记录集成服务的 API 调用 - Amazon Certificate Manager
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

记录集成服务的 API 调用

您可以使用 CloudTrail 审核与 ACM 集成的服务发出的 API 调用。有关使用 CloudTrail 的更多信息,请参阅 Amazon CloudTrail 用户指南。以下示例显示了可生成的日志的类型,具体取决于您用于预置 ACM 证书的Amazon资源。

您可以使用 CloudTrail 审核与 ACM 集成的服务发出的 API 调用。有关使用 CloudTrail 的更多信息,请参阅 Amazon CloudTrail 用户指南。以下示例显示了可生成的日志的类型,具体取决于您用于预置 ACM 证书的Amazon资源。

以下示例演示名为 Alice 的 IAM 用户对 CreateLoadBalancer 函数的调用。负载均衡器的名称是 TestLinuxDefault,而且侦听器是使用 ACM 证书创建的。

{ "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/Alice", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"Alice" }, "eventTime":"2016-01-01T21:10:36Z", "eventSource":"elasticloadbalancing.amazonaws.com", "eventName":"CreateLoadBalancer", "awsRegion":"us-east-1", "sourceIPAddress":"192.0.2.0/24", "userAgent":"aws-cli/1.9.15", "requestParameters":{ "availabilityZones":[ "us-east-1b" ], "loadBalancerName":"LinuxTest", "listeners":[ { "sSLCertificateId":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012", "protocol":"HTTPS", "loadBalancerPort":443, "instanceProtocol":"HTTP", "instancePort":80 } ] }, "responseElements":{ "dNSName":"LinuxTest-1234567890.us-east-1.elb.amazonaws.com" }, "requestID":"19669c3b-b0cc-11e5-85b2-57397210a2e5", "eventID":"5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7", "eventType":"AwsApiCall", "recipientAccountId":"111122223333" }

当您在某个 Amazon Elastic Compute Cloud (Amazon EC2) 实例上预置网站或应用程序时,负载均衡器必须了解该实例。这可以通过 Elastic Load Balancing 控制台或 Amazon Command Line Interface 来完成。以下示例显示了对 Amazon 账户 123456789012 上负载均衡器 LinuxTest 的 RegisterInstancesWithLoadBalancer 的调用。

{ "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::123456789012:user/ALice", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"Alice", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2016-01-01T19:35:52Z" } }, "invokedBy":"signin.amazonaws.com" }, "eventTime":"2016-01-01T21:11:45Z", "eventSource":"elasticloadbalancing.amazonaws.com", "eventName":"RegisterInstancesWithLoadBalancer", "awsRegion":"us-east-1", "sourceIPAddress":"192.0.2.0/24", "userAgent":"signin.amazonaws.com", "requestParameters":{ "loadBalancerName":"LinuxTest", "instances":[ { "instanceId":"i-c67f4e78" } ] }, "responseElements":{ "instances":[ { "instanceId":"i-c67f4e78" } ] }, "requestID":"438b07dc-b0cc-11e5-8afb-cda7ba020551", "eventID":"9f284ca6-cbe5-42a1-8251-4f0e6b5739d6", "eventType":"AwsApiCall", "recipientAccountId":"123456789012" }

以下示例说明用于加密与 ACM 证书关联的私有密钥的 Encrypt 调用。加密是在 Amazon 中执行。

{ "Records":[ { "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/acm", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"acm" }, "eventTime":"2016-01-05T18:36:29Z", "eventSource":"kms.amazonaws.com", "eventName":"Encrypt", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"aws-internal", "requestParameters":{ "keyId":"arn:aws:kms:us-east-1:123456789012:alias/aws/acm", "encryptionContext":{ "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" } }, "responseElements":null, "requestID":"3c417351-b3db-11e5-9a24-7d9457362fcc", "eventID":"1794fe70-796a-45f5-811b-6584948f24ac", "readOnly":true, "resources":[ { "ARN":"arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321", "accountId":"123456789012" } ], "eventType":"AwsServiceEvent", "recipientAccountId":"123456789012" } ] }

以下示例显示了用于对与 ACM 证书关联的私有密钥进行解密的 Decrypt 调用。解密将在 Amazon 中进行,并且解密的密钥绝不会离开 Amazon。

{ "eventVersion":"1.03", "userIdentity":{ "type":"AssumedRole", "principalId":"AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff", "arn":"arn:aws:sts::111122223333:assumed-role/DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2016-01-01T21:13:28Z" }, "sessionIssuer":{ "type":"Role", "principalId":"APKAEIBAERJR2EXAMPLE", "arn":"arn:aws:iam::111122223333:role/DecryptACMCertificate", "accountId":"111122223333", "userName":"DecryptACMCertificate" } } }, "eventTime":"2016-01-01T21:13:28Z", "eventSource":"kms.amazonaws.com", "eventName":"Decrypt", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"aws-internal/3", "requestParameters":{ "encryptionContext":{ "aws:elasticloadbalancing:arn":"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest", "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321" } }, "responseElements":null, "requestID":"809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a", "eventID":"7f89f7a7-baff-4802-8a88-851488607fb9", "readOnly":true, "resources":[ { "ARN":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", "accountId":"123456789012" } ], "eventType":"AwsServiceEvent", "recipientAccountId":"123456789012" }