Managing trails with the Amazon CLI - Amazon CloudTrail

Managing trails with the Amazon CLI

The Amazon CLI includes several other commands that help you manage a trail. These commands add tags to a trail, get the trail status, start and stop logging for a trail, and delete a trail. You must run these commands from the same Amazon Web Services Region in which the trail was created (its Home Region). When you use the Amazon CLI, remember that your commands run in the Amazon Web Services Region configured for your profile. If you want to run commands in a different Region, either change the default Region for your profile, or use the --region parameter with the command.

Add one or more tags to a trail

To add one or more tags to an existing trail, run the add-tags command.

The following example adds a tag named Owner with a value of Mary to a trail with the ARN arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail in the US East (Ohio) Region.

aws cloudtrail add-tags --resource-id arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail --tags-list Key=Owner,Value=Mary --region us-east-2

If successful, the command returns nothing.

List tags for one or more trails

To view the tags associated with one or more existing trails, use the list-tags command.

The following example lists the tags for Trail1 and Trail2.

aws cloudtrail list-tags --resource-id-list arn:aws:cloudtrail:us-east-2:123456789012:trail/Trail1 arn:aws:cloudtrail:us-east-2:123456789012:trail/Trail2

If successful, the command returns output similar to the following.

{
    "ResourceTagList": [
        {
            "ResourceId": "arn:aws:cloudtrail:us-east-2:123456789012:trail/Trail1",
            "TagsList": [
                { "Value": "Alice", "Key": "Name" },
                { "Value": "Ohio", "Key": "Location" }
            ]
        },
        {
            "ResourceId": "arn:aws:cloudtrail:us-east-2:123456789012:trail/Trail2",
            "TagsList": [
                { "Value": "Bob", "Key": "Name" }
            ]
        }
    ]
}

Remove one or more tags from a trail

To remove one or more tags from an existing trail, run the remove-tags command.

The following example removes the tags named Location and Name from a trail with the ARN arn:aws:cloudtrail:us-east-2:123456789012:trail/Trail1 in the US East (Ohio) Region.

aws cloudtrail remove-tags --resource-id arn:aws:cloudtrail:us-east-2:123456789012:trail/Trail1 --tags-list Key=Name Key=Location --region us-east-2

If successful, the command returns nothing.

Retrieving trail settings and the trail status

Run the describe-trails command to retrieve information about the trails in an Amazon Web Services Region. The following example returns information about the trails configured in the US East (Ohio) Region.

aws cloudtrail describe-trails --region us-east-2

If the command succeeds, you see output similar to the following.

{
    "trailList": [
        {
            "Name": "my-trail",
            "S3BucketName": "my-bucket",
            "S3KeyPrefix": "my-prefix",
            "IncludeGlobalServiceEvents": true,
            "IsMultiRegionTrail": true,
            "HomeRegion": "us-east-2",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
            "LogFileValidationEnabled": false,
            "HasCustomEventSelectors": false,
            "SnsTopicName": "my-topic",
            "IsOrganizationTrail": false
        },
        {
            "Name": "my-special-trail",
            "S3BucketName": "another-bucket",
            "S3KeyPrefix": "example-prefix",
            "IncludeGlobalServiceEvents": false,
            "IsMultiRegionTrail": false,
            "HomeRegion": "us-east-2",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-special-trail",
            "LogFileValidationEnabled": false,
            "HasCustomEventSelectors": true,
            "IsOrganizationTrail": false
        },
        {
            "Name": "my-org-trail",
            "S3BucketName": "my-bucket",
            "S3KeyPrefix": "my-prefix",
            "IncludeGlobalServiceEvents": true,
            "IsMultiRegionTrail": true,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-org-trail",
            "LogFileValidationEnabled": false,
            "HasCustomEventSelectors": false,
            "SnsTopicName": "my-topic",
            "IsOrganizationTrail": true
        }
    ]
}

Run the get-trail command to retrieve the settings of a specific trail. The following example returns the settings of a trail named my-trail.

aws cloudtrail get-trail --name my-trail

If successful, the command returns output similar to the following.

{
    "Trail": {
        "Name": "my-trail",
        "S3BucketName": "my-bucket",
        "S3KeyPrefix": "my-prefix",
        "IncludeGlobalServiceEvents": true,
        "IsMultiRegionTrail": true,
        "HomeRegion": "us-east-2",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
        "LogFileValidationEnabled": false,
        "HasCustomEventSelectors": false,
        "SnsTopicName": "my-topic",
        "IsOrganizationTrail": false
    }
}

Run the get-trail-status command to retrieve the status of a trail. You must either run this command from the Amazon Web Services Region where the trail was created (the Home Region), or add the --region parameter to specify that Region.

Note

If the trail is an organization trail and you are a member account in the organization in Amazon Organizations, you must provide the full ARN of the trail, not just the name.

aws cloudtrail get-trail-status --name my-trail

If the command succeeds, you see output similar to the following.

{
    "LatestDeliveryTime": 1441139757.497,
    "LatestDeliveryAttemptTime": "2015-09-01T20:35:57Z",
    "LatestNotificationAttemptSucceeded": "2015-09-01T20:35:57Z",
    "LatestDeliveryAttemptSucceeded": "2015-09-01T20:35:57Z",
    "IsLogging": true,
    "TimeLoggingStarted": "2015-09-01T00:54:02Z",
    "StartLoggingTime": 1441068842.76,
    "LatestDigestDeliveryTime": 1441140723.629,
    "LatestNotificationAttemptTime": "2015-09-01T20:35:57Z",
    "TimeLoggingStopped": ""
}

In addition to the fields shown in the preceding JSON, the status contains the following fields if there are Amazon SNS or Amazon Simple Storage Service (Amazon S3) errors:

  • LatestNotificationError. Contains the error emitted by Amazon SNS if a subscription to a topic fails.

  • LatestDeliveryError. Contains the error emitted by Amazon S3 if CloudTrail cannot deliver a log file to a bucket.
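An added Python check (not part of the CloudTrail documentation) that reads describe-trails and get-trail-status output and flags the conditions a defender cares about: logging stopped, log file validation off, a single-Region trail, or a LatestDeliveryError / LatestNotificationError field present. The JSON below is constructed from the fields shown on this page; the LatestDeliveryError value is made up.

```python
"""Audit describe-trails / get-trail-status output for logging gaps.

Added example, not part of the CloudTrail documentation. The sample JSON is
constructed from the fields this page shows; the error value is made up.
"""
import json

# Constructed sample: what `aws cloudtrail describe-trails` returns.
DESCRIBE_TRAILS = json.loads("""
{ "trailList": [
  { "Name": "my-trail", "S3BucketName": "my-bucket", "HomeRegion": "us-east-2",
    "IsMultiRegionTrail": true, "LogFileValidationEnabled": false,
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail" },
  { "Name": "my-special-trail", "S3BucketName": "another-bucket", "HomeRegion": "us-east-2",
    "IsMultiRegionTrail": false, "LogFileValidationEnabled": true,
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-special-trail" }
] }
""")

# Constructed sample: `aws cloudtrail get-trail-status --name <trail>` for each trail.
TRAIL_STATUS = {
    "my-trail": json.loads("""
    { "IsLogging": true, "LatestDeliveryTime": 1441139757.497,
      "LatestDeliveryAttemptSucceeded": "2015-09-01T20:35:57Z",
      "TimeLoggingStopped": "" }"""),
    "my-special-trail": json.loads("""
    { "IsLogging": false, "TimeLoggingStopped": "2015-09-02T03:11:40Z",
      "LatestDeliveryError": "AccessDenied" }"""),
}


def audit_trail(trail, status):
    """Return a list of findings for one trail; empty when nothing is wrong."""
    findings = []
    if not status.get("IsLogging", False):
        stopped = status.get("TimeLoggingStopped") or "unknown"
        findings.append(f"logging is stopped (IsLogging=false, TimeLoggingStopped={stopped})")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation (digest files) is disabled")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(f"single-Region trail: only {trail['HomeRegion']} events are recorded")
    # These two fields appear only when S3 or SNS delivery failed (see the list above).
    if "LatestDeliveryError" in status:
        findings.append(f"S3 delivery failing: {status['LatestDeliveryError']}")
    if "LatestNotificationError" in status:
        findings.append(f"SNS notification failing: {status['LatestNotificationError']}")
    return findings


def audit_account(describe_output, status_by_name):
    """Map each trail name to its findings; healthy trails map to an empty list."""
    return {t["Name"]: audit_trail(t, status_by_name[t["Name"]])
            for t in describe_output["trailList"]}


if __name__ == "__main__":
    for name, findings in audit_account(DESCRIBE_TRAILS, TRAIL_STATUS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```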

Configuring CloudTrail Insights event selectors

Enable Insights events on a trail by running put-insight-selectors and specifying ApiCallRateInsight, ApiErrorRateInsight, or both as the value of the InsightType attribute. To view the Insights event selector settings for a trail, run the get-insight-selectors command. You must either run this command from the Amazon Web Services Region where the trail was created (the Home Region), or add the --region parameter to the command to specify that Region.

Note

To log ApiCallRateInsight Insights events, the trail must log write management events. To log ApiErrorRateInsight Insights events, the trail must log read and write management events.

Example trail that logs Insights events

The following example uses put-insight-selectors to create an Insights event selector for a trail named TrailName3. This enables collection of Insights events for the TrailName3 trail. The Insights event selector logs both the ApiErrorRateInsight and ApiCallRateInsight Insights event types.

aws cloudtrail put-insight-selectors --trail-name TrailName3 --insight-selectors '[{"InsightType": "ApiCallRateInsight"},{"InsightType": "ApiErrorRateInsight"}]'

The example returns the Insights event selectors that are configured for the trail.

{
    "InsightSelectors": [
        { "InsightType": "ApiErrorRateInsight" },
        { "InsightType": "ApiCallRateInsight" }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName3"
}

Example: Turn off Insights event collection

The following example uses put-insight-selectors to remove the Insights event selectors for a trail named TrailName3. Clearing the JSON string of Insights selectors disables Insights event collection for the TrailName3 trail.

aws cloudtrail put-insight-selectors --trail-name TrailName3 --insight-selectors '[]'

The example returns the now-empty Insights event selectors configured for the trail.

{
    "InsightSelectors": [],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName3"
}

Configuring event selectors

To view the event selector settings for a trail, run the get-event-selectors command. You must either run this command from the Amazon Web Services Region where the trail was created (the Home Region), or specify that Region by using the --region parameter.

aws cloudtrail get-event-selectors --trail-name TrailName

Note

If the trail is an organization trail and you are a member account in the organization in Amazon Organizations, you must provide the full ARN of the trail, not just the name.

The following example returns the default settings for the event selectors of a trail.

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [],
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}

To create an event selector, run the put-event-selectors command. If you want to log Insights events on the trail, be sure the event selector enables logging of the Insights types you want to configure on the trail. For more information about logging Insights events, see Logging Insights events for trails.

When an event occurs in your account, CloudTrail evaluates the configuration of your trails. If the event matches any event selector of a trail, the trail processes and logs the event. You can configure up to 5 event selectors and up to 250 data resources for a trail. For more information, see Logging data events.

Example trail with specific event selectors

The following example creates an event selector for a trail named TrailName that includes read-only and write-only management events, data events for two Amazon S3 bucket/prefix combinations, and data events for a single Amazon Lambda function named hello-world-python-function.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::mybucket/prefix","arn:aws:s3:::mybucket2/prefix2"]},{"Type": "AWS::Lambda::Function","Values": ["arn:aws:lambda:us-west-2:999999999999:function:hello-world-python-function"]}]}]'

The following example returns the event selectors configured for the trail.

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [],
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3:::mybucket/prefix",
                        "arn:aws:s3:::mybucket2/prefix2"
                    ],
                    "Type": "AWS::S3::Object"
                },
                {
                    "Values": [
                        "arn:aws:lambda:us-west-2:123456789012:function:hello-world-python-function"
                    ],
                    "Type": "AWS::Lambda::Function"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}

Example trail that logs all management and data events

The following example creates an event selector for a trail named TrailName2 that includes all events, including read-only and write-only management events, and all data events for all Amazon S3 buckets, Amazon Lambda functions, and Amazon DynamoDB tables in the Amazon Web Services account. Because this example uses basic event selectors, it cannot configure logging of S3 events on Amazon Outposts, Amazon Managed Blockchain JSON-RPC calls on Ethereum nodes, or other advanced event selector resource types. You must use advanced event selectors to log data events for those resources. For more information, see Configuring advanced event selectors.

Note

If the trail applies only to one Region, only events in that Region are logged, even though the event selector parameters specify all Amazon Simple Storage Service (Amazon S3) buckets and Lambda functions. Event selectors apply only to the Region where the trail is created.

aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]},{"Type": "AWS::Lambda::Function","Values": ["arn:aws:lambda"]},{"Type": "AWS::DynamoDB::Table","Values": ["arn:aws:dynamodb"]}]}]'

The following example returns the event selectors configured for the trail.

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [],
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [ "arn:aws:s3:::" ],
                    "Type": "AWS::S3::Object"
                },
                {
                    "Values": [ "arn:aws:lambda" ],
                    "Type": "AWS::Lambda::Function"
                },
                {
                    "Values": [ "arn:aws:dynamodb" ],
                    "Type": "AWS::DynamoDB::Table"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName2"
}

Example trail that does not log Amazon Key Management Service events

The following example creates an event selector for a trail named TrailName that includes read-only and write-only management events, but excludes Amazon Key Management Service (Amazon KMS) events. Because Amazon KMS events are treated as management events, and there can be a high volume of them, they can have a substantial impact on your CloudTrail bill if you have more than one trail that captures management events. In this example, the user has chosen to exclude Amazon KMS events from every trail except one. To exclude an event source, add ExcludeManagementEventSources to your event selectors, and specify the event source in the string value.

If you choose not to log management events, Amazon KMS events are not logged, and you cannot change the Amazon KMS event logging settings.

To start logging Amazon KMS events to a trail again, pass an empty array as the value of ExcludeManagementEventSources.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","ExcludeManagementEventSources": ["kms.amazonaws.com"],"IncludeManagementEvents": true}]'

The following example returns the event selectors configured for the trail.

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [ "kms.amazonaws.com" ],
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}

To start logging Amazon KMS events to a trail again, pass an empty array as the value of ExcludeManagementEventSources, as shown in the following command.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","ExcludeManagementEventSources": [],"IncludeManagementEvents": true}]'

Example trail that logs relevant low-volume Amazon Key Management Service events

The following example creates an event selector for a trail named TrailName that includes write-only management events and Amazon KMS events. Because Amazon KMS events are treated as management events, and there can be a high volume of them, they can have a substantial impact on your CloudTrail bill if you have more than one trail that captures management events. The user in this example has chosen to include Amazon KMS Write events, which include Disable, Delete, and ScheduleKey, but no longer include high-volume actions such as Encrypt, Decrypt, and GenerateDataKey (these actions are now treated as Read events).

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "WriteOnly","ExcludeManagementEventSources": [],"IncludeManagementEvents": true}]'

The following example returns the event selectors configured for the trail. This logs write-only management events, including Amazon KMS events.

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [],
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ReadWriteType": "WriteOnly"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}
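To make the matching rules of basic event selectors concrete, here is an added Python evaluator (not part of the CloudTrail documentation or the Amazon CLI) that applies the selector lists from the put-event-selectors commands in this section to constructed sample events. It assumes an event carries a single resource and that DataResources values match the resource ARN by prefix, which is why "arn:aws:s3:::" covers every bucket.

```python
"""Evaluate basic CloudTrail event selectors the way this page describes them.

Added example, not part of the CloudTrail documentation. Selector lists are
copied from the commands above; events are constructed samples with only the
fields the rules need. Assumptions: one resource per event, and DataResources
values match the resource ARN by prefix.
"""


def _read_write_ok(selector, event):
    """ReadWriteType gates both management and data events."""
    rw = selector.get("ReadWriteType", "All")
    return (rw == "All"
            or (rw == "ReadOnly" and event["readOnly"])
            or (rw == "WriteOnly" and not event["readOnly"]))


def _management_ok(selector, event):
    if not selector.get("IncludeManagementEvents", True):
        return False
    excluded = selector.get("ExcludeManagementEventSources", [])
    return event["eventSource"] not in excluded


def _data_ok(selector, event):
    for res in selector.get("DataResources", []):
        if res["Type"] != event["resourceType"]:
            continue
        if any(event["resourceArn"].startswith(v) for v in res["Values"]):
            return True
    return False


def selector_matches(selector, event):
    if not _read_write_ok(selector, event):
        return False
    if event["eventCategory"] == "Management":
        return _management_ok(selector, event)
    return _data_ok(selector, event)


def is_logged(event_selectors, event):
    """A trail logs the event if any of its (up to 5) event selectors matches."""
    return any(selector_matches(s, event) for s in event_selectors)


# Selector lists taken from the put-event-selectors commands in this section.
SPECIFIC = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": [
                 {"Type": "AWS::S3::Object",
                  "Values": ["arn:aws:s3:::mybucket/prefix", "arn:aws:s3:::mybucket2/prefix2"]},
                 {"Type": "AWS::Lambda::Function",
                  "Values": ["arn:aws:lambda:us-west-2:999999999999:function:hello-world-python-function"]}]}]
NO_KMS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
           "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]
WRITE_ONLY = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
               "ExcludeManagementEventSources": []}]
TRAILS = {"specific": SPECIFIC, "no-kms": NO_KMS, "write-only": WRITE_ONLY}


def event(name, source, category, read_only, rtype=None, arn=None):
    """Constructed event with only the fields the selector rules look at."""
    return {"eventName": name, "eventSource": source, "eventCategory": category,
            "readOnly": read_only, "resourceType": rtype, "resourceArn": arn}


# Constructed sample events.
KMS_DECRYPT = event("Decrypt", "kms.amazonaws.com", "Management", True)
KMS_SCHEDULE = event("ScheduleKeyDeletion", "kms.amazonaws.com", "Management", False)
S3_PUT_IN_PREFIX = event("PutObject", "s3.amazonaws.com", "Data", False,
                         "AWS::S3::Object", "arn:aws:s3:::mybucket/prefix/report.csv")
S3_PUT_OTHER = event("PutObject", "s3.amazonaws.com", "Data", False,
                     "AWS::S3::Object", "arn:aws:s3:::otherbucket/report.csv")
LAMBDA_INVOKE = event("Invoke", "lambda.amazonaws.com", "Data", False, "AWS::Lambda::Function",
                      "arn:aws:lambda:us-west-2:999999999999:function:hello-world-python-function")


def trails_logging(ev, trails=TRAILS):
    """Names of the trails that would record the event; each one is billed separately."""
    return [name for name, selectors in trails.items() if is_logged(selectors, ev)]


if __name__ == "__main__":
    for ev in (KMS_DECRYPT, KMS_SCHEDULE, S3_PUT_IN_PREFIX, S3_PUT_OTHER, LAMBDA_INVOKE):
        print(f"{ev['eventName']:<20} logged by {trails_logging(ev)}")
```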

Configuring advanced event selectors

To use advanced event selectors rather than basic event selectors to include or exclude data events, use advanced event selectors on the trail's details page. Advanced event selectors let you log data events on more resource types than basic event selectors. Basic selectors log S3 object activity, Amazon Lambda function execution activity, and DynamoDB tables.

In advanced event selectors, you build an expression that collects data events on specific S3 buckets, Amazon Lambda functions, CloudTrail Lake channel PutAuditEvents calls, DynamoDB tables, Amazon S3 on Outposts, Amazon Managed Blockchain JSON-RPC calls on Ethereum nodes, S3 Object Lambda access points, Amazon EBS direct APIs on EBS snapshots, S3 access points, DynamoDB streams, Amazon Glue tables created by Lake Formation, Amazon FinSpace environments, Amazon SageMaker metrics experiment trial components, Amazon SageMaker feature stores, Amazon Kendra Intelligent Ranking rescore execution plans, Amazon Cognito identity pools, Amazon GuardDuty detectors, Amazon EMR write-ahead log workspaces, Amazon CodeWhisperer profiles, Amazon Verified Permissions policy stores, Amazon Systems Manager control channels, and Amazon Managed Blockchain networks.

For more information about advanced event selectors, see Configuring advanced event selectors.

To view the advanced event selector settings for a trail, run the get-event-selectors command shown below. You must either run this command from the Amazon Web Services Region where the trail was created (the Home Region), or add the --region parameter to specify that Region.

aws cloudtrail get-event-selectors --trail-name TrailName

Note

If the trail is an organization trail and you are signed in with a member account in the organization in Amazon Organizations, you must provide the full ARN of the trail, not just the name.

The following example returns the default settings for a trail's advanced event selectors. By default, no advanced event selectors are configured for a trail.

{
    "AdvancedEventSelectors": [],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}

To create an event selector, run the put-event-selectors command. When a data event occurs in your account, CloudTrail evaluates the configuration of your trails. If the event matches any advanced event selector of a trail, the trail processes and logs the event. You can configure up to 500 conditions on a trail, including all values specified for all advanced event selectors on the trail. For more information, see Logging data events.

Example trail with specific advanced event selectors

The following example creates custom advanced event selectors for a trail named TrailName that includes read and write management events (by omitting the readOnly selector), PutObject and DeleteObject data events for all Amazon S3 bucket/prefix combinations except for a bucket named sample_bucket_name, and data events for an Amazon Lambda function named MyLambdaFunction. Because these are custom advanced event selectors, each set of selectors has a descriptive name. Note that a trailing slash is part of the ARN value for S3 buckets.

aws cloudtrail put-event-selectors --trail-name TrailName --advanced-event-selectors '[ { "Name": "Log readOnly and writeOnly management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] }, { "Name": "Log PutObject and DeleteObject events for all but one bucket", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::Object"] }, { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] }, { "Field": "resources.ARN", "NotEquals": ["arn:aws:s3:::sample_bucket_name/"] } ] }, { "Name": "Log data plane actions on MyLambdaFunction", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::Lambda::Function"] }, { "Field": "resources.ARN", "Equals": ["arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction"] } ] } ]'

The following example returns the advanced event selectors configured for the trail.

{
    "AdvancedEventSelectors": [
        {
            "Name": "Log readOnly and writeOnly management events",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Management" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] }
            ]
        },
        {
            "Name": "Log PutObject and DeleteObject events for all but one bucket",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Data" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] },
                { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] },
                { "Field": "resources.ARN", "Equals": [], "StartsWith": [], "EndsWith": [], "NotEquals": [ "arn:aws:s3:::sample_bucket_name/" ], "NotStartsWith": [], "NotEndsWith": [] }
            ]
        },
        {
            "Name": "Log data plane actions on MyLambdaFunction",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Data" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] },
                { "Field": "resources.type", "Equals": [ "AWS::Lambda::Function" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] },
                { "Field": "eventName", "Equals": [ "Invoke" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] },
                { "Field": "resources.ARN", "Equals": [ "arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] }
            ]
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}

Example trail that logs all management and data events by using custom advanced event selectors

The following example creates advanced event selectors for a trail named TrailName2 that includes all events, including read-only and write-only management events, and all data events for all S3 buckets, Amazon Lambda functions, CloudTrail Lake channel PutAuditEvents calls, DynamoDB tables, Amazon S3 on Outposts, Amazon Managed Blockchain JSON-RPC calls on Ethereum nodes, S3 Object Lambda access points, Amazon EBS direct APIs on EBS snapshots, S3 access points, DynamoDB streams, Amazon Glue tables created by Lake Formation, Amazon FinSpace environments, Amazon SageMaker metrics experiment trial components, Amazon SageMaker feature stores, Amazon Kendra Intelligent Ranking rescore execution plans, Amazon Cognito identity pools, Amazon GuardDuty detectors, Amazon EMR write-ahead log workspaces, Amazon CodeWhisperer profiles, Amazon Verified Permissions policy stores, Amazon Systems Manager control channels, and Amazon Managed Blockchain networks.

Note

If the trail applies only to one Region, only events in that Region are logged, even though the event selector parameters specify all Amazon S3 buckets and Lambda functions. In a single-Region trail, event selectors apply only to the Region where the trail is created.

aws cloudtrail put-event-selectors --trail-name TrailName2 \
--advanced-event-selectors '[
  { "Name": "Log readOnly and writeOnly management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] },
  { "Name": "Log all events for all Amazon S3 buckets", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::Object"] } ] },
  { "Name": "Log all events for Lambda functions", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::Lambda::Function"] } ] },
  { "Name": "Log all events for DynamoDB tables", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"] } ] },
  { "Name": "Log all CloudTrail PutAuditEvents activity on a CloudTrail Lake channel", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::CloudTrail::Channel"] } ] },
  { "Name": "Log all events for Amazon S3 on Outposts", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3Outposts::Object"] } ] },
  { "Name": "Log all JSON-RPC calls for Ethereum nodes in Amazon Managed Blockchain", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::ManagedBlockchain::Node"] } ] },
  { "Name": "Log all events for Amazon S3 Object Lambda access points", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3ObjectLambda::AccessPoint"] } ] },
  { "Name": "Log all Amazon EBS direct API calls on snapshots", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::EC2::Snapshot"] } ] },
  { "Name": "Log all events for Amazon S3 access points", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::AccessPoint"] } ] },
  { "Name": "Log all events for DynamoDB streams", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::DynamoDB::Stream"] } ] },
  { "Name": "Log all events for Amazon Glue tables created by Lake Formation", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::Glue::Table"] } ] },
  { "Name": "Log all events for FinSpace environments", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::FinSpace::Environment"] } ] },
  { "Name": "Log all events for SageMaker metrics experiment trial components", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::SageMaker::ExperimentTrialComponent"] } ] },
  { "Name": "Log all events for SageMaker feature stores", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::SageMaker::FeatureGroup"] } ] },
  { "Name": "Log all events for Amazon Kendra Intelligent Ranking rescore execution plans", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::KendraRanking::ExecutionPlan"] } ] },
  { "Name": "Log all events for Amazon Cognito identity pools", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::Cognito::IdentityPool"] } ] },
  { "Name": "Log all events for an Amazon GuardDuty detector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::GuardDuty::Detector"] } ] },
  { "Name": "Log all events for Amazon EMR write-ahead log workspaces", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::EMRWAL::Workspace"] } ] },
  { "Name": "Log all events for Amazon CodeWhisperer profiles", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::CodeWhisperer::Profile"] } ] },
  { "Name": "Log all events for Amazon Verified Permissions policy stores", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::VerifiedPermissions::PolicyStore"] } ] },
  { "Name": "Log all events for Amazon Systems Manager control channels", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::SSMMessages::ControlChannel"] } ] },
  { "Name": "Log all events for Amazon Managed Blockchain networks", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::ManagedBlockchain::Network"] } ] }
]'

The following example returns the advanced event selectors configured for the trail.

{
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName2",
    "AdvancedEventSelectors": [
        { "Name": "Log readOnly and writeOnly management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] },
        { "Name": "Log all events for all Amazon S3 buckets", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] } ] },
        { "Name": "Log all events for Lambda functions", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::Lambda::Function" ] } ] },
        { "Name": "Log all events for DynamoDB tables", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::DynamoDB::Table" ] } ] },
        { "Name": "Log all CloudTrail PutAuditEvents activity on a CloudTrail Lake channel", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::CloudTrail::Channel" ] } ] },
        { "Name": "Log all events for Amazon S3 on Outposts", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3Outposts::Object" ] } ] },
        { "Name": "Log all JSON-RPC calls for Ethereum nodes in Amazon Managed Blockchain", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::ManagedBlockchain::Node" ] } ] },
        { "Name": "Log all events for Amazon S3 Object Lambda access points", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3ObjectLambda::AccessPoint" ] } ] },
        { "Name": "Log all Amazon EBS direct API calls on snapshots", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::EC2::Snapshot" ] } ] },
        { "Name": "Log all events for Amazon S3 access points", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3::AccessPoint" ] } ] },
        { "Name": "Log all events for DynamoDB streams", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::DynamoDB::Stream" ] } ] },
        { "Name": "Log all events for Amazon Glue tables created by Lake Formation", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::Glue::Table" ] } ] },
        { "Name": "Log all events for FinSpace environments", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::FinSpace::Environment" ] } ] },
        { "Name": "Log all events for SageMaker metrics experiment trial components", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::SageMaker::ExperimentTrialComponent" ] } ] },
        { "Name": "Log all events for SageMaker feature stores", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::SageMaker::FeatureGroup" ] } ] },
        { "Name": "Log all events for Amazon Kendra Intelligent Ranking rescore execution plans", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::KendraRanking::ExecutionPlan" ] } ] },
        { "Name": "Log all events for Amazon Cognito identity pools", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::Cognito::IdentityPool" ] } ] },
        { "Name": "Log all events for an Amazon GuardDuty detector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::GuardDuty::Detector" ] } ] },
        { "Name": "Log all events for Amazon EMR write-ahead log workspaces", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::EMRWAL::Workspace" ] } ] },
        { "Name": "Log all events for Amazon CodeWhisperer profiles", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::CodeWhisperer::Profile" ] } ] },
        { "Name": "Log all events for Amazon Verified Permissions policy stores", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::VerifiedPermissions::PolicyStore" ] } ] },
        { "Name": "Log all events for Amazon Systems Manager control channels", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::SSMMessages::ControlChannel" ] } ] },
        { "Name": "Log all events for Amazon Managed Blockchain networks", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::ManagedBlockchain::Network" ] } ] }
    ]
}

Example trail that logs Amazon S3 on Outposts data events by using custom advanced event selectors

The following example shows how to configure your trail to include all data events on all Amazon S3 on Outposts objects in your Outpost. In this release, the supported value for the resources.type field for S3 on Outposts events is AWS::S3Outposts::Object.

aws cloudtrail put-event-selectors --trail-name TrailName --region region \
--advanced-event-selectors \
'[ { "Name": "OutpostsEventSelector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3Outposts::Object"] } ] } ]'

The command returns the following example output.

{
    "AdvancedEventSelectors": [
        {
            "Name": "OutpostsEventSelector",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Data" ] },
                { "Field": "resources.type", "Equals": [ "AWS::S3Outposts::Object" ] }
            ]
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:region:123456789012:trail/TrailName"
}

Example trail that excludes Amazon Key Management Service events by using advanced event selectors

The following example creates advanced event selectors for a trail named TrailName that includes read-only and write-only management events (by omitting the readOnly selector), but excludes Amazon Key Management Service (Amazon KMS) events. Because Amazon KMS events are treated as management events, and there can be a high volume of them, they can have a substantial impact on your CloudTrail bill if you have more than one trail that captures management events. In this release, you can exclude events from kms.amazonaws.com.

If you choose not to log management events, Amazon KMS events are not logged, and you cannot change the Amazon KMS event logging settings.

To start logging Amazon KMS events to a trail again, remove the eventSource selector and run the command again.

aws cloudtrail put-event-selectors --trail-name TrailName \
--advanced-event-selectors '[ { "Name": "Log all management events except KMS events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] }, { "Field": "eventSource", "NotEquals": ["kms.amazonaws.com"] } ] } ]'

The following example returns the advanced event selectors configured for the trail.

{
    "AdvancedEventSelectors": [
        {
            "Name": "Log all management events except KMS events",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Management" ], "StartsWith": [], "EndsWith": [], "NotEquals": [], "NotStartsWith": [], "NotEndsWith": [] },
                { "Field": "eventSource", "Equals": [], "StartsWith": [], "EndsWith": [], "NotEquals": [ "kms.amazonaws.com" ], "NotStartsWith": [], "NotEndsWith": [] }
            ]
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}

To start logging the excluded events to a trail again, remove the eventSource selector, as shown in the following command.

aws cloudtrail put-event-selectors --trail-name TrailName \
--advanced-event-selectors '[ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] } ]'
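As an added example (not the CloudTrail documentation's or the Amazon CLI's own code), the following Python evaluator applies advanced event selectors modelled on the commands in this section to constructed sample events, so you can see which named selector picks an event up before changing a production trail. It treats the six operators as plain string tests on a single field value, assumes an event carries one resource, and uses NotStartsWith for the bucket exclusion because the page's Equals-with-trailing-slash bucket form is not modelled here.

```python
"""Evaluate CloudTrail advanced event selectors against sample events.

Added example, not part of the CloudTrail documentation. Rules as the page
states them: every FieldSelector inside one advanced event selector must
match (AND); the trail logs the event if any selector matches (OR).
Assumptions: operators are plain string tests on one field value, an event
carries one resource, and the bucket exclusion uses NotStartsWith rather
than the page's Equals-with-trailing-slash form.
"""

OPERATORS = {
    "Equals":        lambda value, opts: value in opts,
    "NotEquals":     lambda value, opts: value not in opts,
    "StartsWith":    lambda value, opts: any(value.startswith(o) for o in opts),
    "NotStartsWith": lambda value, opts: not any(value.startswith(o) for o in opts),
    "EndsWith":      lambda value, opts: any(value.endswith(o) for o in opts),
    "NotEndsWith":   lambda value, opts: not any(value.endswith(o) for o in opts),
}


def field_selector_matches(fs, event):
    """Every operator present in the FieldSelector must hold for the field's value."""
    value = event.get(fs["Field"])
    if value is None:  # e.g. resources.type is absent on a management event
        return False
    for op, test in OPERATORS.items():
        opts = fs.get(op, [])
        if opts and not test(value, opts):
            return False
    return True


def selector_matches(selector, event):
    return all(field_selector_matches(fs, event) for fs in selector["FieldSelectors"])


def is_logged(advanced_selectors, event):
    return any(selector_matches(s, event) for s in advanced_selectors)


def matching_selector_names(advanced_selectors, event):
    """Named selectors that pick the event up; useful when debugging a trail config."""
    return [s["Name"] for s in advanced_selectors if selector_matches(s, event)]


# Selectors modelled on the put-event-selectors commands in this section.
SELECTORS = [
    {"Name": "Log all management events except KMS events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]},
                        {"Field": "eventSource", "NotEquals": ["kms.amazonaws.com"]}]},
    {"Name": "Log PutObject and DeleteObject events for all but one bucket",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                        {"Field": "eventName", "Equals": ["PutObject", "DeleteObject"]},
                        {"Field": "resources.ARN", "NotStartsWith": ["arn:aws:s3:::sample_bucket_name/"]}]},
    {"Name": "Log data plane actions on MyLambdaFunction",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
                        {"Field": "resources.ARN",
                         "Equals": ["arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction"]}]},
]


def event(category, source, name, rtype=None, arn=None):
    """Constructed event with just the fields the selectors reference."""
    e = {"eventCategory": category, "eventSource": source, "eventName": name}
    if rtype:
        e["resources.type"], e["resources.ARN"] = rtype, arn
    return e


# Constructed sample events.
IAM_CREATE_USER = event("Management", "iam.amazonaws.com", "CreateUser")
KMS_DECRYPT = event("Management", "kms.amazonaws.com", "Decrypt")
S3_PUT_OTHER = event("Data", "s3.amazonaws.com", "PutObject",
                     "AWS::S3::Object", "arn:aws:s3:::other-bucket/report.csv")
S3_PUT_EXCLUDED = event("Data", "s3.amazonaws.com", "PutObject",
                        "AWS::S3::Object", "arn:aws:s3:::sample_bucket_name/report.csv")
S3_GET_OTHER = event("Data", "s3.amazonaws.com", "GetObject",
                     "AWS::S3::Object", "arn:aws:s3:::other-bucket/report.csv")
LAMBDA_INVOKE = event("Data", "lambda.amazonaws.com", "Invoke", "AWS::Lambda::Function",
                      "arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction")

if __name__ == "__main__":
    for ev in (IAM_CREATE_USER, KMS_DECRYPT, S3_PUT_OTHER, S3_PUT_EXCLUDED, S3_GET_OTHER, LAMBDA_INVOKE):
        print(f"{ev['eventName']:<12} logged={is_logged(SELECTORS, ev)} "
              f"by={matching_selector_names(SELECTORS, ev)}")
```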

Stopping and starting logging for a trail

The following commands start and stop CloudTrail logging.

aws cloudtrail start-logging --name awscloudtrail-example
aws cloudtrail stop-logging --name awscloudtrail-example

Note

Before you delete a bucket, run the stop-logging command to stop delivering events to the bucket. If you don't stop logging, CloudTrail attempts to deliver log files to a bucket with the same name for a limited period.

If you stop logging or delete a trail, CloudTrail Insights is disabled on that trail.

Deleting a trail

You can delete a trail with the following command. You can delete a trail only in the Region where it was created (the Home Region).

aws cloudtrail delete-trail --name awscloudtrail-example

When you delete a trail, do not delete the Amazon Simple Storage Service (Amazon S3) bucket or the Amazon SNS topic associated with the bucket. Delete these resources separately by using the Amazon Web Services Management Console, the Amazon CLI, or the service API.