# Download and analyse authentication log events

## Downloading log events

We are going to analyse the log events of all users.

To perform this task you need AWS access keys for an identity that is allowed to read CloudTrail: the AWS CLI uses those keys to call the API on your behalf.

Run the following cell to write a script that downloads all InitiateAuth and RevokeToken CloudTrail events for the time interval defined in it. Note that `cloudtrail lookup-events` only covers the last 90 days of management events, so adjust the interval accordingly.

In [1]:
%%file download_auth_trails_all.sh
#!/bin/bash
# Pull Cognito InitiateAuth and RevokeToken events from CloudTrail for the window below.
# Requires AWS credentials in the environment or in ~/.aws/credentials.
set -euo pipefail

REGION="ap-southeast-2"
START="2025-05-01T00:00:00Z"
END="2025-05-22T23:59:59Z"

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=InitiateAuth \
  --start-time "$START" \
  --end-time "$END" \
  --region "$REGION" \
  --output json > auth_trails_all.json

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=RevokeToken \
  --start-time "$START" \
  --end-time "$END" \
  --region "$REGION" \
  --output json > revoke_token_trails_all.json

Writing download_auth_trails_all.sh


In [2]:
# Run the following command in a terminal where the AWS keys are available:
# bash download_auth_trails_all.sh

## Loading and printing the events


In [4]:
import json

# lookup-events returns a list of Events; each one carries the raw CloudTrail
# record as a JSON string in the "CloudTrailEvent" field.
with open("auth_trails_all.json", "r") as file:
    data = json.load(file)

for event in data["Events"]:
    cloudtrail_event = json.loads(event["CloudTrailEvent"])

    # Only password-based logins are of interest here; records without the
    # expected fields raise KeyError and are skipped.
    try:
        if cloudtrail_event["requestParameters"]["authFlow"] == "USER_PASSWORD_AUTH":
            print(f'User password auth attempted by user "{cloudtrail_event["additionalEventData"]["sub"]}" at {cloudtrail_event["eventTime"]}')
    except KeyError:
        pass


User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:53:31Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:53:06Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:52:09Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:51:10Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:35:11Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:20:47Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:20:44Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:20:40Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-21T23:50:50Z
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-21T13:14:12Z


In [6]:
import json

with open("auth_trails_all.json", "r") as file:
    data = json.load(file)

for event in data["Events"]:
    cloudtrail_event = json.loads(event["CloudTrailEvent"])

    try:
        if cloudtrail_event["requestParameters"]["authFlow"] == "USER_PASSWORD_AUTH":
            print(f'User password auth attempted by user "{cloudtrail_event["additionalEventData"]["sub"]}" at {cloudtrail_event["eventTime"]}')
            # "errorMessage" is only present on failed calls, so its absence
            # means the password was accepted.
            if error := cloudtrail_event.get("errorMessage"):
                print(f'\tError: {error}')
            else:
                print('\tSucceeded')
    except KeyError:
        pass


User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:53:31Z
	Succeeded
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:53:06Z
	Succeeded
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:52:09Z
	Succeeded
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:51:10Z
	Succeeded
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:35:11Z
	Succeeded
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:20:47Z
	Succeeded
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:20:44Z
	Error: Incorrect username or password.
User password auth attempted by user "f98e24c8-2011-70ae-9d93-084eb3f4b282" at 2025-05-22T01:20:40Z
	Error: Incorrect username or password.
User password auth attempted by user "f98e24c8-2011-70
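Printing each attempt is enough to eyeball a short list, but a detection rule is more useful once the pool grows. The following is an added example (not part of the original notebook) that parses the same `lookup-events` JSON shape and flags every successful password login that was preceded by repeated failures within a short window, the pattern visible in the output above. The sample events, user subs and thresholds are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _record(sub, time, error=None):
    """One lookup-events entry; the CloudTrail record itself is a JSON string."""
    body = {"eventTime": time, "eventName": "InitiateAuth",
            "requestParameters": {"authFlow": "USER_PASSWORD_AUTH"},
            "additionalEventData": {"sub": sub}}
    if error:
        body["errorMessage"] = error
    return {"CloudTrailEvent": json.dumps(body)}

# Constructed sample (not real log data), in the shape the CLI writes to auth_trails_all.json.
SAMPLE = {"Events": [
    _record("user-a", "2025-05-22T01:20:40Z", "Incorrect username or password."),
    _record("user-a", "2025-05-22T01:20:44Z", "Incorrect username or password."),
    _record("user-a", "2025-05-22T01:20:47Z"),  # success right after two failures
    _record("user-b", "2025-05-22T02:00:00Z"),  # clean login, must not be flagged
]}

def password_auth_attempts(data):
    """Yield (sub, time, errorMessage or None) for each USER_PASSWORD_AUTH event."""
    for event in data["Events"]:
        rec = json.loads(event["CloudTrailEvent"])
        if rec.get("requestParameters", {}).get("authFlow") != "USER_PASSWORD_AUTH":
            continue
        sub = rec.get("additionalEventData", {}).get("sub", "<unknown>")
        yield sub, datetime.strptime(rec["eventTime"], TIME_FMT), rec.get("errorMessage")

def failures_before_success(data, window=timedelta(minutes=10), min_failures=2):
    """Return {sub: [(failure_count, success_time), ...]} for every successful
    password login preceded by >= min_failures failures within `window`."""
    by_sub = defaultdict(list)
    for sub, when, err in password_auth_attempts(data):
        by_sub[sub].append((when, err))
    flagged = {}
    for sub, attempts in by_sub.items():
        streak = []  # failure timestamps since the last success; reset on success
        for when, err in sorted(attempts, key=lambda a: a[0]):
            if err is not None:
                streak.append(when)
                continue
            recent = [f for f in streak if when - f <= window]
            if len(recent) >= min_failures:
                flagged.setdefault(sub, []).append((len(recent), when.strftime(TIME_FMT)))
            streak = []
    return flagged
```

Point `failures_before_success` at `json.load(open("auth_trails_all.json"))` to run it over the downloaded events; the `sub` values it returns can be resolved to users with the `list-users` command shown later in this notebook.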

In [14]:
import json

with open("revoke_token_trails_all.json", "r") as file:
    data = json.load(file)

for event in data["Events"]:
    cloudtrail_event = json.loads(event["CloudTrailEvent"])

    # Every RevokeToken record of interest carries the user's sub; records
    # without it raise KeyError and are skipped.
    try:
        print(f'User "{cloudtrail_event["additionalEventData"]["sub"]}" had their refresh token revoked at {cloudtrail_event["eventTime"]}')
    except KeyError:
        pass


User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:53:34Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:53:09Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:52:20Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:51:15Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:35:14Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:35:02Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-22T01:20:29Z
User "f99e5408-00d1-70b5-e2aa-23d6b2a31c4f" had their refresh token revoked at 2025-05-02T06:18:43Z
User "f99e5408-00d1-70b5-e2aa-23d6b2a31c4f" had their refresh token revoked at 2025-05-02T03:15:12Z
User "f98e24c8-2011-70ae-9d93-084eb3f4b282" had their refresh token revoked at 2025-05-01T01:20:09Z


## How to get user details from the sub

In [None]:
# Run this command in a terminal where the AWS keys are available:
# aws cognito-idp list-users --user-pool-id ap-southeast-2_3ZrrcagIG --filter "sub = \"f98e24c8-2011-70ae-9d93-084eb3f4b282\"" --region ap-southeast-2

# Update the region and the user pool id as required. Example output:

# {
#     "Users": [
#         {
#             "Username": "admin@example.com",
#             "Attributes": [
#                 {
#                     "Name": "email",
#                     "Value": "admin@example.com"
#                 },
#                 {
#                     "Name": "email_verified",
#                     "Value": "true"
#                 },
#                 {
#                     "Name": "family_name",
#                     "Value": "Admin"
#                 },
#                 {
#                     "Name": "given_name",
#                     "Value": "Admin"
#                 },
#                 {
#                     "Name": "custom:terraform",
#                     "Value": "true"
#                 },
#                 {
#                     "Name": "custom:identity_id",
#                     "Value": "ap-southeast-2:099e873d-80b5-cb64-b9b4-0f64c663bd46"
#                 },
#                 {
#                     "Name": "sub",
#                     "Value": "f98e24c8-2011-70ae-9d93-084eb3f4b282"
#                 }
#             ],
#             "UserCreateDate": "2024-11-20T15:58:30.157000+10:30",
#             "UserLastModifiedDate": "2025-03-13T15:09:11.817000+10:30",
#             "Enabled": true,
#             "UserStatus": "CONFIRMED"
#         }
#     ]
# }