This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.
CloudTrail log file examples
CloudTrail monitors events for your account. If you create a trail, it delivers those events as log files to your Amazon Simple Storage Service (Amazon S3) bucket. If you create an event data store in CloudTrail Lake, events are logged to your event data store instead. Event data stores do not use S3 buckets.
CloudTrail log file name format
CloudTrail uses the following file name format for the log file objects that it delivers to your Amazon S3 bucket:
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
- YYYY, MM, DD, HH, and mm are the digits of the year, month, day, hour, and minute at which the log file was delivered. Hours are in 24-hour format. The Z indicates that the time is in UTC.
  Note: A log file delivered at a specific time can contain records written at any point before that time.
- The 16-character UniqueString component of the log file name exists to prevent files from overwriting each other. It has no meaning, and log processing software should ignore it.
- FileNameFormat is the encoding of the file. Currently, this is json.gz, which is a JSON text file in compressed gzip format.
Example CloudTrail log file name
111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz
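The following Python is an added example, not code from the CloudTrail documentation. It parses an object name in the format described above into its meaningful components, validates but deliberately discards the UniqueString (which the documentation says carries no meaning), and implements the check implied by the note: a file delivered at time T may contain records from any time before T, so a record whose eventTime is later than the delivery time is worth a second look. The regular expression, the function names and the SAMPLE_RECORDS list (with made-up eventTime values) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Added example (not AWS documentation code). Matches the documented format:
# AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
# The region pattern is an assumption that covers names such as us-east-2,
# us-gov-west-1 and cn-northwest-1.
LOG_NAME_RE = re.compile(
    r"^(?P<account_id>\d{12})_CloudTrail_"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_"
    r"(?P<unique>[A-Za-z0-9]{16})\."
    r"(?P<format>json\.gz)$"
)


def parse_log_file_name(name):
    """Return the meaningful components of a CloudTrail log file name, or None.

    The 16-character UniqueString is matched (so the whole name is validated)
    but not returned: per the documentation it has no meaning and log
    processing software should ignore it.
    """
    match = LOG_NAME_RE.match(name)
    if match is None:
        return None
    delivered = datetime.strptime(match.group("stamp"), "%Y%m%dT%H%MZ")
    return {
        "account_id": match.group("account_id"),
        "region": match.group("region"),
        "delivered_at": delivered.replace(tzinfo=timezone.utc),  # the Z means UTC
        "format": match.group("format"),
    }


def events_after_delivery(records, delivered_at):
    """Return the eventIDs of records whose eventTime is later than the delivery time.

    Records written before the delivery time are expected (see the note above);
    a record stamped after it indicates a clock problem or a tampered file.
    """
    late = []
    for record in records:
        event_time = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if event_time.replace(tzinfo=timezone.utc) > delivered_at:
            late.append(record.get("eventID"))
    return late


# Constructed records for the delivery-time check; eventIDs and times are made up.
SAMPLE_RECORDS = [
    {"eventID": "00000000-0000-0000-0000-000000000001", "eventTime": "2015-08-01T02:03:11Z"},
    {"eventID": "00000000-0000-0000-0000-000000000002", "eventTime": "2015-08-01T02:14:30Z"},
]

if __name__ == "__main__":
    info = parse_log_file_name(
        "111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz")
    print(info)
    print("records later than delivery:", events_after_delivery(SAMPLE_RECORDS, info["delivered_at"]))
```

Run against the example file name above, parse_log_file_name returns account 111122223333, region us-east-2 and a delivery time of 2015-08-01 02:10 UTC, and the second constructed record (02:14 UTC) is reported as later than delivery.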
Log file examples
A log file contains one or more records. The following examples are snippets of logs that show the records for an action that started the creation of a log file.
Amazon EC2 log examples
Amazon Elastic Compute Cloud (Amazon EC2) provides resizable computing capacity in the Amazon Web Services Cloud. You can launch virtual servers, configure security and networking, and manage storage. Amazon EC2 can also scale up or down quickly to handle changes in requirements or spikes in demand, which reduces your need to forecast server traffic. For more information, see the Amazon EC2 User Guide for Linux Instances.
The following example shows that an IAM user named Alice used the Amazon CLI to run the ec2-start-instances command, which called the Amazon EC2 StartInstances action for instance i-ebeaf9e2.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "accountId": "123456789012",
        "userName": "Alice"
      },
      "eventTime": "2014-03-06T21:22:54Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "StartInstances",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "205.251.233.176",
      "userAgent": "ec2-api-tools 1.6.12.2",
      "requestParameters": {
        "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]}
      },
      "responseElements": {
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-ebeaf9e2",
              "currentState": {"code": 0, "name": "pending"},
              "previousState": {"code": 80, "name": "stopped"}
            }
          ]
        }
      }
    }
  ]
}
The following example shows that an IAM user named Alice used the Amazon CLI to run the ec2-stop-instances command, which called the Amazon EC2 StopInstances action.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-06T21:01:59Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "StopInstances",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "205.251.233.176",
      "userAgent": "ec2-api-tools 1.6.12.2",
      "requestParameters": {
        "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
        "force": false
      },
      "responseElements": {
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-ebeaf9e2",
              "currentState": {"code": 64, "name": "stopping"},
              "previousState": {"code": 16, "name": "running"}
            }
          ]
        }
      }
    }
  ]
}
The following example shows that the Amazon EC2 console back end called the CreateKeyPair action in response to a request initiated by the IAM user named Alice. Note that the responseElements contain a hash (fingerprint) of the key pair, and that Amazon removed the key material from the log.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-06T15:15:06Z"
          }
        }
      },
      "eventTime": "2014-03-06T17:10:34Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "CreateKeyPair",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "72.21.198.64",
      "userAgent": "EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
      "requestParameters": {"keyName": "mykeypair"},
      "responseElements": {
        "keyName": "mykeypair",
        "keyFingerprint": "30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21",
        "keyMaterial": "\u003csensitiveDataRemoved\u003e"
      }
    }
  ]
}
IAM log examples
Amazon Identity and Access Management (IAM) is a web service that helps you securely control access to Amazon resources. With IAM, you can centrally manage the permissions that control which Amazon resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. For more information, see the IAM User Guide.
The following example shows that the IAM user Alice used the Amazon CLI to call the CreateUser action to create a new user named Bob.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-24T21:11:59Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "CreateUser",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
      "requestParameters": {"userName": "Bob"},
      "responseElements": {
        "user": {
          "createDate": "Mar 24, 2014 9:11:59 PM",
          "userName": "Bob",
          "arn": "arn:aws:iam::123456789012:user/Bob",
          "path": "/",
          "userId": "EXAMPLEUSERID"
        }
      }
    }
  ]
}
The following example shows that the IAM user Alice used the Amazon Web Services Management Console to call the AddUserToGroup action to add Bob to the admin group.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-25T18:45:11Z"
          }
        }
      },
      "eventTime": "2014-03-25T21:08:14Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "AddUserToGroup",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "AWSConsole",
      "requestParameters": {
        "userName": "Bob",
        "groupName": "admin"
      },
      "responseElements": null
    }
  ]
}
The following example shows that the IAM user Alice used the Amazon CLI to call the CreateRole action to create a new IAM role.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-25T20:17:37Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "CreateRole",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
      "requestParameters": {
        "assumeRolePolicyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\", \n\"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::210987654321:root\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}",
        "roleName": "TestRole"
      },
      "responseElements": {
        "role": {
          "assumeRolePolicyDocument": "%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22Sid%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%22Principal%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws%3Aiam%3A%3A803981987763%3Aroot%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D",
          "roleName": "TestRole",
          "roleId": "AROAIUU2EOWSWPGX2UJUO",
          "arn": "arn:aws:iam::123456789012:role/TestRole",
          "createDate": "Mar 25, 2014 8:17:37 PM",
          "path": "/"
        }
      }
    }
  ]
}
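The three IAM records above are exactly the kind of change a reviewer wants surfaced from a log file: a new user, a user added to an administrative group from a session without MFA, and a role whose trust policy (delivered as a JSON string inside requestParameters) allows a principal in a different account to call sts:AssumeRole. The following Python is an added example, not CloudTrail documentation code, showing how to pull those three signals out of records with the structure shown on this page. SAMPLE_IAM_RECORDS is constructed to mirror the page's examples (same actors, names and account IDs, with fields not needed here omitted); the function names, the SENSITIVE_IAM_EVENTS set and the privileged_groups parameter are assumptions of this example.

```python
import json

# Added example (not AWS documentation code). Constructed records mirroring the
# CreateUser, AddUserToGroup and CreateRole examples on this page.
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
          "accountId": "123456789012", "userName": "Alice"}
SAMPLE_IAM_RECORDS = [
    {"eventVersion": "1.0", "userIdentity": dict(_ALICE),
     "eventTime": "2014-03-24T21:11:59Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "Bob"}},
    {"eventVersion": "1.0",
     "userIdentity": dict(_ALICE, sessionContext={"attributes": {
         "mfaAuthenticated": "false", "creationDate": "2014-03-25T18:45:11Z"}}),
     "eventTime": "2014-03-25T21:08:14Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup",
     "requestParameters": {"userName": "Bob", "groupName": "admin"}},
    {"eventVersion": "1.0", "userIdentity": dict(_ALICE),
     "eventTime": "2014-03-25T20:17:37Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "requestParameters": {
         "roleName": "TestRole",
         # The trust policy arrives as a JSON string embedded in the JSON record.
         "assumeRolePolicyDocument": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Sid": "", "Effect": "Allow",
                            "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                            "Action": "sts:AssumeRole"}]})}},
]

# IAM actions from this page that should always be reviewed; extend as needed.
SENSITIVE_IAM_EVENTS = {"CreateUser", "AddUserToGroup", "CreateRole"}


def mfa_authenticated(record):
    """True/False from sessionContext.attributes.mfaAuthenticated, or None when the
    record has no session context (e.g. a CLI call made with long-term access keys)."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    value = attrs.get("mfaAuthenticated")
    return None if value is None else value == "true"


def foreign_trusted_principals(record, own_account):
    """For a CreateRole record, return the account IDs (or '*') outside own_account
    that the trust policy allows to assume the role."""
    if record.get("eventName") != "CreateRole":
        return set()
    doc = json.loads(record["requestParameters"]["assumeRolePolicyDocument"])
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    foreign = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                foreign.add("*")
                continue
            parts = p.split(":")              # arn:aws:iam::ACCOUNT:root -> parts[4]
            account = parts[4] if len(parts) > 4 else p
            if account != own_account:
                foreign.add(account)
    return foreign


def review_iam_records(records, privileged_groups=frozenset({"admin"})):
    """One finding per sensitive IAM change, with the reasons a reviewer should look at it."""
    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") not in SENSITIVE_IAM_EVENTS:
            continue
        identity = r.get("userIdentity", {})
        params = r.get("requestParameters") or {}
        reasons = []
        if mfa_authenticated(r) is False:
            reasons.append("session not MFA-authenticated")
        if r["eventName"] == "AddUserToGroup" and params.get("groupName") in privileged_groups:
            reasons.append("user %s added to privileged group %s" % (params.get("userName"), params["groupName"]))
        for account in sorted(foreign_trusted_principals(r, identity.get("accountId"))):
            reasons.append("trust policy allows foreign principal %s" % account)
        findings.append({"eventName": r["eventName"], "eventTime": r.get("eventTime"),
                         "actor": identity.get("arn"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_iam_records(SAMPLE_IAM_RECORDS):
        print(finding)
```

On the constructed records this reports the CreateUser call with no extra reasons (a CLI call with access keys has no sessionContext, so MFA status is unknown rather than false), the AddUserToGroup call with both the non-MFA session and the privileged group, and the CreateRole call because the trust policy names account 210987654321 while the caller's account is 123456789012.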
Example error code and message log record
The following example shows that the IAM user Alice used the Amazon CLI to call the UpdateTrail action to update a trail named myTrail2, but the trail name was not found. The log shows this error in the errorCode and errorMessage elements.
{
  "Records": [
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2016-07-14T19:15:45Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "UpdateTrail",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "205.251.233.182",
      "userAgent": "aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22",
      "errorCode": "TrailNotFoundException",
      "errorMessage": "Unknown trail: myTrail2 for the user: 123456789012",
      "requestParameters": {"name": "myTrail2"},
      "responseElements": null,
      "requestID": "5d40662a-49f7-11e6-97e4-d9cb6ff7d6a3",
      "eventID": "b7d4398e-b2f0-4faa-9c76-e2d316a8d67f",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}
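Failed calls are recorded with the same structure as successful ones plus errorCode and errorMessage, so triaging them is a matter of reading the json.gz object, walking Records and grouping the records that carry an errorCode. The following Python is an added example, not CloudTrail documentation code: SAMPLE_LOG_GZ is built in memory to stand in for one delivered log object and contains the UpdateTrail failure from this page, a second, constructed repeat of the same failure, and one constructed successful DescribeTrails call; the placeholder eventIDs and the helper names are assumptions of this example.

```python
import gzip
import json
from collections import Counter

# Added example (not AWS documentation code). Constructed stand-in for one
# json.gz log object as CloudTrail would deliver it to S3.
_ALICE = {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
          "arn": "arn:aws:iam::123456789012:user/Alice",
          "accountId": "123456789012", "userName": "Alice"}
_FAILED_UPDATE = {  # the error record from this page, trimmed to the fields used here
    "eventVersion": "1.04", "userIdentity": _ALICE,
    "eventTime": "2016-07-14T19:15:45Z", "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "UpdateTrail", "awsRegion": "us-east-2",
    "errorCode": "TrailNotFoundException",
    "errorMessage": "Unknown trail: myTrail2 for the user: 123456789012",
    "requestParameters": {"name": "myTrail2"}, "responseElements": None,
    "eventID": "b7d4398e-b2f0-4faa-9c76-e2d316a8d67f", "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012",
}
_OK_DESCRIBE = {  # constructed successful call; the eventID is a placeholder
    "eventVersion": "1.04", "userIdentity": _ALICE,
    "eventTime": "2016-07-14T19:16:02Z", "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "DescribeTrails", "awsRegion": "us-east-2",
    "requestParameters": None, "responseElements": None,
    "eventID": "00000000-0000-0000-0000-000000000001", "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012",
}
SAMPLE_LOG_GZ = gzip.compress(json.dumps({"Records": [
    _FAILED_UPDATE,
    dict(_FAILED_UPDATE, eventTime="2016-07-14T19:15:50Z",          # constructed repeat
         eventID="00000000-0000-0000-0000-000000000002"),
    _OK_DESCRIBE,
]}).encode("utf-8"))


def iter_records(gz_bytes):
    """Yield each record from the gzip-compressed JSON body of one log file object."""
    payload = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    yield from payload.get("Records", [])


def error_records(records):
    """Records that carry an errorCode: the call was rejected or failed."""
    return [r for r in records if r.get("errorCode")]


def error_summary(records):
    """Count failures per (caller ARN, service, errorCode) so repeated failures stand out."""
    counts = Counter()
    for r in error_records(records):
        caller = r.get("userIdentity", {}).get("arn")
        counts[(caller, r.get("eventSource"), r["errorCode"])] += 1
    return counts


if __name__ == "__main__":
    records = list(iter_records(SAMPLE_LOG_GZ))
    for r in error_records(records):
        print(r["eventTime"], r["eventName"], r["errorCode"], "-", r["errorMessage"])
    for key, n in error_summary(records).items():
        print(n, "x", key)
```

The summary keys the counts on the caller, the service and the error code rather than on the message text, because errorMessage embeds request-specific values (here the trail name) that would split otherwise identical failures into separate buckets.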
CloudTrail Insights event log examples
The following example shows a CloudTrail Insights event log. An Insights event is actually a pair of events that mark the start and end of a period of unusual write management API activity or error response activity. The state field shows whether the event was logged at the start or the end of the period of unusual activity. The event name, UpdateInstanceInformation, is the same as the name of the Amazon Systems Manager API for which CloudTrail analyzed management events to determine that unusual activity occurred. Although the start and end events have unique eventID values, they also share a sharedEventID value that is used by the pair. The Insights event shows the baseline, or the normal pattern of activity, and the insight, or the average unusual activity that triggered the start Insights event; in the end event, it also shows the insight value for the average unusual activity over the duration of the Insights event. For more information about CloudTrail Insights, see Logging Insights events for trails.
{
  "Records": [
    {
      "eventVersion": "1.07",
      "eventTime": "2019-11-14T00:51:00Z",
      "awsRegion": "us-east-1",
      "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
      "eventType": "AwsCloudTrailInsight",
      "recipientAccountId": "123456789012",
      "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE",
      "insightDetails": {
        "state": "Start",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "UpdateInstanceInformation",
        "insightType": "ApiCallRateInsight",
        "insightContext": {
          "statistics": {
            "baseline": {"average": 85.4202380952},
            "insight": {"average": 664}
          }
        }
      },
      "eventCategory": "Insight"
    },
    {
      "eventVersion": "1.07",
      "eventTime": "2019-11-14T00:52:00Z",
      "awsRegion": "us-east-1",
      "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
      "eventType": "AwsCloudTrailInsight",
      "recipientAccountId": "123456789012",
      "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE",
      "insightDetails": {
        "state": "End",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "UpdateInstanceInformation",
        "insightType": "ApiCallRateInsight",
        "insightContext": {
          "statistics": {
            "baseline": {"average": 85.4202380952},
            "insight": {"average": 664},
            "insightDuration": 1
          }
        }
      },
      "eventCategory": "Insight"
    }
  ]
}
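Because an Insights event arrives as two records joined only by sharedEventID, anything that alerts on them needs to reassemble the pair first. The following Python is an added example, not CloudTrail documentation code: it groups Insights records by sharedEventID, records the Start and End times, the baseline and insight averages and the insightDuration from the End record, computes how far above baseline the unusual activity was, and flags pairs that are still open (only a Start seen) or that exceed a ratio threshold. SAMPLE_INSIGHT_RECORDS is constructed from the pair shown above; the function names and the min_ratio threshold are assumptions of this example.

```python
# Added example (not AWS documentation code). Constructed copy of the Start/End
# Insights pair shown on this page.
_COMMON = {"eventVersion": "1.07", "awsRegion": "us-east-1",
           "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012",
           "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE", "eventCategory": "Insight"}
_DETAILS = {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation",
            "insightType": "ApiCallRateInsight"}
SAMPLE_INSIGHT_RECORDS = [
    dict(_COMMON, eventTime="2019-11-14T00:51:00Z", eventID="EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
         insightDetails=dict(_DETAILS, state="Start", insightContext={"statistics": {
             "baseline": {"average": 85.4202380952}, "insight": {"average": 664}}})),
    dict(_COMMON, eventTime="2019-11-14T00:52:00Z", eventID="EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
         insightDetails=dict(_DETAILS, state="End", insightContext={"statistics": {
             "baseline": {"average": 85.4202380952}, "insight": {"average": 664},
             "insightDuration": 1}})),
]


def pair_insight_events(records):
    """Join Start and End Insights records on sharedEventID; one summary dict per pair."""
    pairs = {}
    for r in records:
        if r.get("eventType") != "AwsCloudTrailInsight":
            continue                                   # ordinary management/data events
        details = r["insightDetails"]
        stats = details["insightContext"]["statistics"]
        entry = pairs.setdefault(r["sharedEventID"], {
            "sharedEventID": r["sharedEventID"],
            "eventSource": details["eventSource"],
            "eventName": details["eventName"],
            "insightType": details["insightType"],
        })
        if details["state"] == "Start":
            entry["start"] = r["eventTime"]
            entry["baseline_avg"] = stats["baseline"]["average"]
            entry["insight_avg"] = stats["insight"]["average"]
        elif details["state"] == "End":
            entry["end"] = r["eventTime"]
            entry["insight_avg_end"] = stats["insight"]["average"]
            entry["insight_duration"] = stats.get("insightDuration")  # present on End only
    summaries = []
    for entry in pairs.values():
        # A pair with no End yet is still in progress (or the End record has not arrived).
        entry["complete"] = "start" in entry and "end" in entry
        baseline = entry.get("baseline_avg")
        entry["ratio"] = entry["insight_avg"] / baseline if baseline and "insight_avg" in entry else None
        summaries.append(entry)
    return summaries


def elevated_pairs(summaries, min_ratio=5.0):
    """Pairs whose unusual-activity average is at least min_ratio times the baseline."""
    return [s for s in summaries if s.get("ratio") is not None and s["ratio"] >= min_ratio]


if __name__ == "__main__":
    for s in pair_insight_events(SAMPLE_INSIGHT_RECORDS):
        print(s["eventSource"], s["eventName"], "start:", s.get("start"), "end:", s.get("end"),
              "ratio: %.2f" % s["ratio"], "complete:", s["complete"])
```

For the pair above the insight average of 664 calls is roughly 7.8 times the baseline of about 85.4, so the pair is reported by elevated_pairs at the default threshold; feeding only the End record produces an incomplete summary with no ratio, which is the case a consumer must tolerate when the two records land in different log files.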