AWS workspaces documentation change
Summary
Updated documentation to expand CloudTrail sign-in event coverage from smart card-only to include password-based authentication for WorkSpaces Personal users. Added new examples for password authentication flows, updated event field descriptions, and clarified authentication method scopes.
Security assessment
The changes enhance documentation of authentication event logging but show no evidence of addressing a specific vulnerability. Updates reflect expanded logging capabilities (password + smart card) and provide clearer security visibility through improved event examples and field documentation. No CVE, vulnerability reference, or incident response language exists.
Diff
diff --git a/workspaces/latest/adminguide/signin-events.md b/workspaces/latest/adminguide/signin-events.md index c6209a8d8..b338115a7 100644 --- a//workspaces/latest/adminguide/signin-events.md +++ b//workspaces/latest/adminguide/signin-events.md @@ -9 +9 @@ Example events for AWS sign-in scenarios -# Understanding AWS sign-in events for smart card users +# Understanding AWS sign-in events for WorkSpaces Personal users @@ -11 +11,7 @@ Example events for AWS sign-in scenarios -AWS CloudTrail logs successful and unsuccessful sign-in events for smart card users. This includes sign-in events that are captured each time a user is prompted to solve a specific credential challenge or factor, as well as the status of that particular credential verification request. A user is signed in only after completing all required credential challenges, which results in a `UserAuthentication` event being logged. +AWS CloudTrail logs successful and unsuccessful sign-in events for WorkSpaces Personal users. These events are generated for all authentication methods supported by the WorkSpaces Personal user login flow, including password-based authentication and smart cards. Each event captures when a user is prompted to solve a specific credential challenge or factor, as well as the status of that particular credential verification request. A user is signed in only after completing all required credential challenges, which results in a `UserAuthentication` event being logged. + +###### Note + +Prior to the rollout of the new user login flow in late 2025 / early 2026, these CloudTrail events were only generated for smart card users. With the introduction of the new user login flow, these events are now recorded for all supported authentication types. The `CredentialType` field in each event identifies the authentication method used (for example, `PASSWORD` or `SMARTCARD`). + +These CloudTrail events are specific to the WorkSpaces Personal directory-based sign-in flow. Other authentication methods, such as SAML federation and TOTP-based MFA, are handled by IAM Sign-In and do not generate these WorkSpaces-specific events. For information about CloudTrail events from IAM Sign-In, see [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) in the _IAM User Guide_. @@ -17 +23 @@ Event name | Event purpose -`CredentialChallenge` | Notifies that AWS sign-in has requested that the user solve a specific credential challenge and specifies the `CredentialType` that is required (for example, SMARTCARD). +`CredentialChallenge` | Notifies that AWS sign-in has requested that the user solve a specific credential challenge and specifies the `CredentialType` that is required (for example, `PASSWORD` or `SMARTCARD`). @@ -26,2 +32,2 @@ Event name | Event purpose | Sign-in event applicability | Example values -`CredentialType` | Notifies that the user has attempted to solve a specific `CredentialChallenge` request and specifies whether that credential has succeeded or failed. | `CredentialChallenge`, `CredentialVerification`, `UserAuthentication` | CredentialType": "SMARTCARD" (possible values today: SMARTCARD) -`LoginTo` | Notifies that all authentication requirements that the user was challenged with have been successfully completed and that the user was successfully signed in. When users fail to successfully complete the required credential challenges, no `UserAuthentication` event is logged. | `UserAuthentication` | "LoginTo": "https://skylight.local“ +`CredentialType` | Specifies the type