Set up user access logging - Amazon WorkSpaces Secure Browser

Set up user access logging

You can set up user access logging to record the following user events:

  • Session start - Marks the beginning of a WorkSpaces Secure Browser session.

  • Session end - Marks the end of a WorkSpaces Secure Browser session.

  • URL navigation - Logs the URL that a user loads.

    Note

    URL navigation logs are recorded from the browser history. URLs not recorded in browser history (either visited in incognito mode, or deleted from browser history) are not recorded in logs. It is up to customers to determine whether to turn off incognito mode or history deletion with their browser policy.

In addition, the following information is included for each event:

  • Event time

  • Username

  • Web portal ARN

Customers are responsible for understanding the potential legal issues that arise with their use of WorkSpaces Secure Browser, and ensuring that their use of WorkSpaces Secure Browser complies with all applicable laws and regulations. These include laws that regulate an employer's ability to monitor an employee's use of WorkSpaces Secure Browser, including activities performed within the application.

Activating user access logs on your WorkSpaces Secure Browser portal might result in charges from Amazon Kinesis Data Streams. For more details on pricing, see Amazon Kinesis Data Streams pricing.

To activate user access logging in the WorkSpaces Secure Browser console, under User access logging, select the Kinesis Stream ID that you want to use to receive data. The data recorded will be delivered directly to that stream.

For more information about how to create an Amazon Kinesis Data Stream, see What Is Amazon Kinesis Data Streams?

Note

To receive logs from WorkSpaces Secure Browser, you must have an Amazon Kinesis Data Stream whose name starts with "amazon-workspaces-web-" (that is, it matches "amazon-workspaces-web-*"). Your Amazon Kinesis data stream must either have server-side encryption turned off, or must use AWS managed keys for server-side encryption.

For more information about setting server-side encryption in Amazon Kinesis, see How Do I Get Started with Server-Side Encryption?.

Sample logs

Below is an example of each available event, including Validation, StartSession, VisitPage, and EndSession.

The following fields are always included for each event:

  • timestamp is included as epoch time in milliseconds.

  • eventType is included as a string.

  • details is included as a nested JSON object.

  • portalArn and userName are included for every event except for Validation.

{
  "timestamp": "1665430373875",
  "eventType": "Validation",
  "details": {
    "permission": "Kinesis:PutRecord",
    "userArn": "userArn",
    "operation": "AssociateUserAccessLoggingSettings",
    "userAccessLoggingSettingsArn": "userAccessLoggingSettingsArn"
  }
}

{
  "timestamp": "1665179071723",
  "eventType": "StartSession",
  "details": {},
  "portalArn": "portalArn",
  "userName": "userName"
}

{
  "timestamp": "1665179084578",
  "eventType": "VisitPage",
  "details": {
    "title": "Amazon",
    "url": "https://www.amazon.com/"
  },
  "portalArn": "portalArn",
  "userName": "userName"
}

{
  "timestamp": "1665179155953",
  "eventType": "EndSession",
  "details": {},
  "portalArn": "portalArn",
  "userName": "userName"
}
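The following Python sketch is an added example, not part of the AWS documentation: it validates decoded record payloads against the field rules listed above and rebuilds per-user sessions for review. The helper names parse_event and build_sessions are hypothetical, the sample payloads are constructed from the sample logs, and keying sessions on (portalArn, userName) is an assumption, since the sample events carry no session identifier.

```python
import json

# Constructed payloads mirroring the sample logs (placeholder values, out of order).
_WHO = '"portalArn": "portalArn", "userName": "userName"}'
SAMPLE_RECORDS = [
    '{"timestamp": "1665430373875", "eventType": "Validation", "details": '
    '{"permission": "Kinesis:PutRecord", "userArn": "userArn"}}',
    '{"timestamp": "1665179155953", "eventType": "EndSession", "details": {}, ' + _WHO,
    '{"timestamp": "1665179071723", "eventType": "StartSession", "details": {}, ' + _WHO,
    '{"timestamp": "1665179084578", "eventType": "VisitPage", "details": '
    '{"title": "Amazon", "url": "https://www.amazon.com/"}, ' + _WHO,
]

def parse_event(raw):
    """Parse one record payload and enforce the fields listed as always present."""
    event = json.loads(raw)
    required = ["timestamp", "eventType", "details"]
    if event.get("eventType") != "Validation":
        required += ["portalArn", "userName"]  # absent only on Validation events
    missing = [f for f in required if f not in event]
    if missing or not isinstance(event["details"], dict):
        raise ValueError(f"malformed event, missing={missing}")
    event["timestamp"] = int(event["timestamp"])  # epoch milliseconds, sent as a string
    return event

def build_sessions(raw_records):
    """Rebuild sessions per (portalArn, userName), ordering by event timestamp
    rather than by arrival order."""
    events = sorted(map(parse_event, raw_records), key=lambda e: e["timestamp"])
    open_by_user, sessions = {}, []
    for e in events:
        if e["eventType"] == "Validation":
            continue  # not a user event: carries no portalArn or userName
        key = (e["portalArn"], e["userName"])
        if e["eventType"] == "StartSession" or key not in open_by_user:
            # start stays None when activity arrives without a StartSession
            start = e["timestamp"] if e["eventType"] == "StartSession" else None
            open_by_user[key] = {"user": e["userName"], "portal": e["portalArn"],
                                 "start": start, "end": None, "urls": []}
            sessions.append(open_by_user[key])
        if e["eventType"] == "VisitPage":
            open_by_user[key]["urls"].append(e["details"].get("url"))
        elif e["eventType"] == "EndSession":
            open_by_user.pop(key)["end"] = e["timestamp"]
    return sessions
```

An empty urls list does not show that nothing was browsed, because URLs absent from browser history are never logged.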