记录集成服务的API呼叫 - Amazon 证书 Manager
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

记录集成服务的API呼叫

您可以使用审核 CloudTrail 与集成的服务发出的API呼叫ACM。有关使用的更多信息 CloudTrail,请参阅《Amazon CloudTrail 用户指南》。以下示例显示了可以生成的日志类型,具体取决于您配置ACM证书所依据的 Amazon 资源。

您可以使用审核 CloudTrail 与集成的服务发出的API呼叫ACM。有关使用的更多信息 CloudTrail,请参阅《Amazon CloudTrail 用户指南》。以下示例显示了可以生成的日志类型,具体取决于您配置ACM证书所依据的 Amazon 资源。

以下示例显示了名为 Alice 的IAM用户对该CreateLoadBalancer函数的调用。负载均衡器的名称为TestLinuxDefault,监听器是使用ACM证书创建的。

{ "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/Alice", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"Alice" }, "eventTime":"2016-01-01T21:10:36Z", "eventSource":"elasticloadbalancing.amazonaws.com", "eventName":"CreateLoadBalancer", "awsRegion":"us-east-1", "sourceIPAddress":"192.0.2.0/24", "userAgent":"aws-cli/1.9.15", "requestParameters":{ "availabilityZones":[ "us-east-1b" ], "loadBalancerName":"LinuxTest", "listeners":[ { "sSLCertificateId":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012", "protocol":"HTTPS", "loadBalancerPort":443, "instanceProtocol":"HTTP", "instancePort":80 } ] }, "responseElements":{ "dNSName":"LinuxTest-1234567890.us-east-1.elb.amazonaws.com" }, "requestID":"19669c3b-b0cc-11e5-85b2-57397210a2e5", "eventID":"5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7", "eventType":"AwsApiCall", "recipientAccountId":"111122223333" }

当您在亚马逊弹性计算云 (AmazonEC2) 实例上配置网站或应用程序时,必须让负载均衡器知道该实例。这可以通过 Elastic Load Balancing 控制台或 Amazon Command Line Interface来完成。以下示例显示了对 Amazon 账户 123456789012 LinuxTest 上名RegisterInstancesWithLoadBalancer为的负载均衡器的调用。

{ "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::123456789012:user/ALice", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"Alice", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2016-01-01T19:35:52Z" } }, "invokedBy":"signin.amazonaws.com" }, "eventTime":"2016-01-01T21:11:45Z", "eventSource":"elasticloadbalancing.amazonaws.com", "eventName":"RegisterInstancesWithLoadBalancer", "awsRegion":"us-east-1", "sourceIPAddress":"192.0.2.0/24", "userAgent":"signin.amazonaws.com", "requestParameters":{ "loadBalancerName":"LinuxTest", "instances":[ { "instanceId":"i-c67f4e78" } ] }, "responseElements":{ "instances":[ { "instanceId":"i-c67f4e78" } ] }, "requestID":"438b07dc-b0cc-11e5-8afb-cda7ba020551", "eventID":"9f284ca6-cbe5-42a1-8251-4f0e6b5739d6", "eventType":"AwsApiCall", "recipientAccountId":"123456789012" }

以下示例显示了对与ACM证书关联的私钥进行加密的Encrypt调用。加密是在 Amazon中执行。

{ "Records":[ { "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/acm", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"acm" }, "eventTime":"2016-01-05T18:36:29Z", "eventSource":"kms.amazonaws.com", "eventName":"Encrypt", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"aws-internal", "requestParameters":{ "keyId":"arn:aws:kms:us-east-1:123456789012:alias/aws/acm", "encryptionContext":{ "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" } }, "responseElements":null, "requestID":"3c417351-b3db-11e5-9a24-7d9457362fcc", "eventID":"1794fe70-796a-45f5-811b-6584948f24ac", "readOnly":true, "resources":[ { "ARN":"arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321", "accountId":"123456789012" } ], "eventType":"AwsServiceEvent", "recipientAccountId":"123456789012" } ] }

以下示例显示了解密与证书关联的私钥的DecryptACM调用。解密是在内部执行的 Amazon,解密后的密钥永远不会离开。 Amazon

{ "eventVersion":"1.03", "userIdentity":{ "type":"AssumedRole", "principalId":"AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff", "arn":"arn:aws:sts::111122223333:assumed-role/DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2016-01-01T21:13:28Z" }, "sessionIssuer":{ "type":"Role", "principalId":"APKAEIBAERJR2EXAMPLE", "arn":"arn:aws:iam::111122223333:role/DecryptACMCertificate", "accountId":"111122223333", "userName":"DecryptACMCertificate" } } }, "eventTime":"2016-01-01T21:13:28Z", "eventSource":"kms.amazonaws.com", "eventName":"Decrypt", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"aws-internal/3", "requestParameters":{ "encryptionContext":{ "aws:elasticloadbalancing:arn":"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest", "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321" } }, "responseElements":null, "requestID":"809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a", "eventID":"7f89f7a7-baff-4802-8a88-851488607fb9", "readOnly":true, "resources":[ { "ARN":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", "accountId":"123456789012" } ], "eventType":"AwsServiceEvent", "recipientAccountId":"123456789012" }