Export user activity logs on Amazon Cognito


How you can export Cognito user activity logs to a log management system

Edward Sun
Amazon Employee
Published Aug 6, 2024
Last Modified Aug 7, 2024

Introduction

Organizations look to improve security postures and protect end users in their applications. Early detection of suspicious unauthorized activity can help you apply mitigation strategies to block malicious threat actors and help you establish intelligence for an overall security monitoring and detection program.
Cognito’s advanced security features generate a risk score, based on various factors including device and user information, that indicates how likely a sign-in request is to come from a compromised source. You can use the risk rating to configure adaptive authentication for each user’s authentication attempt. Cognito also captures user authentication logs and the risk score in CloudTrail.
Now, you can export these user authentication logs to an external log-management system like Amazon S3, Amazon Data Firehose, or CloudWatch Logs.

To set up user activity log export:

  1. Activate advanced security features.
  2. In the Advanced security tab, under Export user activity logs, select Edit.
  3. To enable log export, select Activate user activity log export.
  4. Select your desired Logging destination, and select the destination. Note that the logging destination must be in the same Region as your Cognito user pool.
  5. Choose Save changes.

Sample user authentication event export:

The sample user authentication event below shows the riskLevel as HIGH, flagged for ACCOUNT_TAKEOVER risk. You can also see the challenge that Cognito issued to the user and whether the user passed it.


Summary:

With the new user activity log export feature, you can export logs to your preferred destination, monitor the threat landscape around your application’s authentication process, and gain visibility into your application security landscape. You can further aggregate the user activity logs and use them as an additional security feed for your organization's threat detection and monitoring program. For example, a financial services customer can correlate unusual user authentication logs from Cognito with users' in-app transaction activities to build fraud detection capabilities.
Try out this new addition to Cognito's Advanced Security feature and share your feedback!
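
The correlation described in the summary can be sketched as follows. This is an added example, not code from the original post or from AWS: only `riskLevel` and `ACCOUNT_TAKEOVER` come from the post, while the other field names, the timestamp format, the transaction records and the 30-minute window are assumptions to check against the records your destination actually receives.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data. Only riskLevel and ACCOUNT_TAKEOVER appear in the post;
# all other field names are assumptions about the exported record layout.
AUTH_LOG = "\n".join([
    '{"message": {"userName": "alice", "creationDate": "2024-08-06T10:00:00+00:00", "riskLevel": "HIGH", "riskDecision": "ACCOUNT_TAKEOVER", "challenges": [{"challengeResponse": "Success"}]}}',
    '{"message": {"userName": "bob", "creationDate": "2024-08-06T10:05:00+00:00", "riskLevel": "HIGH", "riskDecision": "ACCOUNT_TAKEOVER", "challenges": [{"challengeResponse": "Failure"}]}}',
    '{"message": {"userName": "carol", "creationDate": "2024-08-06T10:07:00+00:00", "riskLevel": "LOW", "riskDecision": "PASS", "challenges": []}}',
    'truncated {"message": ',
])
TRANSACTIONS = [  # hypothetical in-app transaction records
    {"id": "t1", "user": "alice", "time": "2024-08-06T10:12:00+00:00", "amount": 4800},
    {"id": "t2", "user": "alice", "time": "2024-08-06T13:00:00+00:00", "amount": 20},
    {"id": "t3", "user": "carol", "time": "2024-08-06T10:08:00+00:00", "amount": 900},
]

def risky_signins(log_text):
    """Return HIGH-risk ACCOUNT_TAKEOVER sign-ins, skipping unparseable lines."""
    found = []
    for line in log_text.splitlines():
        try:
            msg = json.loads(line)["message"]
            if (msg.get("riskLevel"), msg.get("riskDecision")) != ("HIGH", "ACCOUNT_TAKEOVER"):
                continue
            answers = [c.get("challengeResponse") for c in msg.get("challenges", [])]
            found.append({
                "user": msg["userName"],
                "time": datetime.fromisoformat(msg["creationDate"]),
                # An empty challenge list is treated as "not passed".
                "challenge_passed": bool(answers) and all(a == "Success" for a in answers),
            })
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # partial or malformed delivery record
    return found

def correlate(signins, transactions, window=timedelta(minutes=30)):
    """Ids of transactions made within `window` after a risky sign-in whose
    challenge was passed, meaning the flagged session was actually established."""
    flagged = []
    for txn in transactions:
        when = datetime.fromisoformat(txn["time"])
        if any(s["challenge_passed"] and s["user"] == txn["user"]
               and timedelta(0) <= when - s["time"] <= window for s in signins):
            flagged.append(txn["id"])
    return flagged

if __name__ == "__main__":
    print(correlate(risky_signins(AUTH_LOG), TRANSACTIONS))
```

Sign-ins where the challenge failed are still returned by `risky_signins` with `challenge_passed` set to false, so they can feed a separate alert for blocked takeover attempts.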
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
