I’m looking for a way to find out first and last login times for users that login using their email, and not through an IAM account.
For the latter, I can filter Cloudtrail events using this query:
SELECT
"username"
, "accountid"
, "min"("eventtime") "firstlogin"
, "max"("eventtime") "lastlogin"
FROM
(SELECT
"eventtime"
, "awsregion"
, "sourceipaddress"
, "concat"("split_part"("split_part"("resources"[1]."arn", ':', 6), '/', 2), '/', "useridentity"."username") "username"
, "resources"[1]."accountid" "accountid"
FROM
"admin-console"."cloudtrail_logs"
WHERE ("eventname" = 'AssumeRoleWithSAML')
GROUP BY 1, 2, 3, 4, 5)
GROUP BY 1, 2
This query only works for IAM accounts.
Are non-iam login attempts visible in Cloudtrail ? and can I thus do something similar for non IAM users?
Do I need to look somewhere else?