Question

I have enabled CloudTrail using the AWS Management Console, and the Amazon S3 bucket policies are the default ones that are created automatically when enabling CloudTrail.

I can find logs about my log-in along with all other event logs, but there is no information about log-off. Is there something I need to do for it, or is it simply not there? Doesn't log-off classify as an event?

Edit 1

I am new to CloudTrail, and trying to understand what is possible and what is not. I have an IAM user which only has read-write access to one bucket and permission to list all buckets. When using it, I invoked aws ec2 describe-instances and I can see in the log that errorCode: "Client.UnauthorizedOperation", but when I do an aws s3 cp or aws s3 ls and it's a success, it is not logged. Here is the default bucket policy created.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20131101",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::MY_BUCKET"
        },
        {
            "Sid": "AWSCloudTrailWrite20131101",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MY_BUCKET/MY_PREFIX/AWSLogs/MY_ACCOUNT_ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

And where did so many Principals come from, and why? They aren't my accounts; they were created by AWS when I enabled CloudTrail. Are these AWS accounts that deliver logs to my bucket, and should they be there?

Edit 2

From typepad's post, logging for S3 is not yet there. And the log-in that I see is actually because of the AWS Security Token Service (STS) GetSessionToken call. In the case of a log-out from the console, it seems there is no call to STS, hence no resulting log.


Solution

As so often, AWS has listened to customer demand for greater visibility into when users sign in to the AWS Management Console and just announced that AWS CloudTrail Now Logs AWS Management Console Sign-In Events, thereby obsoleting the indirect method via GetSessionToken and replacing it with explicit and more detailed events:

Logging successful and unsuccessful console sign-in events for AWS IAM and federated users can help you with your compliance and security efforts. With this new feature, you get the following for both IAM and federated users:

  • Every successful sign-in.
  • Every unsuccessful sign-in attempt.
  • Verification of when multi-factor authentication (MFA) was enforced.
  • The IP address of every sign-in event.

Additionally, you can see a record of every time a root account successfully signs in. Finally, you can see when an IAM user has not signed in for a period of time, suggesting that you might be able to remove that IAM user.

Unfortunately, there's still no visibility into logout events, though.
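To show what a defender gets out of those sign-in events, here is an added example (not code from the answer, the question, or AWS) that summarises a trail into exactly the four facts the announcement lists: failed attempts, sign-ins without MFA, root sign-ins, and IAM users with no recent sign-in. The records are constructed; their field names (eventSource signin.amazonaws.com, eventName ConsoleLogin, responseElements.ConsoleLogin, additionalEventData.MFAUsed) are assumed from CloudTrail's documented ConsoleLogin format, and the stale-user window is a parameter, not something CloudTrail computes.

```python
from datetime import datetime, timedelta, timezone

def _parse(ts):
    """Parse a CloudTrail eventTime (UTC, e.g. 2014-07-01T09:00:00Z) into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _login(time, user_type, ip, result, mfa, user=None):
    """Build one constructed record in the assumed shape of a CloudTrail ConsoleLogin event."""
    ident = {"type": user_type, **({"userName": user} if user else {})}
    return {"eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": ident, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa}}

# Constructed sample trail (not records from the question): two IAM users, one root sign-in,
# and one ordinary API event of the kind the question mentions, which must be ignored here.
SAMPLE_RECORDS = [
    _login("2014-07-01T09:00:00Z", "IAMUser", "203.0.113.10", "Success", "Yes", user="alice"),
    _login("2014-07-01T09:05:00Z", "IAMUser", "198.51.100.7", "Failure", "No", user="bob"),
    _login("2014-07-01T09:06:00Z", "IAMUser", "198.51.100.7", "Success", "No", user="bob"),
    _login("2014-07-02T10:00:00Z", "Root", "198.51.100.7", "Success", "No"),
    {"eventTime": "2014-07-02T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": "Client.UnauthorizedOperation"},
]

def summarise_console_logins(records, now, stale_after_days=90, known_users=()):
    """Return failed sign-ins, successful sign-ins without MFA, root sign-ins, and IAM users with
    no successful sign-in in the last `stale_after_days` before `now` (an eventTime-style string)."""
    failed, no_mfa, root_logins, last_success = [], [], [], {}
    for r in records:
        if r.get("eventSource") != "signin.amazonaws.com" or r.get("eventName") != "ConsoleLogin":
            continue  # API calls such as DescribeInstances are not sign-in events
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type")  # root sign-ins carry no userName
        entry = (who, r.get("sourceIPAddress"), r["eventTime"])
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            failed.append(entry)
            continue
        if ident.get("type") == "Root":
            root_logins.append(entry)
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            no_mfa.append(entry)
        when = _parse(r["eventTime"])
        last_success[who] = max(when, last_success.get(who, when))
    cutoff = _parse(now) - timedelta(days=stale_after_days)
    stale = sorted(u for u in set(known_users) | set(last_success)
                   if u != "Root" and last_success.get(u, cutoff) <= cutoff)
    return {"failed": failed, "no_mfa": no_mfa, "root": root_logins, "stale_users": stale}
```

Pass the IAM user names from your account as `known_users` so that users who never signed in at all show up in `stale_users` rather than being invisible.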

Licensed under: CC-BY-SA with attribution