AWS Security ChangesHomeSearch

AWS singlesignon medium security documentation change

Service: singlesignon · 2025-07-19 · Security-related medium

File: singlesignon/latest/userguide/username-sign-in-cloudtrail-events.md

Summary

Added security masking for failed login attempts and updated recommendations for user identification in logs

Security assessment

Explicitly documents security measures to mask sensitive information in failed login attempts (showing 'HIDDEN_DUE_TO_SECURITY_REASONS') and provides guidance to use secure identifiers. This directly addresses potential information leakage risks in audit logs.

Diff

diff --git a/singlesignon/latest/userguide/username-sign-in-cloudtrail-events.md b/singlesignon/latest/userguide/username-sign-in-cloudtrail-events.md
index ef0e8ccc7..28b5f05e8 100644
--- a//singlesignon/latest/userguide/username-sign-in-cloudtrail-events.md
+++ b//singlesignon/latest/userguide/username-sign-in-cloudtrail-events.md
@@ -7 +7 @@
-IAM Identity Center emits the `UserName` field under the `additionalEventData` element once per successful sign-in of an IAM Identity Center user. The following list describes the two sign-in events in scope, and the conditions under which this can happen. Only one of the conditions can be true when a user is signing in.
+IAM Identity Center emits the `UserName` field under the `additionalEventData` element once per successful sign-in of an IAM Identity Center user. The following list describes the two sign-in events in scope, and the conditions under which these events happen. Only one of the conditions can be true when a user is signing in.
@@ -22 +22 @@ IAM Identity Center emits the `UserName` field under the `additionalEventData` e
-The value of `UserName` is as follows for successful authentications:
+The value of `UserName` for successful authentications is as follows :
@@ -33 +33 @@ The value of `UserName` is as follows for successful authentications:
-###### Note
+**Security masking of incorrect username attempts**
@@ -35 +35 @@ The value of `UserName` is as follows for successful authentications:
-We recommend you use `userId` and `identityStoreArn` for identifying the user behind IAM Identity Center CloudTrail events. If you need to use the `userName` field, we recommend you use the `userName` under the `additionalEventData` element, and avoid using the `userName` field under the `userIdentity` element. 
+The `UserName` field contains the string `HIDDEN_DUE_TO_SECURITY_REASONS` when the recorded event is a console sign-in failure caused by incorrect user name input. CloudTrail doesn't record the contents in this case because the text could contain sensitive information, as described in the following examples:
@@ -37 +37,12 @@ We recommend you use `userId` and `identityStoreArn` for identifying the user be
-For additional information on how you can use the `UserName` field, refer to [Correlating users between IAM Identity Center and external directories](./sso-cloudtrail-use-cases.html#correlating-users).
+  * A user accidentally types a password in the user name field.
+
+  * A user accidentally types the account name of a personal email account, a bank sign-in identifier, or some other private ID.
+
+
+
+
+###### Tip
+
+We recommend you use `userId` and `identityStoreArn` for identifying the user behind IAM Identity Center CloudTrail events. If you need to use the `userName` field, you can use the `userName` under the `additionalEventData` element that's emitted once per successful sign-in.
+
+For additional information on how you can use the `UserName` field, refer to [Correlating user events within the same user session](./sso-cloudtrail-use-cases.html#correlating-users).