Amazon Cognito のサインインイベントの概要 - Amazon Cognito

翻訳は機械翻訳により提供されています。提供された翻訳内容と英語版の間で齟齬、不一致または矛盾がある場合、英語版が優先します。

Amazon Cognito のサインインイベントの概要

証跡は、指定した Amazon S3 バケットにイベントをログファイルとして配信できます。 CloudTrail ログファイルには、1 つ以上のログエントリが含まれます。イベントは任意の送信元からの単一のリクエストを表し、リクエストされたアクション、アクションの日時、リクエストパラメータなどに関する情報が含まれます。 CloudTrail ログファイルは、パブリック API コールの順序付けられたスタックトレースではないため、特定の順序では表示されません。

ホストされた UI サインアップの CloudTrail イベント例

次の CloudTrail イベント例は、ユーザーがホストされた UI からサインアップしたときに Amazon Cognito がログに記録する情報を示しています。

Amazon Cognito は、新しいユーザーがアプリのサインインページに移動すると、次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-04-06T05:38:12Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Login_GET", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "errorCode": "", "errorMessage": "", "additionalEventData": { "responseParameters": { "status": 200.0 }, "requestParameters": { "redirect_uri": [ "https://www.amazon.com" ], "response_type": [ "token" ], "client_id": [ "1example23456789" ] } }, "eventID": "382ae09a-151d-4116-8f2b-6ac0a804a38c", "readOnly": true, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

Amazon Cognito は、新しいユーザーがアプリのサインインページで [ Sign up ] を選択すると、次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:21:43Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Signup_GET", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "response_type": [ "code" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "7a63e7c2-b057-4f3d-a171-9d9113264fff", "eventID": "5e7b27a0-6870-4226-adb4-f86cd51ac5d8", "readOnly": true, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

Amazon Cognito は、新しいユーザーがユーザー名を選択し、E メールアドレスを入力し、アプリのサインインページからパスワードを選択すると、次のイベントをログに記録します。Amazon Cognito は、ユーザーのアイデンティティに関する識別情報を に記録しません CloudTrail。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:22:05Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Signup_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 302 }, "requestParameters": { "password": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "requiredAttributes[email]": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "response_type": [ "code" ], "_csrf": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ], "username": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "9ad58dd8-3517-4aa8-96a5-d17a01df9eb4", "eventID": "c75eb7a5-eb8c-43d1-8331-f4412e756e69", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

Amazon Cognito は、新規ユーザーがサインアップ後にホストされた UI のユーザー確認ページにアクセスすると、次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:22:06Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Confirm_GET", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "response_type": [ "code" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "58a5b170-3127-45bb-88cc-3e652d779e0b", "eventID": "7f87291a-6d50-409a-822f-e3a5ec7e60da", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

Amazon Cognito は、ホストされた UI のユーザー確認ページで、Amazon Cognito が送信したコードを E メールメッセージでユーザーが入力したときに、次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-05T23:23:32Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Confirm_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 302 }, "requestParameters": { "confirm": [ "" ], "deliveryMedium": [ "EMAIL" ], "sub": [ "704b1e47-34fe-40e9-8c41-504997494531" ], "code": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "destination": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "response_type": [ "code" ], "_csrf": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "cognitoAsfData": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ], "username": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "9764300a-ed35-4f87-8a0f-b18b3fe2b11e", "eventID": "e24ac6e5-2f70-4c6e-ad4e-2f08a547bb36", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

SAML リクエストの CloudTrail イベント例

Amazon Cognito は、SAML IdP で認証されたユーザーが SAML アサーションを /saml2/idpresponse エンドポイントに送信すると、次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-06T00:50:57Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "SAML2Response_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 302 }, "requestParameters": { "RelayState": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "SAMLResponse": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "4f6f15d1-c370-4a57-87f0-aac4817803f7", "eventID": "9824b50f-d9d1-4fb8-a2c1-6aa78ca5902a", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "625647942648", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

トークンエンドポイントへのリクエストの CloudTrail イベント例

次の例は、トークンエンドポイント へのリクエストからのイベントの例です。

Amazon Cognito は、認証して認証コードを受け取ったユーザーがコードを /oauth2/token エンドポイントに送信すると、以下のイベントを記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-12T22:12:30Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Token_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "code": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "grant_type": [ "authorization_code" ], "redirect_uri": [ "https://www.amazon.com" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "f257f752-cc14-4c52-ad5b-152a46915238", "eventID": "0bd1586d-cd3e-4d7a-abaf-fd8bfc3912fd", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

バックエンドシステムが /oauth2/token エンドポイントにアクセストークンの client_credentials リクエストを送信すると、Amazon Cognito は次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-12T21:07:05Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Token_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "grant_type": [ "client_credentials" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "4f871256-6825-488a-871b-c2d9f55caff2", "eventID": "473e5cbc-a5b3-4578-9ad6-3dfdcb8a6d34", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

