本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 记录集成服务的 API 调用
您可以使用审核 CloudTrail 与 ACM 集成的服务发出的 API 调用。有关使用的更多信息 CloudTrail,请参阅《[Amazon CloudTrail 用户指南》](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)。以下示例显示了可生成的日志的类型,具体取决于您用于预置 ACM 证书的 Amazon 资源。
**Topics**
+ [创建负载均衡器](#ct-related-lb)
## 创建负载均衡器
您可以使用审核 CloudTrail 与 ACM 集成的服务发出的 API 调用。有关使用的更多信息 CloudTrail,请参阅《[Amazon CloudTrail 用户指南》](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)。以下示例显示了可以生成的日志类型,具体取决于您配置 ACM 证书所依据的 Amazon 资源。
**Topics**
+ [创建负载均衡器](#ct-related-lb)
+ [使用负载均衡器注册 Amazon EC2 实例](#ct-related-ec2)
+ [加密私有密钥](#ct-related-encrypt)
+ [解密私有密钥](#ct-related-decrypt)
### 创建负载均衡器
以下示例演示名为 Alice 的 IAM 用户对 `CreateLoadBalancer` 函数的调用。负载均衡器的名称是 `TestLinuxDefault`,而且侦听器是使用 ACM 证书创建的。
```
{
"eventVersion":"1.03",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::111122223333:user/Alice",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-01-01T21:10:36Z",
"eventSource":"elasticloadbalancing.amazonaws.com",
"eventName":"CreateLoadBalancer",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0/24",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"availabilityZones":[
"us-east-1b"
],
"loadBalancerName":"LinuxTest",
"listeners":[
{
"sSLCertificateId":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012",
"protocol":"HTTPS",
"loadBalancerPort":443,
"instanceProtocol":"HTTP",
"instancePort":80
}
]
},
"responseElements":{
"dNSName":"LinuxTest-1234567890.us-east-1.elb.amazonaws.com"
},
"requestID":"19669c3b-b0cc-11e5-85b2-57397210a2e5",
"eventID":"5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7",
"eventType":"AwsApiCall",
"recipientAccountId":"111122223333"
}
```
### 使用负载均衡器注册 Amazon EC2 实例
当您在某个 Amazon Elastic Compute Cloud (Amazon EC2) 实例上预置网站或应用程序时,负载均衡器必须了解该实例。这可以通过 Elastic Load Balancing 控制台或 Amazon Command Line Interface来完成。以下示例显示了对 Amazon 账户 123456789012 LinuxTest 上名`RegisterInstancesWithLoadBalancer`为的负载均衡器的调用。
```
{
"eventVersion":"1.03",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/ALice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice",
"sessionContext":{
"attributes":{
"mfaAuthenticated":"false",
"creationDate":"2016-01-01T19:35:52Z"
}
},
"invokedBy":"signin.amazonaws.com"
},
"eventTime":"2016-01-01T21:11:45Z",
"eventSource":"elasticloadbalancing.amazonaws.com",
"eventName":"RegisterInstancesWithLoadBalancer",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0/24",
"userAgent":"signin.amazonaws.com",
"requestParameters":{
"loadBalancerName":"LinuxTest",
"instances":[
{
"instanceId":"i-c67f4e78"
}
]
},
"responseElements":{
"instances":[
{
"instanceId":"i-c67f4e78"
}
]
},
"requestID":"438b07dc-b0cc-11e5-8afb-cda7ba020551",
"eventID":"9f284ca6-cbe5-42a1-8251-4f0e6b5739d6",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
```
### 加密私有密钥
以下示例说明用于加密与 ACM 证书关联的私有密钥的 `Encrypt` 调用。加密是在 Amazon中执行。
```
{
"Records":[
{
"eventVersion":"1.03",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::111122223333:user/acm",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"acm"
},
"eventTime":"2016-01-05T18:36:29Z",
"eventSource":"kms.amazonaws.com",
"eventName":"Encrypt",
"awsRegion":"us-east-1",
"sourceIPAddress":"AWS Internal",
"userAgent":"aws-internal",
"requestParameters":{
"keyId":"arn:aws:kms:us-east-1:123456789012:alias/aws/acm",
"encryptionContext":{
"aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
}
},
"responseElements":null,
"requestID":"3c417351-b3db-11e5-9a24-7d9457362fcc",
"eventID":"1794fe70-796a-45f5-811b-6584948f24ac",
"readOnly":true,
"resources":[
{
"ARN":"arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321",
"accountId":"123456789012"
}
],
"eventType":"AwsServiceEvent",
"recipientAccountId":"123456789012"
}
]
}
```
### 解密私有密钥
以下示例显示了用于对与 ACM 证书关联的私有密钥进行解密的 `Decrypt` 调用。解密是在内部执行的 Amazon,解密后的密钥永远不会离开。 Amazon
```
{
"eventVersion":"1.03",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff",
"arn":"arn:aws:sts::111122223333:assumed-role/DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"sessionContext":{
"attributes":{
"mfaAuthenticated":"false",
"creationDate":"2016-01-01T21:13:28Z"
},
"sessionIssuer":{
"type":"Role",
"principalId":"APKAEIBAERJR2EXAMPLE",
"arn":"arn:aws:iam::111122223333:role/DecryptACMCertificate",
"accountId":"111122223333",
"userName":"DecryptACMCertificate"
}
}
},
"eventTime":"2016-01-01T21:13:28Z",
"eventSource":"kms.amazonaws.com",
"eventName":"Decrypt",
"awsRegion":"us-east-1",
"sourceIPAddress":"AWS Internal",
"userAgent":"aws-internal/3",
"requestParameters":{
"encryptionContext":{
"aws:elasticloadbalancing:arn":"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest",
"aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321"
}
},
"responseElements":null,
"requestID":"809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a",
"eventID":"7f89f7a7-baff-4802-8a88-851488607fb9",
"readOnly":true,
"resources":[
{
"ARN":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
"accountId":"123456789012"
}
],
"eventType":"AwsServiceEvent",
"recipientAccountId":"123456789012"
}
```