Amazon Web Services Management Console 登录事件 - Amazon CloudTrail
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon Web Services Management Console 登录事件

CloudTrail 记录尝试登录 Amazon Web Services Management Console、 Amazon 讨论论坛和 Su Amazon pport Center。所有IAM用户和根用户登录事件以及所有联合用户登录事件都会在 CloudTrail 日志文件中生成记录。有关查找和查看日志的信息,请参阅 查找 CloudTrail 日志文件下载您的 CloudTrail 日志文件

您可以使用Amazon 用户通知服务设置传递渠道以获取有关 Amazon CloudTrail 事件的通知。当事件与指定的规则匹配时,会收到通知。可以通过多个渠道接收事件通知,包括电子邮件、Amazon Chatbot聊天通知或Amazon Console Mobile Application推送通知。您还可以在控制台通知中心查看通知。 用户通知服务 支持聚合,这可以减少在具体事件期间收到的通知数量。

注意

ConsoleLogin 事件中记录的区域因用户类型以及您使用全球还是区域端点登录而异。

  • 如果您以 root 用户身份登录,则将事件 CloudTrail 记录在 us-east-1 中。

  • 如果您使用IAM用户登录并使用全局终端节点,则按如下方式 CloudTrail 记录ConsoleLogin事件的区域:

    • 如果浏览器中存在账户别名 cookie,则会在以下区域之一 CloudTrail 记录ConsoleLogin事件:us-east-2、eu-north-1 或 ap-southeast-2。这是因为控制台代理根据用户登录位置的延迟来重定向用户。

    • 如果浏览器中没有账户别名 cookie,则在 us-east-1 中 CloudTrail 记录该ConsoleLogin事件。这是因为控制台代理重定向回全局登录。

  • 如果您使用IAM用户登录并使用区域终端节点,则会在该终端节点的相应区域中 CloudTrail 记录ConsoleLogin事件。有关 Amazon 登录 终端节点的更多信息,请参阅Amazon 登录 终端节点和配额

IAM用户的事件记录示例

以下示例显示了适用于多种 IAM 用户登录方案的事件记录。

IAM用户,在没有的情况下成功登录 MFA

以下记录显示,名为的用户在 Amazon Web Services Management Console 未使用多重身份验证 (MFA) 的情况下Anaya成功登录了。

{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::999999999999:user/Anaya", "accountId": "999999999999", "userName": "Anaya" }, "eventTime": "2023-07-19T21:44:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplee9aba7f8", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "e1bf1000-86a4-4a78-81d7-EXAMPLE83102", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "999999999999", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }

IAM用户,使用成功登录 MFA

以下记录显示名为的IAM用户 Amazon Web Services Management Console 使用多重身份验证 (MFA) Anaya 成功登录。

{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::999999999999:user/Anaya", "accountId": "999999999999", "userName": "Anaya" }, "eventTime": "2023-07-19T22:01:30Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplebde32f3c9", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::999999999999:mfa/mfa-device", "MFAUsed": "Yes" }, "eventID": "e1f76697-5beb-46e8-9cfc-EXAMPLEbde31", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "999999999999", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }

IAM用户,登录失败

以下记录显示名Paulo为的IAM用户尝试登录失败。

{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "accountId": "123456789012", "accessKeyId": "", "userName": "Paulo" }, "eventTime": "2023-07-19T22:01:20Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "errorMessage": "Failed authentication", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplebde32f3c9", "MobileVersion": "No", "MFAUsed": "Yes" }, "eventID": "66c97220-2b7d-43b6-a7a0-EXAMPLEbae9c", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }

IAM用户,登录过程检查MFA(单一MFA设备类型)

下图显示登录过程检查了IAM用户在登录期间是否需要多因素身份验证 (MFA)。在本示例中,mfaType值为U2F MFA,表示IAM用户启用了单个MFA设备或多个相同类型的MFA设备(U2F MFA)。

{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "accountId": "123456789012", "accessKeyId": "", "userName": "Alice" }, "eventTime": "2023-07-19T22:01:26Z", "eventSource": "signin.amazonaws.com", "eventName": "CheckMfa", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "requestParameters": null, "responseElements": { "CheckMfa": "Success" }, "additionalEventData": { "MfaType": "Virtual MFA" }, "eventID": "7d8a0746-b2e7-44f5-9917-EXAMPLEfb77c", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }

IAM用户,登录过程会检查MFA(多种MFA设备类型)

下图显示登录过程检查了IAM用户在登录期间是否需要多因素身份验证 (MFA)。在本示例中,mfaType值为Multiple MFA Devices,表示IAM用户启用了多种MFA设备类型。

{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "accountId": "123456789012", "accessKeyId": "", "userName": "Mary" }, "eventTime": "2023-07-19T23:10:09Z", "eventSource": "signin.amazonaws.com", "eventName": "CheckMfa", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "requestParameters": null, "responseElements": { "CheckMfa": "Success" }, "additionalEventData": { "MfaType": "Multiple MFA Devices" }, "eventID": "19bd1a1c-76b1-4806-9d8f-EXAMPLE02a96", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com" } }

