IAM Identity Center information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM Identity Center, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing events with CloudTrail event history.

For an ongoing record of events in your AWS account, including events for IAM Identity Center, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:

When CloudTrail logging is enabled in your AWS account, API calls made to IAM Identity Center actions are tracked in log files. IAM Identity Center records are written together with other AWS service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size.

The following IAM Identity Center CloudTrail operations are supported:

Console API operations	Public API operations
`AssociateDirectory`	`AttachManagedPolicyToPermissionSet`
`AssociateProfile`	`CreateAccountAssignment`
`BatchDeleteSession`	`CreateInstanceAccessControlAttributeConfiguration`
`BatchGetSession`	`CreatePermissionSet`
`CreateApplicationInstance`	`DeleteAccountAssignment`
`CreateApplicationInstanceCertificate`	`DeleteInlinePolicyFromPermissionSet`
`CreatePermissionSet`	`DeleteInstanceAccessControlAttributeConfiguration`
`CreateProfile`	`DeletePermissionSet`
`DeleteApplicationInstance`	`DescribeAccountAssignmentCreationStatus`
`DeleteApplicationInstanceCertificate`	`DescribeAccountAssignmentDeletionStatus`
`DeletePermissionsPolicy`	`DescribeInstanceAccessControlAttributeConfiguration`
`DeletePermissionSet`	`DescribePermissionSet`
`DeleteProfile`	`DescribePermissionSetProvisioningStatus`
`DescribePermissionsPolicies`	`DetachManagedPolicyFromPermissionSet`
`DisassociateDirectory`	`GetInlinePolicyForPermissionSet`
`DisassociateProfile`	`ListAccountAssignmentCreationStatus`
`GetApplicationInstance`	`ListAccountAssignmentDeletionStatus`
`GetApplicationTemplate`	`ListAccountAssignments`
`GetMfaDeviceManagementForDirectory`	`ListAccountsForProvisionedPermissionSet`
`GetPermissionSet`	`ListInstances`
`GetSSOStatus`	`ListManagedPoliciesInPermissionSet`
`ImportApplicationInstanceServiceProviderMetadata`	`ListPermissionSetProvisioningStatus`
`ListApplicationInstances`	`ListPermissionSets`
`ListApplicationInstanceCertificates`	`ListPermissionSetsProvisionedToAccount`
`ListApplicationTemplates`	`ListTagsForResource`
`ListDirectoryAssociations`	`ProvisionPermissionSet`
`ListPermissionSets`	`PutInlinePolicyToPermissionSet`
`ListProfileAssociations`	`TagResource`
`ListProfiles`	`UntagResource`
`ListSessions`	`UpdateInstanceAccessControlAttributeConfiguration`
`PutMfaDeviceManagementForDirectory`	`UpdatePermissionSet`
`PutPermissionsPolicy`
`StartSSO`
`UpdateApplicationInstanceActiveCertificate`
`UpdateApplicationInstanceDisplayData`
`UpdateApplicationInstanceServiceProviderConfiguration`
`UpdateApplicationInstanceStatus`
`UpdateApplicationInstanceResponseConfiguration`
`UpdateApplicationInstanceResponseSchemaConfiguration`
`UpdateApplicationInstanceSecurityConfiguration`
`UpdateDirectoryAssociation`
`UpdateProfile`

For more information about IAM Identity Center’s public API operations, see the IAM Identity Center API Reference Guide.

The following IAM Identity Center Identity Store CloudTrail operations are supported:

AddMemberToGroup
CompleteVirtualMfaDeviceRegistration
CompleteWebAuthnDeviceRegistration
CreateAlias
CreateExternalIdPConfigurationForDirectory
CreateGroup
CreateUser
DeleteExternalIdPConfigurationForDirectory
DeleteGroup
DeleteMfaDeviceForUser
DeleteUser
DescribeDirectory
DescribeGroups
DescribeUsers
DisableExternalIdPConfigurationForDirectory
DisableUser
EnableExternalIdPConfigurationForDirectory
EnableUser
GetAWSSPConfigurationForDirectory
ListExternalIdPConfigurationsForDirectory
ListGroupsForUser
ListMembersInGroup
ListMfaDevicesForUser
PutMfaDeviceManagementForDirectory
RemoveMemberFromGroup
SearchGroups
SearchUsers
StartVirtualMfaDeviceRegistration
StartWebAuthnDeviceRegistration
UpdateExternalIdPConfigurationForDirectory
UpdateGroup
UpdateMfaDeviceForUser
UpdatePassword
UpdateUser
VerifyEmail

The following IAM Identity Center OIDC CloudTrail action is supported:

CreateToken

The following IAM Identity Center Portal CloudTrail actions are supported:

Authenticate
Federate
ListApplications
ListProfilesForApplication
ListAccounts
ListAccountRoles
GetRoleCredentials
Logout

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

Whether the request was made with root user or AWS Identity and Access Management (IAM) user credentials.
Whether the request was made with temporary security credentials for a role or federated user.
Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity element.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Logging IAM Identity Center API calls with AWS CloudTrail

Understanding CloudTrail log file entries for IAM Identity Center