本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
记录网络活动事件
注意
网络活动事件处于预览版 CloudTrail ,可能会发生变化。
CloudTrail 网络活动事件使VPC端点所有者能够记录使用其VPC端点从私有VPC到的 Amazon API呼叫 Amazon Web Services 服务。网络活动事件可让您了解在网络中执行的资源操作VPC。例如,记录网络活动事件可以帮助VPC端点所有者检测组织外部的凭据何时尝试访问其VPC端点。
您可以记录以下服务的网络活动事件:
-
Amazon CloudTrail
-
Amazon EC2
-
Amazon KMS
-
Amazon Secrets Manager
您可以配置跟踪和事件数据存储来记录网络活动事件。
默认情况下,跟踪和事件数据存储不记录网络活动事件。网络活动事件将收取额外费用。有关更多信息,请参阅Amazon CloudTrail 定价
目录
网络活动事件的高级事件选择器字段
您可以通过指定要记录活动的事件源来配置高级事件选择器以记录网络活动事件。您可以使用 Amazon SDKs、 Amazon CLI或 CloudTrail 控制台配置高级事件选择器。
记录网络活动事件需要以下高级事件选择器字段:
-
eventCategory
– 要记录网络活动事件,值必须为NetworkActivity
。eventCategory
只能使用Equals
运算符。 -
eventSource
– 要记录网络活动事件的事件源。eventSource
只能使用Equals
运算符。如果要记录多个事件源的网络活动事件,则必须为每个事件源创建单独的字段选择器。有效值包括:
-
cloudtrail.amazonaws.com
-
ec2.amazonaws.com
-
kms.amazonaws.com
-
secretsmanager.amazonaws.com
-
以下高级事件选择器字段是可选的:
-
eventName
– 要筛选的请求操作。例如,CreateKey
或ListKeys
。eventName
可以使用任何运算符。 -
errorCode
– 要筛选的请求错误代码。目前,唯一有效errorCode
是VpceAccessDenied
。您只能将Equals
运算符与errorCode
配合使用。 -
vpcEndpointId
— 标识操作所经过的VPC端点。您可以将任何运算符与vpcEndpointId
配合使用。
默认情况下,在您创建跟踪或事件数据存储时,未记录网络活动事件。要记录 CloudTrail 网络活动事件,必须明确配置要为其收集活动的每个事件源。
记录网络活动事件将收取额外费用。有关 CloudTrail 定价,请参阅Amazon CloudTrail 定价
使用记录网络活动事件 Amazon Web Services Management Console
您可以使用控制台更新现有跟踪以记录网络活动事件。
更新现有跟踪以记录网络活动事件
使用以下过程更新现有跟踪以记录网络活动事件。
注意
记录网络活动事件将收取额外费用。有关 CloudTrail 定价,请参阅 Amazon CloudTrail
定价
登录 Amazon Web Services Management Console 并打开 CloudTrail 控制台,网址为https://console.aws.amazon.com/cloudtrail/
。 -
在 CloudTrail 控制台的左侧导航窗格中,打开 T rail s 页面,然后选择一个跟踪名称。
-
在网络活动事件中,选择编辑。
要记录网络活动事件,请采取以下步骤:
-
从网络活动事件源中,选择网络活动事件的来源。
-
在 Log selector template(日志选择器模板)中,选择一个模板。您可以选择记录所有网络活动事件、记录所有网络活动访问被拒绝的事件,或者选择自定义来构建自定义日志选择器以筛选多个字段(例如
eventName
和vpcEndpointId
)。 -
(可选)输入用于标识选择器的名称。选择器名称在高级事件选择器中列为名称,如果您展开视图,则可以JSON查看。
-
在高级事件选择器中,通过为字段、运算符和值选择值来构建表达式。如果您使用的是预定义日志模板,则可跳过此步骤。
-
要排除或包括网络活动事件,您可以从控制台中的以下字段中进行选择。
-
eventName
– 您可以将任何运算符与eventName
配合使用。您可以使用它来包含或排除任何事件(如CreateKey
)。 -
errorCode
– 您可以使用它来筛选错误代码。目前,唯一支持的errorCode
是VpceAccessDenied
。 -
vpcEndpointId
— 标识操作所经过的VPC端点。您可以将任何运算符与vpcEndpointId
配合使用。
-
-
对于每个字段,请选择 + 条件以根据需要添加任意数量的条件,所有条件总共可有最多 500 个指定值。
-
根据需要,选择 + Field(+ 字段)以添加其他字段。为了避免错误,请不要为字段设置冲突或重复的值。
-
-
要添加您想要记录网络活动事件的另一个事件源,请选择添加网络活动事件选择器。
-
(可选)展开JSON视图,将您的高级事件选择器视为一个JSON方块。
-
-
选择保存更改以保存您的更改。
使用记录网络活动事件 Amazon Command Line Interface
您可以使用 Amazon CLI配置跟踪或事件数据存储以记录网络活动事件。
示例:记录跟踪的网络活动事件
您可以使用 Amazon CLI配置跟踪以记录网络活动事件。运行 put-event-selectors
要查看您的跟踪是否正在记录网络活动事件,请运行 get-event-selectors
主题
示例:记录 CloudTrail 操作的网络活动事件
以下示例说明如何将跟踪配置为 CloudTrail API包含所有网络活动事件,例如CreateTrail
和CreateEventDataStore
呼叫。eventSource
字段的值是 cloudtrail.amazonaws.com
。
aws cloudtrail put-event-selectors / --trail-name
TrailName
/ --regionregion
/ --advanced-event-selectors '[ { "Name": "Audit all CloudTrail API calls through VPC endpoints", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["cloudtrail.amazonaws.com
"] } ] } ]'
该命令将返回以下示例输出。
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName", "AdvancedEventSelectors": [ { "Name": "Audit all CloudTrail API calls through VPC endpoints", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "
cloudtrail.amazonaws.com
" ] } ] } ] }
示例:记录以下VpceAccessDenied
项的事件 Amazon KMS
以下示例演示了如何配置跟踪以包含 Amazon KMS的 VpceAccessDenied
事件。此示例将 errorCode
字段设置为等于 VpceAccessDenied
事件,将 eventSource
字段设置为等于 kms.amazonaws.com
。
aws cloudtrail put-event-selectors \ --region
region
/ --trail-nameTrailName
/ --advanced-event-selectors '[ { "Name": "Audit AccessDenied Amazon KMS events through VPC endpoints", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["kms.amazonaws.com"] }, { "Field": "errorCode", "Equals": ["VpceAccessDenied"] } ] } ]'
该命令将返回以下示例输出。
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName", "AdvancedEventSelectors": [ { "Name": "Audit AccessDenied Amazon KMS events through VPC endpoints", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "kms.amazonaws.com" ] }, { "Field": "errorCode", "Equals": [ "VpceAccessDenied" ] } ] } ] }
