AWS IAM Identity Center helps you securely create or connect your identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.
IAM Identity Center has no built-in lockout or notification for failed sign-in attempts, so this post describes how to build an alert pipeline that notifies you when failed sign-ins occur, and what those events look like.
Config Procedure:
- Create a CloudTrail trail in the AWS account where IAM Identity Center is enabled
- Enable CloudWatch Logs delivery for the trail (create a CloudWatch Logs log group) and set an S3 bucket as the storage location
- Create a CloudWatch Logs metric filter on that log group
- Create an SNS topic and subscription, and point a CloudWatch alarm at it to send notifications
Creating the CloudTrail trail:
Sign-in event as recorded in CloudTrail (a failed sign-in has eventSource "signin.amazonaws.com", eventName "CredentialVerification" and serviceEventDetails.CredentialVerification set to "Failure"):
Create CloudWatch Metric Filter:
Go to the CloudWatch log group that the trail writes to and create a metric filter; its pattern decides which log events count toward the metric that the alarm evaluates.
Add the pattern below (it selects IAM Identity Center sign-in events whose credential verification failed):
```
{ $.eventSource = "signin.amazonaws.com" && $.serviceEventDetails.CredentialVerification = "Failure" }
```
After entering the pattern, test it against recent log data from the log group before saving: a failed sign-in event should match and a successful one should not.
Now give the metric a name and namespace and set the metric value to 1, so that each matching event adds 1 to the metric; set the default value to 0 so that periods with no failed sign-ins publish a datapoint instead of missing data.
Save the changes to create the metric filter; next, create a CloudWatch alarm on the new metric.
In the alarm, select the metric, use the Sum statistic over a period (for example 5 minutes) and set the threshold on the number of failed sign-in attempts as shown below.
Set the conditions **per your requirements** (for example Sum >= 3 within 5 minutes; if the metric filter has no default value, treat missing data as not breaching so the alarm does not flip to INSUFFICIENT_DATA) and press **"Next"**.
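To make the filter pattern and the alarm threshold concrete, here is an added Python example (not code from the original post or from AWS). It applies the same selection as the metric filter pattern above to constructed CloudTrail records and evaluates a Sum-over-period threshold the way the alarm does. The sample events, user names and timestamps are made up for the example; the field names follow the pattern on this page.

```python
import json
from collections import Counter
from datetime import datetime

PERIOD_SECONDS = 300  # alarm period of 5 minutes, as in the example above


def _signin_event(user, when, outcome):
    """Build a constructed CloudTrail sign-in record (real events carry many more fields)."""
    return json.dumps({
        "eventSource": "signin.amazonaws.com",
        "eventName": "CredentialVerification",
        "eventTime": when,
        "userIdentity": {"type": "Unknown", "userName": user},
        "serviceEventDetails": {"CredentialType": "PASSWORD",
                                "CredentialVerification": outcome},
    })


# Constructed sample log lines: three failures for "alice" inside one 5-minute
# window, one success, one unrelated Identity Center API call, one later failure for "bob".
SAMPLE_LOG_LINES = [
    _signin_event("alice", "2024-01-01T10:00:05Z", "Failure"),
    _signin_event("alice", "2024-01-01T10:00:40Z", "Failure"),
    _signin_event("alice", "2024-01-01T10:01:10Z", "Failure"),
    _signin_event("alice", "2024-01-01T10:01:30Z", "Success"),
    json.dumps({"eventSource": "sso.amazonaws.com", "eventName": "ListInstances",
                "eventTime": "2024-01-01T10:02:00Z",
                "userIdentity": {"type": "Unknown", "userName": "alice"}}),
    _signin_event("bob", "2024-01-01T10:30:00Z", "Failure"),
]


def matches_failed_signin(event):
    """Same selection as the metric filter pattern:
    { $.eventSource = "signin.amazonaws.com" && $.serviceEventDetails.CredentialVerification = "Failure" }
    A missing serviceEventDetails block never matches (mirrors the JSON filter semantics)."""
    details = event.get("serviceEventDetails") or {}
    return (event.get("eventSource") == "signin.amazonaws.com"
            and details.get("CredentialVerification") == "Failure")


def failed_signins(log_lines):
    """Parse JSON log lines and keep only the events the metric filter would count."""
    return [ev for ev in map(json.loads, log_lines) if matches_failed_signin(ev)]


def evaluate_alarm(log_lines, threshold=3, period_seconds=PERIOD_SECONDS):
    """Bucket matching events into fixed periods (metric value 1 per event, statistic Sum)
    and return ("ALARM" | "OK", {period_start_epoch: count}) as an alarm with
    comparison >= threshold over one evaluation period would."""
    counts = Counter()
    for ev in failed_signins(log_lines):
        # CloudTrail eventTime is UTC with a trailing "Z"; make it parseable on Python < 3.11.
        t = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        bucket = int(t.timestamp()) // period_seconds * period_seconds
        counts[bucket] += 1
    state = "ALARM" if any(c >= threshold for c in counts.values()) else "OK"
    return state, dict(counts)


def failures_by_user(log_lines):
    """The alarm email does not say who was targeted; this is what a follow-up
    query over the log group would tell you."""
    return dict(Counter(ev["userIdentity"].get("userName", "unknown")
                        for ev in failed_signins(log_lines)))


if __name__ == "__main__":
    state, per_period = evaluate_alarm(SAMPLE_LOG_LINES, threshold=3)
    print(state, per_period)              # ALARM {1704103200: 3, 1704105000: 1}
    print(failures_by_user(SAMPLE_LOG_LINES))  # {'alice': 3, 'bob': 1}
```

Note that the CloudWatch alarm notification only reports that the threshold was crossed; the metric filter cannot carry the user name into the alarm. To see which account was being targeted, run a Logs Insights query on the same log group filtering on the same two fields, as `failures_by_user` does over the sample lines here.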
Now it's time to set the notification action with SNS.
Before that, create an **SNS** topic with an email subscription so that the alert is delivered to your mailbox.
How to create the SNS topic:
- Create an SNS topic with an email subscription
- First create a topic of the **standard** type. Give it a name and description.
- After creating the topic, open it.
- Create a subscription with protocol "Email" and set the *endpoint* to the email address that should receive the alert. Confirm the subscription from the confirmation email that SNS sends; until it is confirmed, no alerts are delivered.
With the alarm's action pointed at this topic, you will get an alert email like the one below whenever the number of failed sign-in attempts crosses the threshold.