支持的事件数据存储的 SQL 架构
以下各节提供了每种事件数据存储类型支持的 SQL 架构。
主题
CloudTrail 事件记录字段支持的架构
下面是 CloudTrail 管理、数据和网络活动事件记录字段的有效 SQL 架构。有关 CloudTrail 事件记录字段的更多信息,请参阅 CloudTrail 记录管理事件、数据事件和网络活动事件的内容。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "useridentity", "Type": "struct<type:string,principalid:string,arn:string,accountid:string,accesskeyid:string, username:string,sessioncontext:struct<attributes:struct<creationdate:timestamp, mfaauthenticated:string>,sessionissuer:struct<type:string,principalid:string,arn:string, accountid:string,username:string>,webidfederationdata:struct<federatedprovider:string, attributes:map<string,string>>,sourceidentity:string,ec2roledelivery:string, ec2issuedinvpc:string>,onbehalfof:struct<userid:string,identitystorearn:string>, inscopeof:struct<sourcearn:string,sourceaccount:string,issuertype:string, credentiaisissuedto:string>,invokedby:string,identityprovider:string>" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "eventsource", "Type": "string" }, { "Name": "eventname", "Type": "string" }, { "Name": "awsregion", "Type": "string" }, { "Name": "sourceipaddress", "Type": "string" }, { "Name": "useragent", "Type": "string" }, { "Name": "errorcode", "Type": "string" }, { "Name": "errormessage", "Type": "string" }, { "Name": "requestparameters", "Type": "map<string,string>" }, { "Name": "responseelements", "Type": "map<string,string>" }, { "Name": "additionaleventdata", "Type": "map<string,string>" }, { "Name": "requestid", "Type": "string" }, { "Name": "eventid", "Type": "string" }, { "Name": "readonly", "Type": "boolean" }, { "Name": "resources", "Type": "array<struct<accountid:string,type:string,arn:string,arnprefix:string>>" }, { "Name": "eventtype", "Type": "string" }, { "Name": "apiversion", "Type": "string" }, { "Name": "managementevent", "Type": "boolean" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "sharedeventid", "Type": "string" }, { "Name": "annotation", "Type": "string" }, { "Name": "vpcendpointid", "Type": "string" }, { "Name": "vpcendpointaccountid", "Type": "string" }, { "Name": "serviceeventdetails", "Type": "map<string,string>" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "edgedevicedetails", "Type": "map<string,string>" }, { "Name": "insightdetails", "Type": "map<string,string>" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "tlsdetails", "Type": "struct<tlsversion:string,ciphersuite:string,clientprovidedhostheader:string>" }, { "Name": "sessioncredentialfromconsole", "Type": "string" }, { "Name": "eventjson", "Type": "string" } { "Name": "eventjsonchecksum", "Type": "string" } ]
CloudTrail Insights 事件记录字段支持的架构
以下是 Insights 事件记录字段的有效 SQL 架构。对于 Insights 事件,eventcategory 的值为 Insight,eventtype 的值为 AwsCloudTrailInsight。有关这些字段的描述,请参阅 面向事件数据存储的 Insights 事件的 CloudTrail 记录内容。
注意
insightContext 的 attributions 字段中的 insightvalue、insightaverage、baselinevalue 和 baselineaverage 字段将于 2025 年 6 月 23 日开始弃用。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "sharedeventid", "Type": "string" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "insightsource", "Type": "string" }, { "Name": "insightstate", "Type": "string" }, { "Name": "insighteventsource", "Type": "string" }, { "Name": "insighteventname", "Type": "string" }, { "Name": "insighterrorcode", "Type": "string" }, { "Name": "insighttype", "Type": "string" }, { "Name": "insightContext", "Type": "struct<baselineaverage:double,insightaverage:double, baselineduration:integer,insightduration:integer, attributions:struct<attribute:string,insightvalue:string, insightaverage:double,baselinevalue:string,baselineaverage:double, insight:struct<value:string,average:double>, baseline:struct<value:string,average:double>>>" } ]
Amazon Config 配置项目记录字段支持的架构
以下是配置项目记录字段的有效 SQL 架构。对于配置项目,eventcategory 的值为 ConfigurationItem,eventtype 的值为 AwsConfigurationItem。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "eventdata", "Type": "struct<configurationitemversion:string,configurationitemcapturetime: string,configurationitemstatus:string,configurationitemstateid:string,accountid:string, resourcetype:string,resourceid:string,resourcename:string,arn:string,awsregion:string, availabilityzone:string,resourcecreationtime:string,configuration:map<string,string>, supplementaryconfiguration:map<string,string>,relatedevents:string, relationships:struct<name:string,resourcetype:string,resourceid:string, resourcename:string>,tags:map<string,string>>" } ]
Amazon Audit Manager 证据记录字段支持的架构
以下是 Audit Manager 证据记录字段的有效 SQL 架构。对于 Audit Manager 证据记录字段,eventcategory 的值为 Evidence,eventtype 的值为 AwsAuditManagerEvidence。有关使用 Audit Manager 在 CloudTrail Lake 中聚合证据的更多信息,请参阅《Amazon Audit Manager 用户指南》中的 Evidence finder(证据查找器)。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "eventdata", "Type": "struct<attributes:map<string,string>,awsaccountid:string,awsorganization:string, compliancecheck:string,datasource:string,eventname:string,eventsource:string, evidenceawsaccountid:string,evidencebytype:string,iamid:string,evidenceid:string, time:timestamp,assessmentid:string,controlsetid:string,controlid:string, controlname:string,controldomainname:string,frameworkname:string,frameworkid:string, service:string,servicecategory:string,resourcearn:string,resourcetype:string, evidencefolderid:string,description:string,manualevidences3resourcepath:string, evidencefoldername:string,resourcecompliancecheck:string>" } ]
非 Amazon 事件字段支持的架构
以下是非 Amazon 事件的有效 SQL 架构。对于非 Amazon 事件,eventcategory 的值为 ActivityAuditLog,eventtype 的值为 ActivityLog。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "addendum", "Type": "struct<reason:string,updatedfields:string,originalUID:string,originaleventid:string>" }, { "Name": "metadata", "Type": "struct<ingestiontime:string,channelarn:string>" }, { "Name": "eventdata", "Type": "struct<version:string,useridentity:struct<type:string, principalid:string,details:map<string,string>>,useragent:string,eventsource:string, eventname:string,eventtime:string,uid:string,requestparameters:map<string,string>>, responseelements":map<string,string>>,errorcode:string,errormssage:string,sourceipaddress:string, recipientaccountid:string,additionaleventdata":map<string,string>>" } ]