根用户的示例事件记录

以下示例显示了适用于多种 root 用户登录方案的事件记录。当您使用 root 用户登录时,将ConsoleLogin事件 CloudTrail 记录在 us-east-1 中。

root 用户,在没有的情况下成功登录 MFA

下图显示了未使用多重身份验证 () MFA 的 root 用户的成功登录事件。

{ "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "111122223333", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2023-07-12T13:35:31Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_ap-southeast-2_example80afacd389", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "4217cc13-7328-4820-a90c-EXAMPLE8002e6", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com" } }

root 用户,使用成功登录 MFA

下图显示了使用多重身份验证 () MFA 的 root 用户成功登录事件。

{ "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "444455556666", "arn": "arn:aws:iam::444455556666:root", "accountId": "444455556666", "accessKeyId": "" }, "eventTime": "2023-07-13T03:04:43Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://ap-southeast-1.console.aws.amazon.com/ec2/home?region=ap-southeast-1&state=hashArgs%23Instances%3Av%3D3%3B%24case%3Dtags%3Atrue%255C%2Cclient%3Afalse%3B%24regex%3Dtags%3Afalse%255C%2Cclient%3Afalse&isauthcode=true", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::444455556666:mfa/root-account-mfa-device", "MFAUsed": "Yes" }, "eventID": "e0176723-ea76-4275-83a3-EXAMPLEf03fb", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "444455556666", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com" } }

根用户,登录失败

以下显示了未使用MFA的 root 用户登录失败事件。

{ "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "" }, "eventTime": "2023-07-16T04:33:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36", "errorMessage": "Failed authentication", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "additionalEventData": { "LoginTo": "https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1&state=hashArgs%23%2Faccount&isauthcode=true", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "f28d4329-5050-480b-8de0-EXAMPLE07329", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com" } }

root 用户,MFA已更改

以下显示了 root 用户更改多重身份验证 (MFA) 设置的事件示例。

{ "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "111122223333", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "EXAMPLE4XX3IEV4PFQTH", "userName": "Amazon ROOT USER", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-15T03:51:12Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-15T04:37:08Z", "eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36", "requestParameters": { "userName": "Amazon ROOT USER", "serialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device" }, "responseElements": null, "requestID": "9b45cd4c-a598-41e7-9170-EXAMPLE535f0", "eventID": "b4f18d55-d36f-49a0-afcb-EXAMPLEc026b", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management", "sessionCredentialFromConsole": "true" }

根用户,密码已更改

下面显示的是根用户更改密码的示例事件。

{ "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "444455556666", "arn": "arn:aws:iam::444455556666:root", "accountId": "444455556666", "accessKeyId": "EXAMPLEAOTKEG44KPW5P", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2022-11-25T13:01:14Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-11-25T13:01:14Z", "eventSource": "iam.amazonaws.com", "eventName": "ChangePassword", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36", "requestParameters": null, "responseElements": null, "requestID": "c64254c2-e4ff-49c0-900e-EXAMPLE9e6d2", "eventID": "d059176c-4f4d-4a9e-b8d7-EXAMPLE2b7b3", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "444455556666", "eventCategory": "Management" }

联合用户的事件记录示例

以下示例显示了联合用户的事件记录。联邦用户将获得临时安全证书,以通过AssumeRole请求访问 Amazon 资源。

以下示例显示了联合身份验证加密请求的事件。userIdentity 元素的 accessKeyId 字段中会提供原始访问密钥 ID。如果加密请求中传递了所请求的 sessionDuration,则 responseElements 中的 accessKeyId 字段会包含新的访问密钥 ID,否则会包含原始访问密钥 ID 的值。

注意

在此示例中,mfaAuthenticated值为falseMFAUsedNo是因为请求是由联合用户发出的。只有当IAM用户或根用户使用发出请求时,这些字段才会设置为 true MFA。

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLEUU4MH7OYK5ZCOA:JohnDoe", "arn": "arn:aws:sts::123456789012:assumed-role/roleName/JohnDoe", "accountId": "123456789012", "accessKeyId": "originalAccessKeyID", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EXAMPLEUU4MH7OYK5ZCOA", "arn": "arn:aws:iam::123456789012:role/roleName", "accountId": "123456789012", "userName": "roleName" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-25T21:30:39Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-09-25T21:30:39Z", "eventSource": "signin.amazonaws.com", "eventName": "GetSigninToken", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Java/1.8.0_382", "requestParameters": null, "responseElements": { "credentials": { "accessKeyId": "accessKeyID" }, "GetSigninToken": "Success" }, "additionalEventData": { "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "1d66615b-a417-40da-a38e-EXAMPLE8c89b", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }

下图显示了联合身份用户的成功登录事件;未使用多重身份验证 () MFA。

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLEPHCNW7ZCASLJOH:JohnDoe", "arn": "arn:aws:sts::123456789012:assumed-role/RoleName/JohnDoe", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EXAMPLEPHCNW7ZCASLJOH", "arn": "arn:aws:iam::123456789012:role/RoleName", "accountId": "123456789012", "userName": "RoleName" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-22T16:15:47Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-09-22T16:15:47Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "b73f1ec6-c064-4cd3-ba83-EXAMPLE441d7", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }