In response to user feedback, we have revised the effective date for the changes previously announced from January 13, 2025, to July 14, 2025. It’s important to clarify that these updates specifically pertain to IAM Identity Center CloudTrail events.
To enhance user identification within CloudTrail events for IAM Identity Center, we are streamlining the information captured, focusing solely on essential fields needed for audit and incident response workflows. This initiative is designed to address customer concerns and improve the correlation of users in the IAM Identity Center directory with external directory services like Okta Universal Directory and Microsoft Active Directory. Notably, these updates will not impact CloudTrail events of other AWS services.
Starting July 14, 2025, IAM Identity Center will cease to emit the userName and principalId fields within the user identity element of CloudTrail events. This includes events triggered when users log into IAM Identity Center, access the AWS portal, or utilize the AWS CLI. Instead, IAM Identity Center will provide userId and identityStoreArn fields to replace the previous userName and principalId fields, thereby simplifying user identification. Furthermore, the identity type for IAM Identity Center CloudTrail events will be specified as IdentityCenterUser rather than Unknown, ensuring clearer user identification. Additionally, when creating or updating a group, IAM Identity Center will no longer include a group’s displayName value in CloudTrail events; however, attributes such as displayName can still be accessed via the Identity Store DescribeGroup API operation for authorized workflows.
We strongly encourage you to update your workflows that involve the userName, principalId, userIdentity type, or group displayName fields in CloudTrail events for IAM Identity Center before the July 14, 2025, deadline. This blog post offers guidance for these necessary updates.
Preparing Workflows for Changes in IAM Identity Center User Identification in CloudTrail
In an effort to simplify user identification, IAM Identity Center is making significant alterations to the user identity element within its CloudTrail events. These changes will allow you to update your workflows to associate CloudTrail events with specific users, correlate users with their external directories, and monitor user activity across sessions. A sample CloudTrail event reflecting the updated user identity element can be found at the end of this section.
IAM Identity Center will modify the userIdentity type for CloudTrail events that are generated during user sign-ins, AWS portal usage, and AWS CLI access. For authenticated users, the userIdentity type will transition from Unknown to IdentityCenterUser. For unauthenticated users, the userIdentity type will remain Unknown. We recommend updating your workflows to accommodate both values.
To identify the user associated with a CloudTrail event, IAM Identity Center will now emit userId and identityStoreArn fields to replace the userName and principalId fields. The userId serves as a unique, immutable identifier assigned to each user in the Identity Store, which is referenced by the identityStoreArn. These new fields significantly enhance user identification and action tracking in CloudTrail and will be included in entries where the userIdentity type is IdentityCenterUser. For more details about the user identity element, including the new fields and instructions to retrieve user attributes using the user ID and Identity Store ARN, refer to the Identifying the user and session in IAM Identity Center user-initiated CloudTrail events section of the IAM Identity Center User Guide.
Among other user attributes, you can utilize the describe-user CLI command to gain access to the external ID linked to a user within the Identity Store. This external ID can be used to connect Identity Store users with their external directories. For example, if you are working with Microsoft Active Directory or Okta Universal Directory, this information will be invaluable.
Note: IAM Identity Center does not emit an external ID in CloudTrail. Access to the Identity Store is necessary to retrieve an external ID based on the userId and identityStoreArn fields in CloudTrail.
If you have access to CloudTrail events but not the Identity Store, the UserName field within the additionalEventData element can still be used to associate users with their external directories. This field reflects the username used by the user during authentication or federation when accessing IAM Identity Center. For additional information, see the Correlating users between IAM Identity Center and external directories section of the IAM Identity Center User Guide.
Important Notes:
- When the identity source is the AWS Directory Service, the UserName value recorded in the additionalEventData element will match the username entered during authentication. For instance, a user with the username anyuser@company.com can log in using anyuser, anyuser@company.com, or company.com\anyuser, and the respective value will be emitted in CloudTrail based on what they entered.
- In cases of sign-in failures due to incorrect username input, IAM Identity Center will log the UserName field in its CloudTrail event as HIDDEN_DUE_TO_SECURITY_REASONS. This is to protect potentially sensitive information that could be included in the username.
- To monitor user activity within the same session, IAM Identity Center will also emit the credentialId field in CloudTrail events for user actions taken in the AWS access portal or via the AWS CLI. The credentialId contains the AWS access portal session ID for a user, aiding in tracking user actions throughout their session.
The following example shows a CloudTrail event and the fields (the type, userName, and principalId entries of the userIdentity element) that will be modified on July 14, 2025. IAM Identity Center has recently begun emitting userId, identityStoreArn, credentialId, and UserName in the additional event data for its CloudTrail events; thus, this example considers them as existing fields.
Before the upcoming changes:
{
  "eventName": "CredentialChallenge",
  "eventSource": "signin.amazonaws.com",
  "userIdentity": {
    "type": "Unknown",
    "userName": "anyuser",
    "accountId": "123456789012",
    "principalId": "123456789012",
    "onBehalfOf": {
      "userId": "a11111-1111-1111-11a1-111aa111aa11",
      "identityStoreArn": "arn:aws:identitystore::111111111:identitystore/d-111111a1a"
    },
    "credentialId": "1111a111111111a1a11111a1a[…]"
  },
  "additionalEventData": {
    "CredentialType": "PASSWORD",
    "UserName": "anyuser"
  }
}
After the upcoming changes:
{
  "eventName": "CredentialChallenge",
  "eventSource": "signin.amazonaws.com",
  "userIdentity": {
    "type": "IdentityCenterUser",
    "accountId": "123456789012",
    "onBehalfOf": {
      "userId": "a11111-1111-1111-11a1-111aa111aa11",
      "identityStoreArn": "arn:aws:identitystore::111111111:identitystore/d-111111a1a"
    },
    "credentialId": "1111a111111111a1a11111a1a[…]"
  },
  "additionalEventData": {
    "CredentialType": "PASSWORD",
    "UserName": "anyuser"
  }
}
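The following is an added example (not AWS's code) of a parser that handles both the pre- and post-July 14, 2025 layouts shown above: it keys users on userId plus the Identity Store ID parsed from identityStoreArn instead of the retired userName and principalId fields, accepts both Unknown and IdentityCenterUser as the userIdentity type, treats a HIDDEN_DUE_TO_SECURITY_REASONS UserName as unavailable, and keeps credentialId for session correlation. The external_ids function is an assumed helper that calls the Identity Store DescribeUser API (the same data as the describe-user CLI command) and needs Identity Store access.

```python
import re
from dataclasses import dataclass
from typing import Optional

HIDDEN_USERNAME = "HIDDEN_DUE_TO_SECURITY_REASONS"
IDENTIFIED_TYPES = {"IdentityCenterUser", "Unknown"}  # new and legacy type values

@dataclass(frozen=True)
class IdcActor:
    user_id: Optional[str]            # immutable Identity Store user ID
    identity_store_id: Optional[str]  # "d-..." parsed from identityStoreArn
    portal_username: Optional[str]    # additionalEventData.UserName, None if hidden
    session_id: Optional[str]         # credentialId = AWS access portal session ID

    def key(self) -> Optional[tuple]:
        """Stable correlation key that does not depend on the retired userName."""
        if self.user_id and self.identity_store_id:
            return (self.identity_store_id, self.user_id)
        return None  # unauthenticated / pre-login event: no Identity Store user

def identity_store_id_from_arn(arn: Optional[str]) -> Optional[str]:
    # e.g. arn:aws:identitystore::111111111:identitystore/d-111111a1a -> d-111111a1a
    m = re.match(r"^arn:aws:identitystore::\d*:identitystore/([^/]+)$", arn or "")
    return m.group(1) if m else None

def parse_idc_event(event: dict) -> IdcActor:
    """Extract the acting user from an IAM Identity Center CloudTrail event,
    accepting both the pre- and post-July-14-2025 userIdentity layouts."""
    ui = event.get("userIdentity") or {}
    if ui.get("type") not in IDENTIFIED_TYPES:
        raise ValueError(f"not an IAM Identity Center user event: {ui.get('type')!r}")
    obo = ui.get("onBehalfOf") or {}
    add = event.get("additionalEventData") or {}
    username = add.get("UserName")
    if username == HIDDEN_USERNAME:  # failed sign-in with a mistyped username
        username = None
    return IdcActor(
        user_id=obo.get("userId"),
        identity_store_id=identity_store_id_from_arn(obo.get("identityStoreArn")),
        portal_username=username,
        session_id=ui.get("credentialId"),
    )

def external_ids(actor: IdcActor) -> list:
    """Assumed helper: resolve Okta/AD external IDs via Identity Store DescribeUser.
    boto3 is imported lazily so the parser above runs without AWS access."""
    import boto3  # assumption: credentials allowing identitystore:DescribeUser
    resp = boto3.client("identitystore").describe_user(
        IdentityStoreId=actor.identity_store_id, UserId=actor.user_id)
    return resp.get("ExternalIds", [])
```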
Preparing Workflows for Changes to IAM Identity Center Group Management Events in CloudTrail
As you adjust your workflows, it’s crucial to keep in mind the potential impact of these modifications. For those interested in further exploring these topics, Amazon has an excellent resource available here.