Why is the userIdentity.sessionContext field missing from AwsConsoleAction entries in CloudTrail?

0

We are processing CloudTrail logs to check and highlight actions not protected by MFA.

When someone signs in as Root all the events with eventType AwsApiCall have sessionContext populated. For events of type AwsConsoleAction it is missing. Can we get the context and MFA state somehow?

(ConsoleAction events do have tlsDetails which is missing for AwsApiCall)

Topics

Management & Governance

Tags

AWS Management Console AWS CloudTrail

Language

English

asked 6 months ago67 views

No Answers

Newest
Most votes
Most comments

Relevant content

Why does cloudtrail not include AccessDeniedExceptions for KMS actions?
rePost-User-7469975
asked 2 years ago
Missing cloudtrail log events
Shantanu Oak
asked 2 years ago
S3 HeadBucket AccessDenied Events from AWS Config are logged by CloudTrail
THeyer
asked 5 years ago
Finding Specific Actions in CloudTrail
rePost-User-4475545
asked a year ago
Why can't I find the user name that created an EBS volume by searching CloudTrail events logs?
AWS OFFICIALUpdated 2 years ago
Why are Lambda@Edge CloudTrail logs not being delivered?
AWS OFFICIALUpdated 2 years ago
What are the differences between data events and management events in CloudTrail?
AWS OFFICIALUpdated 2 years ago
Why aren't Amazon S3 object-level API actions appearing in my CloudTrail Event history?
AWS OFFICIALUpdated 2 years ago
A Guide to Understanding and Streamlining the DMCA Process
EXPERT
Ben Lee
published 4 months ago
How to customize audit logs in OpenSearch to see which queries were run by users?
EXPERT
Cathy W
published 2 months ago