of credential used for the authentication attempt. | `CredentialChallenge`, `CredentialVerification`, `UserAuthentication` | "CredentialType": "PASSWORD" or "CredentialType": "SMARTCARD" (possible values: PASSWORD, SMARTCARD) +`LoginTo` | Notifies that all authentication requirements that the user was challenged with have been successfully completed and that the user was successfully signed in. When users fail to successfully complete the required credential challenges, no `UserAuthentication` event is logged. | `UserAuthentication` | "LoginTo": "https://clients.amazonaws.com/workspaces“ @@ -34,0 +41,2 @@ The following examples show the expected sequence of CloudTrail events for diffe + * Successful sign-in when authenticating with password + @@ -41,0 +50,122 @@ The following examples show the expected sequence of CloudTrail events for diffe +### Successful sign-in when authenticating with password + +The following sequence of events captures an example of a successful password-based sign-in through the WorkSpaces Personal user login flow. + +**CredentialChallenge** + + + + { + "eventVersion": "1.11", + "userIdentity": { + "type": "Unknown", + "principalId": "123456789012", + "arn": "", + "accountId": "123456789012", + "accessKeyId": "", + "userName": "exampleuser" + }, + "eventTime": "2026-04-14T23:56:26Z", + "eventSource": "signin.amazonaws.com", + "eventName": "CredentialChallenge", + "awsRegion": "us-east-1", + "sourceIPAddress": "198.51.100.1", + "userAgent": "Mozilla/5.0 ...", + "requestParameters": null, + "responseElements": null, + "additionalEventData": { + "AuthWorkflowID": "9de74b32-8362-4a01-a524-de21df59fd83", + "CredentialType": "PASSWORD" + }, + "requestID": "2da067db-b2ad-42de-bfb3-16ac48d08435", + "eventID": "01dc9ac8-2e6b-4ef7-9390-a76b3935620e", + "readOnly": false, + "eventType": "AwsServiceEvent", + "managementEvent": true, + "eventCategory": "Management", + "recipientAccountId": "123456789012", + "serviceEventDetails": { + "CredentialChallenge": "Success" + } + } + + +**Successful CredentialVerification** + + + + { + "eventVersion": "1.11", + "userIdentity": { + "type": "Unknown", + "principalId": "123456789012", + "arn": "", + "accountId": "123456789012", + "accessKeyId": "", + "userName": "exampleuser" + }, + "eventTime": "2026-04-14T23:56:29Z", + "eventSource": "signin.amazonaws.com", + "eventName": "CredentialVerification", + "awsRegion": "us-east-1", + "sourceIPAddress": "198.51.100.1", + "userAgent": "Mozilla/5.0 ...", + "requestParameters": null, + "responseElements": null, + "additionalEventData": { + "AuthWorkflowID": "9de74b32-8362-4a01-a524-de21df59fd83", + "CredentialType": "PASSWORD" + }, + "requestID": "3b178a74-4c5c-4fa8-8730-c2995e751f78", + "eventID": "2127ca9e-40d2-49bb-b6c4-fe07be79b2a5", + "readOnly": false, + "eventType": "AwsServiceEvent", + "managementEvent": true, + "eventCategory": "Management", + "recipientAccountId": "123456789012", + "serviceEventDetails": { + "CredentialVerification": "Success" + } + } + + +**Successful UserAuthentication** + + + + { + "eventVersion": "1.11", + "userIdentity": { + "type": "Unknown", + "principalId": "123456789012", + "arn": "", + "accountId": "123456789012", + "accessKeyId": "", + "userName": "exampleuser" + }, + "eventTime": "2026-04-14T23:56:29Z", + "eventSource": "signin.amazonaws.com", + "eventName": "UserAuthentication", + "awsRegion": "us-east-1", + "sourceIPAddress": "198.51.100.1", + "userAgent": "Mozilla/5.0 ...", + "requestParameters": null, + "responseElements": null, + "additionalEventData": { + "AuthWorkflowID": "9de74b32-8362-4a01-a524-de21df59fd83", + "LoginTo": "https://clients.amazonaws.com/workspaces", + "CredentialType": "PASSWORD" + }, + "requestID": "3b178a74-4c5c-4fa8-8730-c2995e751f78", + "eventID": "25616659-7efb-46dd-804e-305bed7db3ac", + "readOnly": false, + "eventType": "AwsServiceEvent", + "managementEvent": true, + "eventCategory": "Management", + "recipientAccountId": "123456789012", + "serviceEventDetails": { + "UserAuthentication": "Success" + } + } + + @@ -145 +275 @@ The following sequence of events captures an example of a successful smart card - "LoginTo": "https://skylight.local", + "LoginTo": "https://clients.amazonaws.com/workspaces",