sub.

Now, in order to get the QuickSight report you want, you need to somehow process the CloudTrail output yourself to get all the data you want (e.g. processing the UserSub using cognito APIs to get the EmailId) into a data source that can be queried with QuickSight. How you might architect this solution depends a lot on whether you need the data in realtime or not.

If you need a (near-)realtime solution, you could achieve this with a serverless setup where you stream cloudtrail -> cloudwatch logs (optionally filtered) -> kinesis streams -> stream consumer (e.g. Lambda) that processes UserSub to the data you want -> datasource for QuickSight (s3/athena/dynamodb/etc).

[Figure: Near-realtime processing architecture]

If you do not need a near-realtime solution, you could adopt a similar approach, except instead of streaming the log events, you might just accumulate logs in an S3 bucket. Then, periodically, you process the logs from S3 and put the processed data in the data source of your choosing connected to QuickSight.

sytech
  • 29,298
  • 3
  • 45
  • 86
  • Thanks a lot @sytech for your response. So basically, with my current design, I can't get Email ID for userSub. Also, I do not see any CloudTrail logs for SignIn, SignOut and ForgotPassword events. But why these events are not getting logged in CloudTrail e.g. ForgotPassword event is mentioned in the documentation but I do not see in the logs. – aws_ik Sep 01 '21 at 13:11
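An added example of the enrichment step that both answers describe (LRutten's option A, a user-id => email mapping built by a Lambda, and sytech's point 2, resolving a UserSub with ListUsers filtered on sub). This is not code from the question or either answer. It assumes the sub is read from `additionalEventData.sub` in the CloudTrail record, uses GetUser as the sign-in proxy only because the asker observed it at login, and stands in a fake `list_users` for the boto3 client so the sample runs offline; the user pool id and the records are constructed.

```python
"""Enrich Cognito CloudTrail records with the user's email (added example)."""

USER_POOL_ID = "us-east-1_EXAMPLE"  # placeholder, not a real pool id

# Event names to keep: ForgotPassword is the documented audit event (sytech's
# answer); GetUser is used as a sign-in proxy because the asker saw it logged
# at login (assumption, not a documented sign-in event).
REPORT_EVENTS = {"ForgotPassword": "forgot_password", "GetUser": "sign_in"}


class SubToEmailResolver:
    """Resolve a UserSub to an email via ListUsers with a sub filter.

    Results are cached, so each sub costs one API call: this is the
    user-id => email mapping table in memory. `client` is any object with a
    boto3-compatible list_users(UserPoolId=..., Filter=..., Limit=...)."""

    def __init__(self, client, user_pool_id):
        self.client = client
        self.user_pool_id = user_pool_id
        self.cache = {}
        self.calls = 0

    def email_for(self, sub):
        if sub in self.cache:
            return self.cache[sub]
        self.calls += 1
        resp = self.client.list_users(
            UserPoolId=self.user_pool_id,
            Filter=f'sub = "{sub}"',  # ListUsers filter syntax for the sub attribute
            Limit=1,
        )
        email = None
        for user in resp.get("Users", []):
            for attr in user.get("Attributes", []):
                if attr["Name"] == "email":
                    email = attr["Value"]
        self.cache[sub] = email  # cache misses too, so unknown subs are not re-queried
        return email


def extract_rows(records, resolver):
    """Turn raw CloudTrail records into report rows: email, sub, action, time."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "cognito-idp.amazonaws.com":
            continue
        action = REPORT_EVENTS.get(rec.get("eventName"))
        if action is None:
            continue
        # Assumption: Cognito puts the UserSub in additionalEventData.sub
        sub = rec.get("additionalEventData", {}).get("sub")
        if not sub:
            continue
        rows.append({
            "email": resolver.email_for(sub),
            "sub": sub,
            "action": action,
            "time": rec["eventTime"],
        })
    return rows


class FakeCognitoClient:
    """Offline stand-in for boto3's cognito-idp client (only list_users)."""

    def __init__(self, directory):
        self.directory = directory  # constructed sub -> email mapping

    def list_users(self, UserPoolId, Filter, Limit=60):
        sub = Filter.split('"')[1]  # Filter looks like: sub = "uuid"
        users = []
        if sub in self.directory:
            users.append({"Username": sub, "Attributes": [
                {"Name": "sub", "Value": sub},
                {"Name": "email", "Value": self.directory[sub]},
            ]})
        return {"Users": users}


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "GetUser",
     "eventTime": "2021-09-01T12:00:00Z", "additionalEventData": {"sub": "aaaa-1111"}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "AdminUpdateUserAttributes",
     "eventTime": "2021-09-01T12:00:01Z", "additionalEventData": {"sub": "aaaa-1111"}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "ForgotPassword",
     "eventTime": "2021-09-01T12:05:00Z", "additionalEventData": {"sub": "aaaa-1111"}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "GetUser",
     "eventTime": "2021-09-01T12:10:00Z", "additionalEventData": {"sub": "bbbb-2222"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2021-09-01T12:11:00Z"},
]


def run_demo():
    """Build the report rows from the sample records; returns (rows, resolver)."""
    client = FakeCognitoClient({"aaaa-1111": "alice@example.com"})
    resolver = SubToEmailResolver(client, USER_POOL_ID)
    return extract_rows(SAMPLE_RECORDS, resolver), resolver


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

In a Lambda, the same `extract_rows` would run over the records of each delivered CloudTrail batch and write the rows (with the email filled in) to the S3/Athena table that QuickSight reads, so the QuickSight SQL no longer has to deal with the sub at all. Note that a sub with no matching user (deleted user, or a federated identity) yields an empty email rather than failing the batch.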