ACM API actions supported in CloudTrail logging - Amazon Certificate Manager

ACM API actions supported in CloudTrail logging

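ACM supports logging the following actions as events in CloudTrail log files:

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with Amazon Web Services account root user or Amazon Identity and Access Management (IAM) user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another Amazon service.

For more information, see the CloudTrail userIdentity element.

The following sections provide example logs for the supported API operations.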

Adding tags to a certificate (AddTagsToCertificate)

The following CloudTrail example shows the results of a call to the AddTagsToCertificate API.

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-04-06T13:53:53Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "AddTagsToCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.10.16",
      "requestParameters": {
        "tags": [
          {
            "value": "Alice",
            "key": "Admin"
          }
        ],
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
      },
      "responseElements": null,
      "requestID": "fedcba98-7654-3210-fedc-ba9876543210",
      "eventID": "fedcba98-7654-3210-fedc-ba9876543210",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

Deleting a certificate (DeleteCertificate)

The following CloudTrail example shows the results of a call to the DeleteCertificate API.

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-03-18T00:00:26Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "DeleteCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.9.15",
      "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
      },
      "responseElements": null,
      "requestID": "01234567-89ab-cdef-0123-456789abcdef",
      "eventID": "01234567-89ab-cdef-0123-456789abcdef",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

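Describing a certificate (DescribeCertificate)

The following CloudTrail example shows the results of a call to the DescribeCertificate API.

Note

The CloudTrail log for the DescribeCertificate operation does not display information about the ACM certificate that you specify. You can view information about the certificate by using the console, the Amazon Command Line Interface, or the DescribeCertificate API.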

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-03-18T00:00:42Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "DescribeCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.9.15",
      "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
      },
      "responseElements": null,
      "requestID": "fedcba98-7654-3210-fedc-ba9876543210",
      "eventID": "fedcba98-7654-3210-fedc-ba9876543210",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

Exporting a certificate (ExportCertificate)

The following CloudTrail example shows the results of a call to the ExportCertificate API.

{
  "Records": [
    {
      "version": "0",
      "id": "01234567-89ab-cdef-0123-456789abcdef",
      "detail-type": "AWS API Call via CloudTrail",
      "source": "aws.acm",
      "account": "123456789012",
      "time": "2018-05-24T15:28:11Z",
      "region": "us-east-1",
      "resources": [],
      "detail": {
        "eventVersion": "1.04",
        "userIdentity": {
          "type": "Root",
          "principalId": "123456789012",
          "arn": "arn:aws:iam::123456789012:user/Alice",
          "accountId": "123456789012",
          "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
          "userName": "Alice"
        },
        "eventTime": "2018-05-24T15:28:11Z",
        "eventSource": "acm.amazonaws.com",
        "eventName": "ExportCertificate",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4",
        "requestParameters": {
          "passphrase": {
            "hb": [ 42, 42, 42, 42, 42, 42, 42, 42, 42, 42 ],
            "offset": 0,
            "isReadOnly": false,
            "bigEndian": true,
            "nativeByteOrder": false,
            "mark": -1,
            "position": 0,
            "limit": 10,
            "capacity": 10,
            "address": 0
          },
          "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
        },
        "responseElements": {
          "certificateChain": "-----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE-----",
          "privateKey": "**********",
          "certificate": "-----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE-----"
        },
        "requestID": "01234567-89ab-cdef-0123-456789abcdef",
        "eventID": "fedcba98-7654-3210-fedc-ba9876543210",
        "eventType": "AwsApiCall"
      }
    }
  ]
}

Importing a certificate (ImportCertificate)

The following example shows the CloudTrail log entry that records a call to the ACM ImportCertificate API operation.

{
  "eventVersion": "1.04",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice"
  },
  "eventTime": "2016-10-04T16:01:30Z",
  "eventSource": "acm.amazonaws.com",
  "eventName": "ImportCertificate",
  "awsRegion": "ap-southeast-2",
  "sourceIPAddress": "54.240.193.129",
  "userAgent": "Coral/Netty",
  "requestParameters": {
    "privateKey": {
      "hb": [ "byte", "byte", "byte", "..." ],
      "offset": 0,
      "isReadOnly": false,
      "bigEndian": true,
      "nativeByteOrder": false,
      "mark": -1,
      "position": 0,
      "limit": 1674,
      "capacity": 1674,
      "address": 0
    },
    "certificateChain": {
      "hb": [ "byte", "byte", "byte", "..." ],
      "offset": 0,
      "isReadOnly": false,
      "bigEndian": true,
      "nativeByteOrder": false,
      "mark": -1,
      "position": 0,
      "limit": 2105,
      "capacity": 2105,
      "address": 0
    },
    "certificate": {
      "hb": [ "byte", "byte", "byte", "..." ],
      "offset": 0,
      "isReadOnly": false,
      "bigEndian": true,
      "nativeByteOrder": false,
      "mark": -1,
      "position": 0,
      "limit": 2503,
      "capacity": 2503,
      "address": 0
    }
  },
  "responseElements": {
    "certificateArn": "arn:aws:acm:ap-southeast-2:111122223333:certificate/01234567-89ab-cdef-0123-456789abcdef"
  },
  "requestID": "01234567-89ab-cdef-0123-456789abcdef",
  "eventID": "01234567-89ab-cdef-0123-456789abcdef",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

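Listing certificates (ListCertificates)

The following CloudTrail example shows the results of a call to the ListCertificates API.

Note

The CloudTrail log for the ListCertificates operation does not display your ACM certificates. You can view the certificate list by using the console, the Amazon Command Line Interface, or the ListCertificates API.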

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-03-18T00:00:43Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "ListCertificates",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.9.15",
      "requestParameters": {
        "maxItems": 1000,
        "certificateStatuses": [ "ISSUED" ]
      },
      "responseElements": null,
      "requestID": "74c99844-ec9c-11e5-ac34-d1e4dfe1a11b",
      "eventID": "cdfe1051-88aa-4aa3-8c33-a325270bff21",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

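Listing tags for a certificate (ListTagsForCertificate)

The following CloudTrail example shows the results of a call to the ListTagsForCertificate API.

Note

The CloudTrail log for the ListTagsForCertificate operation does not display your tags. You can view the tag list by using the console, the Amazon Command Line Interface, or the ListTagsForCertificate API.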

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-04-06T13:30:11Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "ListTagsForCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.10.16",
      "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
      },
      "responseElements": null,
      "requestID": "b010767f-fbfb-11e5-b596-79e9a97a2544",
      "eventID": "32181be6-a4a0-48d3-8014-c0d972b5163b",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

Removing tags from a certificate (RemoveTagsFromCertificate)

The following CloudTrail example shows the results of a call to the RemoveTagsFromCertificate API.

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-04-06T14:10:01Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "RemoveTagsFromCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.10.16",
      "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
        "tags": [
          {
            "value": "Bob",
            "key": "Admin"
          }
        ]
      },
      "responseElements": null,
      "requestID": "40ded461-fc01-11e5-a747-85804766d6c9",
      "eventID": "0cfa142e-ef74-4b21-9515-47197780c424",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

Requesting a certificate (RequestCertificate)

The following CloudTrail example shows the results of a call to the RequestCertificate API.

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-03-18T00:00:49Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "RequestCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.9.15",
      "requestParameters": {
        "subjectAlternativeNames": [ "example.net" ],
        "domainName": "example.com",
        "domainValidationOptions": [
          {
            "domainName": "example.com",
            "validationDomain": "example.com"
          },
          {
            "domainName": "example.net",
            "validationDomain": "example.net"
          }
        ],
        "idempotencyToken": "8186023d89681c3ad5"
      },
      "responseElements": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
      },
      "requestID": "77dacef3-ec9c-11e5-ac34-d1e4dfe1a11b",
      "eventID": "a4954cdb-8f38-44c7-8927-a38ad4be3ac8",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

Resending validation email (ResendValidationEmail)

The following CloudTrail example shows the results of a call to the ResendValidationEmail API.

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-03-17T23:58:25Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "ResendValidationEmail",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.9.15",
      "requestParameters": {
        "domain": "example.com",
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
        "validationDomain": "example.com"
      },
      "responseElements": null,
      "requestID": "23760b88-ec9c-11e5-b6f4-cb861a6f0a28",
      "eventID": "41c11b06-ca91-4c1c-8c61-af349ea8bab8",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}

Retrieving a certificate (GetCertificate)

The following CloudTrail example shows the results of a call to the GetCertificate API.

{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
      },
      "eventTime": "2016-03-18T00:00:41Z",
      "eventSource": "acm.amazonaws.com",
      "eventName": "GetCertificate",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/1.9.15",
      "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
      },
      "responseElements": {
        "certificateChain": "-----BEGIN CERTIFICATE----- Base64-encoded certificate chain -----END CERTIFICATE-----",
        "certificate": "-----BEGIN CERTIFICATE----- Base64-encoded certificate -----END CERTIFICATE-----"
      },
      "requestID": "744dd891-ec9c-11e5-ac34-d1e4dfe1a11b",
      "eventID": "7aa4f909-00dd-478a-9a00-b2709bcad2bb",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}
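
The sample logs on this page arrive in three shapes (a Records array of events, a Records array whose items wrap the event in "detail", and a bare event), so a log consumer has to normalize them before it can answer the identity questions listed near the top of the page. The following Python is an added example, not code from the ACM documentation; the set of actions flagged for review, the finding format and the helper names are assumptions of the example.

```python
# Assumption: which ACM actions warrant review is a local policy choice of this example.
REVIEW_ACTIONS = {"ExportCertificate", "ImportCertificate", "DeleteCertificate"}
KINDS = {"Root": "root", "IAMUser": "iam-user", "AssumedRole": "temporary",
         "FederatedUser": "temporary", "AWSService": "aws-service"}

def iter_acm_events(doc):
    """Yield ACM events from the three shapes on this page: {"Records": [event]},
    {"Records": [{"detail": event}]} and a bare event object."""
    for item in doc.get("Records", [doc]):
        event = item.get("detail", item)
        if event.get("eventSource") == "acm.amazonaws.com":
            yield event

def caller_kind(identity):
    """Answer the page's identity questions from the userIdentity element."""
    kind = KINDS.get(identity.get("type"))
    # invokedBy is set when an AWS service made the request.
    return kind or ("aws-service" if identity.get("invokedBy") else "unknown")

def review(doc):
    """Return one finding per ACM event that matches a review rule."""
    findings = []
    for ev in iter_acm_events(doc):
        kind = caller_kind(ev.get("userIdentity", {}))
        reasons = []
        if ev.get("eventName") in REVIEW_ACTIONS:
            reasons.append("sensitive-action")
        if kind == "root":
            reasons.append("root-caller")
        if reasons:
            # ImportCertificate carries the ARN in responseElements, not the request.
            arn = ((ev.get("requestParameters") or {}).get("certificateArn")
                   or (ev.get("responseElements") or {}).get("certificateArn"))
            findings.append({"event": ev["eventName"], "caller": kind,
                             "certificate": arn, "reasons": reasons})
    return findings

# Constructed samples, trimmed to the shapes of the page's example logs.
ARN = "arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
def _ev(name, id_type, req=None, resp=None):
    return {"eventSource": "acm.amazonaws.com", "eventName": name,
            "userIdentity": {"type": id_type}, "requestParameters": req,
            "responseElements": resp}
PLAIN = {"Records": [_ev("DescribeCertificate", "IAMUser", {"certificateArn": ARN})]}
WRAPPED = {"Records": [{"source": "aws.acm",
                        "detail": _ev("ExportCertificate", "Root", {"certificateArn": ARN})}]}
BARE = _ev("ImportCertificate", "IAMUser", {"privateKey": {"hb": []}}, {"certificateArn": ARN})

if __name__ == "__main__":
    for doc in (PLAIN, WRAPPED, BARE):
        print(review(doc))
```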