示例:通过特定VPC端点记录EC2VpceAccessDenied
事件
以下示例说明如何将您的跟踪配置为包含针对特定VPC终端节点的 Amazon VpceAccessDenied
EC2 事件。此示例将errorCode
字段设置为VpceAccessDenied
事件,将eventSource
字段设置为ec2.amazonaws.com
vpcEndpointId
等于感兴趣的VPC端点。
aws cloudtrail put-event-selectors \ --region
region
/ --trail-nameTrailName
/ --advanced-event-selectors '[ { "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["ec2.amazonaws.com"] }, { "Field": "errorCode", "Equals": ["VpceAccessDenied"] }, { "Field": "vpcEndpointId", "Equals": ["vpce-example8c1b6b9b7"] } ] } ]'
该命令将返回以下示例输出。
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName", "AdvancedEventSelectors": [ { "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "ec2.amazonaws.com" ] }, { "Field": "errorCode", "Equals": [ "VpceAccessDenied" ] }, { "Field": "vpcEndpointId", "Equals": [ "vpce-example8c1b6b9b7" ] } ] } ] }
示例:记录多个事件源的所有管理事件和网络活动事件
以下示例将跟踪配置为记录 CloudTrail、Amazon EC2 和事件源的管理事件和所有网络活动 Amazon Secrets Manager 事件。 Amazon KMS
aws cloudtrail put-event-selectors \ --region
region
/ --trail-nameTrailName
/ --advanced-event-selectors '[ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] }, { "Name": "Log all network activity events for CloudTrail APIs", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["cloudtrail.amazonaws.com"] } ] }, { "Name": "Log all network activity events for EC2", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["ec2.amazonaws.com"] } ] }, { "Name": "Log all network activity events for KMS", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"]}, { "Field": "eventSource", "Equals": ["kms.amazonaws.com"] } ] }, { "Name": "Log all network activity events for Secrets Manager", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["secretsmanager.amazonaws.com"] } ] } ]'
该命令将返回以下示例输出。
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TrailName", "AdvancedEventSelectors": [ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] }, { "Name": "Log all network activity events for CloudTrail APIs", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "cloudtrail.amazonaws.com" ] } ] }, { "Name": "Log all network activity events for EC2", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "ec2.amazonaws.com" ] } ] }, { "Name": "Log all network activity events for KMS", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "kms.amazonaws.com" ] } ] }, { "Name": "Log all network activity events for Secrets Manager", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "secretsmanager.amazonaws.com" ] } ] } ] }
示例:记录事件数据存储的网络活动事件
您可以使用 Amazon CLI配置事件数据存储以包含网络活动事件。使用 create-event-data-store
update-event-data-store
要查看事件数据存储是否包含网络活动事件,请运行 get-event-data-store
aws cloudtrail get-event-data-store --event-data-store
EventDataStoreARN
主题
示例:记录 CloudTrail 操作的所有网络活动事件
以下示例说明如何创建包含与 CloudTrail 操作相关的所有网络活动事件(例如对CreateTrail
和的调用)的事件数据存储CreateEventDataStore
。eventSource
字段的值设置为 cloudtrail.amazonaws.com
。
aws cloudtrail create-event-data-store \ --name "
EventDataStoreName
" \ --advanced-event-selectors '[ { "Name": "Audit all CloudTrail API calls over VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["cloudtrail.amazonaws.com"] } ] } ]'
该命令将返回以下示例输出。
{ "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE492-301f-4053-ac5e-EXAMPLE441aa", "Name": "EventDataStoreName", "Status": "ENABLED", "AdvancedEventSelectors": [ { "Name": "Audit all CloudTrail API calls over VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "cloudtrail.amazonaws.com" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "RetentionPeriod": 366, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00", "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00" }
示例:记录以下VpceAccessDenied
项的事件 Amazon KMS
以下示例说明如何创建事件数据存储以包含其中的VpceAccessDenied
事件 Amazon KMS。此示例将 errorCode
字段设置为等于 VpceAccessDenied
事件,将 eventSource
字段设置为等于 kms.amazonaws.com
。
aws cloudtrail create-event-data-store \ --name
EventDataStoreName
