本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Web Services Management Console 登录事件
重要
自 2021 年 11 月 22 日起,Amazon CloudTrail将使 Amazon CloudFront 事件仅在已处理事件的区域中可用,即中国(宁夏)区域 cn-northwest-1。对于监控全球服务事件的跟踪,请务必将中国(北京)区域 cn-north-1 的单区域跟踪转换为多区域跟踪,以包括中国(宁夏)区域 cn-northwest-1 的事件。在引用CloudFront事件时,还应记得将引用中国(北京)区域 cn-north-1 的 lookup-events API 调用的区域更新为中国(宁夏)区域 cn-northwest-1。有关使用 CLI 来更新或创建全球服务事件的跟踪记录以及更新查找事件的更多信息,请参阅使用查看CloudTrail事件 Amazon CLI和使用 update-trail。
CloudTrail记录尝试登录Amazon Web Services Management Console、Amazon论坛和 Su Amazon pport 中心的操作。所有 IAM 用户和根用户登录事件,以及所有联合身份用户登录事件,将生成CloudTrail日志文件中的记录。 Amazon Web Services Management Console登录事件是全局服务事件。有关获取和查看日志的信息,请参阅 获取并查看您的 CloudTrail 日志文件。
IAM 用户的示例记录
以下示例显示了适用于多种 IAM 用户登录方案的事件记录。
主题
IAM 用户,未使用 MFA 而成功登录
以下记录显示名为 Anaya 的用户Amazon Web Services Management Console未使用多重验证(MFA)而成功登录到。
{ "Records":[ { "eventVersion":"1.05", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/anaya", "accountId":"111122223333", "userName":"anaya" }, "eventTime":"2022-11-10T16:24:34Z", "eventSource":"signin.amazonaws.com", "eventName":"ConsoleLogin", "awsRegion":"us-east-2", "sourceIPAddress":"192.0.2.0", "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0", "requestParameters":null, "responseElements":{ "ConsoleLogin":"Success" }, "additionalEventData":{ "MobileVersion":"No", "LoginTo":"https://console.aws.amazon.com/sns", "MFAUsed":"No" }, "eventID":"3fcfb182-98f8-4744-bd45-10a395ab61cb", "eventType": "AwsConsoleSignIn" } ] }
IAM 用户,使用 MFA 成功登录
以下记录显示名为 Anaya 的 IAM 用户Amazon Web Services Management Console使用多重验证(MFA)成功登录到。
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:user/anaya", "accountId": "111122223333", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD", "MFAUsed": "Yes" }, "eventID": "fed06f42-cb12-4764-8c69-121063dc79b9", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
IAM 用户,登录失败
以下记录显示一个 IAM 用户的不成功登录尝试。
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "accountId": "111122223333", "accessKeyId": "", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "errorMessage": "Failed authentication", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAUsed": "Yes" }, "eventID": "d38ce1b3-4575-4cb8-a632-611b8243bfc3", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
IAM 用户,针对 MFA 的登录流程检查(单一 MFA 设备类型)
以下显示登录过程检查 IAM 用户在登录过程中是否需要多重验证 (MFA)。在此示例中,mfaType值为U2F MFA,表示 IAM 用户启用了单个 MFA 设备或多个相同类型的 MFA 设备()U2F MFA。
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "accountId": "111122223333", "accessKeyId": "", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "CheckMfa", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "requestParameters": null, "responseElements": { "CheckMfa": "Success" }, "additionalEventData": { "MfaType": "U2F MFA" }, "eventID": "f8ef8fc5-e3e8-4ee1-9d52-2f412ddf17e3", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
IAM 用户,针对 MFA 的登录流程检查(多种 MFA 设备类型)
以下显示登录过程检查 IAM 用户在登录过程中是否需要多重验证 (MFA)。在此示例中,mfaType 值为 Multiple MFA Devices,表示 IAM 用户启用了多种 MFA 设备类型。
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "accountId": "111122223333", "accessKeyId": "", "userName": "anaya" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "CheckMfa", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "requestParameters": null, "responseElements": { "CheckMfa": "Success" }, "additionalEventData": { "MfaType": "Multiple MFA Devices" }, "eventID": "f8ef8fc5-e3e8-4ee1-9d52-2f412ddf17e3", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
根用户的示例事件记录
以下示例显示了适用于多种 root 用户登录方案的事件记录。
根用户,未使用 MFA 而成功登录
以下信息显示根用户未使用多重身份验证(MFA)而成功登录的事件。
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "deb1e1f9-c99b-4612-8e9f-21f93b5d79c0", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
根用户,使用 MFA 成功登录
以下信息显示根用户使用多重身份验证(MFA)成功登录的事件。
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::111122223333:mfa/root-account-mfa-device", "MFAUsed": "YES" }, "eventID": "deb1e1f9-c99b-4612-8e9f-21f93b5d79c0", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
根用户,登录失败
下面显示的是未使用 MFA 的根用户登录失败事件。
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36", "errorMessage": "Failed authentication", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "a4fbbe77-91a0-4238-804a-64314184edb6", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }
根用户,MFA 已更改
下面显示的是根用户更改多重身份验证 (MFA) 设置的示例事件。
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "EXAMPLE", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-10-13T21:05:40Z" } } }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Coral/Netty4", "requestParameters": { "userName": "AWS ROOT USER", "serialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device" }, "responseElements": null, "requestID": "EXAMPLE4-2cf7-4a44-af00-f61f0EXAMPLE", "eventID": "EXAMPLEb-7dae-48cb-895f-20e86EXAMPLE", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
根用户,密码已更改
下面显示的是根用户更改密码的示例事件。
{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "" }, "eventTime": "2022-11-10T16:24:34Z", "eventSource": "signin.amazonaws.com", "eventName": "PasswordUpdated", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0", "requestParameters": null, "responseElements": { "PasswordUpdated": "Success" }, "eventID": "EXAMPLEd-244c-4044-abbf-21c64EXAMPLE", "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333" }