CloudTrail 日志记录中支持的ACM API 操作 - AWS Certificate Manager
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

CloudTrail 日志记录中支持的ACM API 操作

ACM 支持在 CloudTrail 日志文件中将以下操作记录为事件:

每个事件或日志条目都包含有关生成请求的人员的信息。身份信息帮助您确定以下内容:

  • 请求是使用根用户凭证还是 AWS Identity and Access Management (IAM) 用户凭证发出的

  • 请求是使用角色还是联合身份用户的临时安全凭证发出的

  • 请求是否由其他 AWS 服务发出

有关更多信息,请参阅 CloudTrail userIdentity 元素

以下部分提供了支持的 API 操作的示例日志。

向证书添加标签 (AddTagsToCertificate)

以下 CloudTrail 示例显示调用 AddTagsToCertificate API 的结果。

{ Records: [{ eventVersion: "1.04", userIdentity: { type: "IAMUser", principalId: "AIDACKCEVSQ6C2EXAMPLE", arn: "arn:aws:iam::123456789012:user/Alice", accountId: "123456789012", accessKeyId: "AKIAIOSFODNN7EXAMPLE", userName: "Alice" }, eventTime: "2016-04-06T13:53:53Z", eventSource: "acm.amazonaws.com", eventName: "AddTagsToCertificate", awsRegion: "us-east-1", sourceIPAddress: "192.0.2.0", userAgent: "aws-cli/1.10.16", requestParameters: { tags: [{ value: "Alice", key: "Admin" }], certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, responseElements: null, requestID: "ffd7dd1b-fbfe-11e5-ba7b-5f4e988901f9", eventID: "4e7b10bb-7010-4e60-8376-0cac3bc860a5", eventType: "AwsApiCall", recipientAccountId: "123456789012" }] }

删除证书 (DeleteCertificate)

以下 CloudTrail 示例显示调用 DeleteCertificate API 的结果。

{ "Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-03-18T00:00:26Z", "eventSource": "acm.amazonaws.com", "eventName": "DeleteCertificate", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.9.15", "requestParameters": { "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, "responseElements": null, "requestID": "6b0f5bb9-ec9c-11e5-a28b-51e7e3169e0f", "eventID": "08f18f8a-a827-4924-b864-afaf98517793", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }] }

描述证书 (DescribeCertificate)

以下 CloudTrail 示例显示调用 DescribeCertificate API 的结果。

注意

DescribeCertificate 操作的 CloudTrail 日志不会显示有关您指定的 ACM 证书的信息。您可以使用控制台、AWS Command Line Interface 或 DescribeCertificate API 查看有关证书的信息。

{ "Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-03-18T00:00:42Z", "eventSource": "acm.amazonaws.com", "eventName": "DescribeCertificate", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.9.15", "requestParameters": { "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, "responseElements": null, "requestID": "74b91d83-ec9c-11e5-ac34-d1e4dfe1a11b", "eventID": "7779b6da-75c2-4994-b8c1-af3ad47b518a", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }] }

导出证书 (ExportCertificate)

以下 CloudTrail 示例显示调用 ExportCertificate API 的结果。

{ "Records": [{ "version": "0", "id": "12345678-1234-1234-1234-123456789012" "detail-type": "AWS API Call via CloudTrail", "source": "aws.acm", "account": "123456789012", "time": "2018-05-24T15:28:11Z", "region": "us-east-1", "resources": [], "detail": { "eventVersion": "1.04", "userIdentity": { "type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2018-05-24T15:28:11Z", "eventSource": "acm.amazonaws.com", "eventName": "ExportCertificate", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4", "requestParameters": { "passphrase": { "hb": [42, 42, 42, 42, 42, 42, 42, 42, 42, 42], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 10, "capacity": 10, "address": 0 }, "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, "responseElements": { "certificateChain": "-----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE-----\n" -----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE-----\n", "privateKey": "**********", "certificate": "-----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE-----\n" }, "requestID": "11802113-5f67-11e8-bc6b-d93a70b3bedf", "eventID": "5b66558e-27c5-43b0-9b3a-10f28c527453", "eventType": "AwsApiCall" } }]

导入证书 (ImportCertificate)

以下示例显示记录调用 ACM ImportCertificate API 操作的 CloudTrail 日志条目。

{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-10-04T16:01:30Z", "eventSource": "acm.amazonaws.com", "eventName": "ImportCertificate", "awsRegion": "ap-southeast-2", "sourceIPAddress": "54.240.193.129", "userAgent": "Coral/Netty", "requestParameters": { "privateKey": { "hb": [ byte, byte, byte, ... ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 1674, "capacity": 1674, "address": 0 }, "certificateChain": { "hb": [ byte, byte, byte, ... ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 2105, "capacity": 2105, "address": 0 }, "certificate": { "hb": [ byte, byte, byte, ... ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 2503, "capacity": 2503, "address": 0 } }, "responseElements": { "certificateArn": "arn:aws:acm:ap-southeast-2:111122223333:certificate/6ae06649-ea82-4b58-90ee-dc05870d7e99" }, "requestID": "cf1f3db7-8a4b-11e6-88c8-196af94bb7be", "eventID": "fb443118-bfaa-4c90-95c1-beef21e07f8e", "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }

列出证书 (ListCertificates)

以下 CloudTrail 示例显示调用 ListCertificates API 的结果。

注意

ListCertificates 操作的 CloudTrail 日志不会显示您的 ACM 证书。您可以使用控制台、AWS Command Line Interface 或 ListCertificates API 查看证书列表。

{ "Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-03-18T00:00:43Z", "eventSource": "acm.amazonaws.com", "eventName": "ListCertificates", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.9.15", "requestParameters": { "maxItems": 1000, "certificateStatuses": ["ISSUED"] }, "responseElements": null, "requestID": "74c99844-ec9c-11e5-ac34-d1e4dfe1a11b", "eventID": "cdfe1051-88aa-4aa3-8c33-a325270bff21", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }] }

列出证书的标签 (ListTagsForCertificate)

以下 CloudTrail 示例显示调用 ListTagsForCertificate API 的结果。

注意

CloudTrail 操作的 ListTagsForCertificate 日志不会显示您的标签。您可以使用控制台、AWS Command Line Interface 或 ListTagsForCertificate API 来查看标签列表。

{ Records: [{ eventVersion: "1.04", userIdentity: { type: "IAMUser", principalId: "AIDACKCEVSQ6C2EXAMPLE", arn: "arn:aws:iam::123456789012:user/Alice", accountId: "123456789012", accessKeyId: "AKIAIOSFODNN7EXAMPLE", userName: "Alice" }, eventTime: "2016-04-06T13:30:11Z", eventSource: "acm.amazonaws.com", eventName: "ListTagsForCertificate", awsRegion: "us-east-1", sourceIPAddress: "192.0.2.0", userAgent: "aws-cli/1.10.16", requestParameters: { certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, responseElements: null, requestID: "b010767f-fbfb-11e5-b596-79e9a97a2544", eventID: "32181be6-a4a0-48d3-8014-c0d972b5163b", eventType: "AwsApiCall", recipientAccountId: "123456789012" }] }

从证书中删除标签 (RemoveTagsFromCertificate)

以下 CloudTrail 示例显示调用 RemoveTagsFromCertificate API 的结果。

{ Records: [{ eventVersion: "1.04", userIdentity: { type: "IAMUser", principalId: "AIDACKCEVSQ6C2EXAMPLE", arn: "arn:aws:iam::123456789012:user/Alice", accountId: "123456789012", accessKeyId: "AKIAIOSFODNN7EXAMPLE", userName: "Alice" }, eventTime: "2016-04-06T14:10:01Z", eventSource: "acm.amazonaws.com", eventName: "RemoveTagsFromCertificate", awsRegion: "us-east-1", sourceIPAddress: "192.0.2.0", userAgent: "aws-cli/1.10.16", requestParameters: { certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012", tags: [{ value: "Bob", key: "Admin" }] }, responseElements: null, requestID: "40ded461-fc01-11e5-a747-85804766d6c9", eventID: "0cfa142e-ef74-4b21-9515-47197780c424", eventType: "AwsApiCall", recipientAccountId: "123456789012" }] }

请求证书 (RequestCertificate)

以下 CloudTrail 示例显示调用 RequestCertificate API 的结果。

{ "Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-03-18T00:00:49Z", "eventSource": "acm.amazonaws.com", "eventName": "RequestCertificate", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.9.15", "requestParameters": { "subjectAlternativeNames": ["example.net"], "domainName": "example.com", "domainValidationOptions": [{ "domainName": "example.com", "validationDomain": "example.com" }, { "domainName": "example.net", "validationDomain": "example.net" }], "idempotencyToken": "8186023d89681c3ad5" }, "responseElements": { "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, "requestID": "77dacef3-ec9c-11e5-ac34-d1e4dfe1a11b", "eventID": "a4954cdb-8f38-44c7-8927-a38ad4be3ac8", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }] }

重新发送验证电子邮件 (ResendValidationEmail)

以下 CloudTrail 示例显示调用 ResendValidationEmail API 的结果。

{ "Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-03-17T23:58:25Z", "eventSource": "acm.amazonaws.com", "eventName": "ResendValidationEmail", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.9.15", "requestParameters": { "domain": "example.com", "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012", "validationDomain": "example.com" }, "responseElements": null, "requestID": "23760b88-ec9c-11e5-b6f4-cb861a6f0a28", "eventID": "41c11b06-ca91-4c1c-8c61-af349ea8bab8", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }] }

检索证书 (GetCertificate)

以下 CloudTrail 示例显示调用 GetCertificate API 的结果。

{ "Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2016-03-18T00:00:41Z", "eventSource": "acm.amazonaws.com", "eventName": "GetCertificate", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.9.15", "requestParameters": { "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" }, "responseElements": { "certificateChain": "-----BEGIN CERTIFICATE----- Base64-encoded certificate chain -----END CERTIFICATE-----", "certificate": "-----BEGIN CERTIFICATE----- Base64-encoded certificate -----END CERTIFICATE-----" }, "requestID": "744dd891-ec9c-11e5-ac34-d1e4dfe1a11b", "eventID": "7aa4f909-00dd-478a-9a00-b2709bcad2bb", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }] }