\ --advanced-event-selectors '[ { "Name": "Audit AccessDenied Amazon KMS events over VPC endpoints", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["kms.amazonaws.com"] }, { "Field": "errorCode", "Equals": ["VpceAccessDenied"] } ] } ]'
该命令将返回以下示例输出。
{ "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890", "Name": "EventDataStoreName", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Audit AccessDenied Amazon KMS events over VPC endpoints", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "kms.amazonaws.com" ] }, { "Field": "errorCode", "Equals": [ "VpceAccessDenied" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "RetentionPeriod": 366, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00", "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00" }
示例:通过特定VPC端点记录EC2VpceAccessDenied
事件
以下示例说明如何创建事件数据存储以包含特定VPC终端节点EC2的 Amazon VpceAccessDenied
事件。此示例将errorCode
字段设置为VpceAccessDenied
事件,将eventSource
字段设置为ec2.amazonaws.com
vpcEndpointId
等于感兴趣的VPC端点。
aws cloudtrail create-event-data-store \ --name
EventDataStoreName
\ --advanced-event-selectors '[ { "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["ec2.amazonaws.com"] }, { "Field": "errorCode", "Equals": ["VpceAccessDenied"] }, { "Field": "vpcEndpointId", "Equals": ["vpce-example8c1b6b9b7"] } ] } ]'
该命令将返回以下示例输出。
{ "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890", "Name": "EventDataStoreName", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "ec2.amazonaws.com" ] }, { "Field": "errorCode", "Equals": [ "VpceAccessDenied" ] }, { "Field": "vpcEndpointId", "Equals": [ "vpce-example8c1b6b9b7" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "RetentionPeriod": 366, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00", "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00" }
示例:记录多个事件源的所有管理事件和网络活动事件
以下示例将当前仅记录管理事件的事件数据存储更新为同时记录多个事件源的网络活动事件。要更新事件数据存储以添加新的事件选择器,请运行get-event-data-store
命令以返回当前的高级事件选择器。然后,运行update-event-data-store
命令并传入--advanced-event-selectors
包含当前选择器以及所有新选择器的。要记录多个事件源的网络活动事件,请为要记录的每个事件源添加一个选择器。
aws cloudtrail update-event-data-store \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \ --advanced-event-selectors '[ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] }, { "Name": "Log all network activity events for CloudTrail APIs", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["cloudtrail.amazonaws.com"] } ] }, { "Name": "Log all network activity events for EC2", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["ec2.amazonaws.com"] } ] }, { "Name": "Log all network activity events for KMS", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"]}, { "Field": "eventSource", "Equals": ["kms.amazonaws.com"] } ] }, { "Name": "Log all network activity events for Secrets Manager", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["secretsmanager.amazonaws.com"] } ] } ]'
该命令将返回以下示例输出。
{ "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890", "Name": "EventDataStoreName", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] }, { "Name": "Log all network activity events for CloudTrail APIs", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "cloudtrail.amazonaws.com" ] } ] }, { "Name": "Log all network activity events for EC2", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "ec2.amazonaws.com" ] } ] }, { "Name": "Log all network activity events for KMS", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "kms.amazonaws.com" ] } ] }, { "Name": "Log all network activity events for Secrets Manager", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "secretsmanager.amazonaws.com" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "RetentionPeriod": 366, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2024-11-20T21:00:17.673000+00:00", "UpdatedTimestamp": "2024-11-20T21:00:17.820000+00:00" }
使用记录事件 Amazon SDKs
运行该GetEventSelectors操作以查看您的跟踪是否正在记录网络活动事件。您可以通过运行PutEventSelectors操作将跟踪配置为记录网络活动事件。有关更多信息,请参阅《Amazon CloudTrail API参考》。
运行该GetEventDataStore操作以查看您的事件数据存储是否正在记录网络活动事件。通过运行CreateEventDataStore或UpdateEventDataStore操作并指定高级事件选择器,您可以将事件数据存储配置为包含网络活动事件。有关更多信息,请参阅使用创建、更新和管理事件数据存储 Amazon CLI和参Amazon CloudTrail API考。