bcgov / ocp-sso

BCGov Single Sign-On KeyCloak
http://oidc.gov.bc.ca/
Apache License 2.0

Investigate Cognito Logging #383

Closed ConradBoydElliottGustafson closed 3 years ago

ConradBoydElliottGustafson commented 3 years ago

Answer some questions:

  1. What kind of data is available by default
  2. If we wanted audit data at the IDP level, could we get it?
  3. If we wanted audit data at the client app level, could we get it?
  4. How would we set up notifications?
  5. If an IDP interaction fails for some reason, would we be able to troubleshoot?
  6. Does it use CloudWatch? How much does it cost? (might have to ask the cloud pathfinder team)
jlangy commented 3 years ago

CloudWatch

Turning on auditing for a user pool under advanced security gives some default logging:

These CloudWatch events are nice to make widgets in the console for graphing and easy to set up email notifications.

CloudTrail

Cognito API events (e.g. creating a pool, deleting a pool) are logged into CloudTrail by default. Saved for 90 days but can be saved into an S3 bucket for longer life. More information here

Lambda

For more granular logging, Lambda functions can be set up, which support triggers like pre-authentication. See here for a full list of available triggers.

If logging with a pre-authentication trigger, you can see the identity provider used in the attempt, along with timestamp and user information. So generating an audit log of sign-in attempts and ID providers is possible.

There isn't a failed auth trigger though, only a post-auth (successful authentication) trigger. So auditing failed auth attempts could be tricky.
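As an added illustration of the pre-authentication audit approach described in the comment above (example code, not code from bcgov/ocp-sso or from AWS): a Lambda handler that flattens the trigger event into one structured log line per sign-in attempt, recording the identity provider and the calling client app. It assumes the event follows Cognito's documented trigger shape and that federated users carry an `identities` attribute holding a JSON-encoded list; the sample event at the bottom is constructed.

```python
import json
import logging
from datetime import datetime, timezone

logger = logging.getLogger("cognito-audit")
logger.setLevel(logging.INFO)


def identity_provider(user_attributes):
    """IdP name for a federated user, 'COGNITO' for native user-pool
    credentials. Assumption: 'identities' is a JSON-encoded list."""
    raw = user_attributes.get("identities")
    if not raw:
        return "COGNITO"
    try:
        identities = json.loads(raw)
    except (TypeError, ValueError):
        return "UNKNOWN"
    primary = [i for i in identities if i.get("primary")] or identities
    return primary[0].get("providerName", "UNKNOWN") if primary else "UNKNOWN"


def build_audit_record(event, now=None):
    """Flatten the trigger event into the fields worth keeping for audit."""
    now = now or datetime.now(timezone.utc)
    attrs = event.get("request", {}).get("userAttributes", {})
    return {
        "timestamp": now.isoformat(),
        "userPoolId": event.get("userPoolId"),
        # clientId identifies the client app (question 3 in the issue)
        "clientId": event.get("callerContext", {}).get("clientId"),
        "userName": event.get("userName"),
        "identityProvider": identity_provider(attrs),
    }


def lambda_handler(event, context):
    """Pre-authentication entry point: log the attempt (Lambda stdout goes
    to CloudWatch Logs) and return the event unchanged so sign-in proceeds."""
    logger.info(json.dumps(build_audit_record(event)))
    return event


# Constructed sample event (not a real capture) for a federated sign-in.
SAMPLE_EVENT = {
    "triggerSource": "PreAuthentication_Authentication",
    "userPoolId": "ca-central-1_EXAMPLE", "userName": "ExampleIdP_abc123",
    "callerContext": {"clientId": "example-client-id"},
    "request": {"userAttributes": {"identities": json.dumps(
        [{"userId": "abc123", "providerName": "ExampleIdP", "primary": True}])}},
    "response": {},
}
```

A native user-pool sign-in has no `identities` attribute, so the record reports `COGNITO` rather than an IdP name.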