CloudTrail 日志事件参考 - Amazon CloudTrail
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

CloudTrail 日志事件参考

CloudTrail 日志是一种 JSON 格式的记录。日志包含有关您账户中的资源请求的信息,如谁发出请求、所使用的服务、执行的操作以及操作的参数。事件数据包含在 Records 数组中。

以下示例显示了单一的事件日志记录,其中,名为 Mary_Major 的 IAM 用户从 CloudTrail 控制台调用了 CloudTrail StartLogging API 以启动日志记录过程。

{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDAJDPLRKLG7UEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Mary_Major", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mary_Major", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-06-18T22:28:31Z" } }, "invokedBy": "signin.amazonaws.com" }, "eventTime": "2019-06-19T00:18:31Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.64", "userAgent": "signin.amazonaws.com", "requestParameters": { "name": "arn:aws:cloudtrail:us-east-2:123456789012:trail/My-First-Trail" }, "responseElements": null, "requestID": "ddf5140f-EXAMPLE", "eventID": "7116c6a1-EXAMPLE", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }, ... additional entries ...

记录两种事件以显示 CloudTrail Insights 中的异常活动:启动事件和结束事件。下面的示例显示了一个启动见解事件的单个日志记录,该事件是在不寻常地多次调用 Application Auto Scaling API CompleteLifecycleAction 时发生的。对于见解事件,eventCategory 的值为 InsightinsightDetails 块标识事件状态、源、名称、见解类型和上下文,包括统计信息和归因。有关 insightDetails 块的更多信息,请参阅 CloudTrail 见解 insightDetails 元素

{ "eventVersion": "1.07", "eventTime": "2020-07-21T20:56:00Z", "awsRegion": "us-east-1", "eventID": "abcd00b0-ccfe-422d-961c-98a2198a408x", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "838185438692", "sharedEventID": "7bb000gg-22b3-4c03-94af-c74tj0c8m7c0", "insightDetails": { "state": "Start", "eventSource": "autoscaling.amazonaws.com", "eventName": "CompleteLifecycleAction", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 0.0000882145 }, "insight": { "average": 0.6 }, "insightDuration": 5, "baselineDuration": 11336 }, "attributions": [ { "attribute": "userIdentityArn", "insight": [ { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.2 }, { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole2", "average": 0.2 }, { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole3", "average": 0.2 } ], "baseline": [ { "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.0000882145 } ] }, { "attribute": "userAgent", "insight": [ { "value": "codedeploy.amazonaws.com", "average": 0.6 } ], "baseline": [ { "value": "codedeploy.amazonaws.com", "average": 0.0000882145 } ] }, { "attribute": "errorCode", "insight": [ { "value": "null", "average": 0.6 } ], "baseline": [ { "value": "null", "average": 0.0000882145 } ] } ] } }, "eventCategory": "Insight" }

以下主题列出 CloudTrail 为每个 Amazon API 调用和登录事件捕获的数据字段。