Amazon Cognito は、アプリが更新トークンを新しい ID に交換し、/oauth2/token エンドポイントとトークンにアクセスすると、次のイベントをログに記録します。

{ "eventVersion": "1.08", "userIdentity": { "accountId": "123456789012" }, "eventTime": "2022-05-12T22:16:40Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "Token_POST", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "requestParameters": null, "responseElements": null, "additionalEventData": { "responseParameters": { "status": 200 }, "requestParameters": { "refresh_token": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ], "grant_type": [ "refresh_token" ], "client_id": [ "1example23456789" ] }, "userPoolDomain": "mydomain.us-west-2.amazoncognito.com", "userPoolId": "us-west-2_aaaaaaaaa" }, "requestID": "2829f0c6-a3a9-4584-b046-11756dfe8a81", "eventID": "12bd3464-59c7-44fa-b8ff-67e1cf092018", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "123456789012", "serviceEventDetails": { "serviceAccountId": "111122223333" }, "eventCategory": "Management" }

の CloudTrail イベントの例 CreateIdentityPool

次の例は、CreateIdentityPool アクションに対するリクエストのログエントリを示しています。リクエストは Alice という IAM ユーザーによって行われました。

{ "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "['EXAMPLE_KEY_ID']", "userName": "Alice" }, "eventTime": "2016-01-07T02:04:30Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "CreateIdentityPool", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "USER_AGENT", "requestParameters": { "identityPoolName": "TestPool", "allowUnauthenticatedIdentities": true, "supportedLoginProviders": { "graph.facebook.com": "000000000000000" } }, "responseElements": { "identityPoolName": "TestPool", "identityPoolId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE", "allowUnauthenticatedIdentities": true, "supportedLoginProviders": { "graph.facebook.com": "000000000000000" } }, "requestID": "15cc73a1-0780-460c-91e8-e12ef034e116", "eventID": "f1d47f93-c708-495b-bff1-cb935a6064b2", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }

の CloudTrail イベントの例 GetCredentialsForIdentity

次の例は、GetCredentialsForIdentity アクションに対するリクエストのログエントリを示しています。

{ "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetCredentialsForIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-credentials-for-identity", "requestParameters": { "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "responseElements": { "credentials": { "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionToken": "aAaAaAaAaAaAab1111111111EXAMPLE", "expiration": "Jan 19, 2023 5:55:08 PM" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "659dfc23-7c4e-4e7c-858a-1abce884d645", "eventID": "6ad1c766-5a41-4b28-b5ca-e223ccb00f0d", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" }

の CloudTrail イベントの例 GetId

次の例は、GetId アクションに対するリクエストのログエントリを示しています。

{ "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:05Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetId", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-id", "requestParameters": { "identityPoolId": "us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE", "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" } }, "responseElements": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "dc28def9-07c8-460a-a8f3-3816229e6664", "eventID": "c5c459d9-40ec-41fd-8f6b-57865d5a9975", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" }

の CloudTrail イベントの例 GetOpenIdToken

次の例は、GetOpenIdToken アクションに対するリクエストのログエントリを示しています。

{ "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetOpenIdToken", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-open-id-token", "requestParameters": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE", "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" } }, "responseElements": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "a506ba18-10d7-4fdb-9548-a8187b2e38bb", "eventID": "19ffc1a6-6ed8-4580-a4e1-3062c5ce6457", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" }

の CloudTrail イベントの例 GetOpenIdTokenForDeveloperIdentity

次の例は、GetOpenIdTokenForDeveloperIdentity アクションに対するリクエストのログエントリを示しています。

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROA1EXAMPLE:johns-AssumedRoleSession", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/johns-AssumedRoleSession", "accountId": "111122223333", "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA1EXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "attributes": { "creationDate": "2023-01-19T16:53:14Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetOpenIdTokenForDeveloperIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "27.0.3.154", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-open-id-token-for-developer-identity", "requestParameters": { "tokenDuration": 900, "identityPoolId": "us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE", "logins": { "JohnsDeveloperProvider": "HIDDEN_DUE_TO_SECURITY_REASONS" } }, "responseElements": { "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "b807df87-57e7-4dd6-b90c-b06f46a61c21", "eventID": "f26fed91-3340-4d70-91ae-cdf555547b76", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" }

の CloudTrail イベントの例 UnlinkIdentity

次の例は、UnlinkIdentity アクションに対するリクエストのログエントリを示しています。

{ "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "UnlinkIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.unlink-identity", "requestParameters": { "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE", "loginsToRemove": ["cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa"] }, "responseElements": null, "requestID": "99c2c8e2-9c29-416f-bb17-b650a5cbada9", "eventID": "d8e26126-202a-43c2-b458-3f225efaedc7", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" }