# Log Connector for SCEP API calls using Amazon CloudTrail
Connector for Simple Certificate Enrollment Protocol (SCEP) is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, client, or an Amazon service. CloudTrail captures all API calls for Connector for SCEP as events. The calls captured include calls from the Connector for SCEP console and code calls to the Connector for SCEP API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Connector for SCEP. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Connector for SCEP, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, see the [Amazon CloudTrail User Guide](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).
## Connector for SCEP information in CloudTrail
CloudTrail is enabled on your Amazon Web Services account when you create the account. When activity occurs in Connector for SCEP, that activity is recorded in a CloudTrail event along with other Amazon service events in **Event history**. You can view, search, and download recent events in your Amazon Web Services account. For more information, see [Viewing events with CloudTrail Event history](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
For an ongoing record of events in your Amazon Web Services account, including events for Connector for SCEP, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Amazon Web Services Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
All Connector for SCEP actions are logged by CloudTrail and are documented in the [Connector for SCEP API reference](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/Welcome.html). For example, calls to the `CreateConnector`, `GetConnector` and `CreateChallenge` actions generate entries in the CloudTrail log files.
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or Amazon Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another Amazon service.
+ Whether the request was made by a SCEP client device.
For more information, see the [CloudTrail userIdentity element](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
## Connector for SCEP management events
Connector for SCEP integrates with CloudTrail to record API actions made by a user, a role, or an Amazon service in Connector for SCEP. You can use CloudTrail to monitor Connector for SCEP API requests in real time and store logs in Amazon Simple Storage Service, Amazon CloudWatch Logs, and Amazon CloudWatch Events. Connector for SCEP supports logging the following actions as events in CloudTrail log files:
+ [CreateChallenge](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_CreateChallenge.html)
+ [CreateConnector](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_CreateConnector.html)
+ [GetConnector](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_GetConnector.html)
+ [GetChallengeMetadata](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_GetChallengeMetadata.html)
+ [GetChallengePassword](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_GetChallengePassword.html)
+ [DeleteConnector](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_DeleteConnector.html)
+ [DeleteChallenge](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_DeleteChallenge.html)
## Connector for SCEP data events in CloudTrail
[Data events](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) provide information about the resource operations performed on or in a resource for example, when your client sends a SCEP `GetCACaps` message to a connector endpoint. These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn’t log any data events, and the CloudTrail **Event history** doesn't record them.
Additional charges apply for data events. For more information about CloudTrail pricing, see [Amazon CloudTrail Pricing](https://www.amazonaws.cn/cloudtrail/pricing/).
You can log data events for the `AWS::PCAConnectorSCEP::Connector` resource type by using the CloudTrail console, Amazon CLI, or CloudTrail API operations. For more information about how to log data events, see [Logging data events with the Amazon Web Services Management Console](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console) and [Logging data events with the Amazon Command Line Interface](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI) in the *Amazon CloudTrail User Guide*.
The following table lists the Connector for SCEP resource type for which you can log data events. The **Data event type (console)** column shows the value to choose from the **Data event type** list on the CloudTrail console. The **resources.type value** column shows the `resources.type` value, which you would specify when configuring advanced event selectors using the Amazon CLI or CloudTrail APIs. The **Data APIs logged to CloudTrail** column shows the API calls logged to CloudTrail for the resource type.
| Data event type (console) | resources.type value | Data APIs logged to CloudTrail |
| --- | --- | --- |
| Connector | AWS::PCAConnectorSCEP::Connector | [See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/privateca/latest/userguide/logging-using-cloudtrail-c4scep.html) |
You can configure advanced event selectors to filter on the `eventName`, `readOnly`, and `resources.ARN` fields to log only those events that are important to you. The following example is the JSON view of a data event configuration that logs events for a specific function only. For more information about these fields, see [https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *Amazon CloudTrail API Reference*.
```
[
{
"name": "connector-scep-events",
"fieldSelectors": [
{
"field": "eventCategory",
"equals": [
"Data"
]
},
{
"field": "resources.type",
"equals": [
"AWS::PCAConnectorSCEP::Connector"
]
},
{
"field": "resources.ARN",
"equals": [
"{{arn:aws:pca-connector-scep:US West (N. California):111122223333:connector/11223344-1122-2233-3344-cae95a00d2a7}}"
]
}
]
}
]
```
## Example entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.
**Example 1: Management event, `CreateConnector`**
The following example shows a CloudTrail log entry that demonstrates the `CreateConnector` action.
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AABB1122CCDD4455HHJJ1:11cc33nn2a97724dc48a89071111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AABB1122CCDD4455HHJJ1",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "my-user-name"
},
"attributes": {
"creationDate": "2024-08-16T17:46:41Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-08-16T17:48:07Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "CreateConnector",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"requestParameters": {
"ClientToken": "11223344-2222-3333-4444-666555444555",
"CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": {
"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
**Example 2: Management event, `CreateChallenge`**
The following example shows a CloudTrail log entry that demonstrates the `CreateChallenge` action.
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AABB1122CCDD4455HHJJ1:11cc33nn2a97724dc48a89071111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AABB1122CCDD4455HHJJ1",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "user-name"
},
"attributes": {
"creationDate": "2024-08-16T17:46:41Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-08-16T17:47:52Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "CreateChallenge",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"requestParameters": {
"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ClientToken": "11223344-2222-3333-4444-666555444555"
},
"responseElements": {
"Challenge": {
"Arn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/9cac40bc-acba-412e-9a24-f255ef2fe79a/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"CreatedAt": 1723830472.942,
"Password": "***",
"UpdatedAt": 1723830472.942
}
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
**Example 3: Management event, `GetChallengePassword`**
The following example shows a CloudTrail log entry that demonstrates the `GetChallengePassword` action.
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AABB1122CCDD4455HHJJ1:11cc33nn2a97724dc48a89071111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AABB1122CCDD4455HHJJ1",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "905418114790",
"userName": "111122223333"
},
"attributes": {
"creationDate": "2024-08-16T17:55:01Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "signin.amazonaws.com"
},
"eventTime": "2024-08-16T17:55:54Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "GetChallengePassword",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"requestParameters": {
"ChallengeArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:challenge/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
**Example 4: Data event, `PkiOperationPost`**
The following example shows a CloudTrail log entry that demonstrates a failed `PkiOperationPost` call. The log includes an error code and error message with an explanation of the failure.
```
{
"eventVersion": "1.10",
"userIdentity": {
"type": "FederatedUser",
"principalId": "111122223333",
"accountId": "111122223333"
},
"eventTime": "2024-08-16T17:40:09Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "PkiOperationPost",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"errorCode": "BadRequestException",
"errorMessage": "The certificate authority is not in a valid state for issuing certificates (Service: AcmPca, Status Code: 400, Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555)",
"requestParameters": null,
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::PCAConnectorSCEP::Connector",
"ARN": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "905418114790",
"eventCategory": "Data",
"tlsDetails": {
"clientProvidedHostHeader": "111122223333-a1b2c3d4-5678-90ab-cdef-EXAMPLE33333.enroll.pca-connector-scep.us-east-1.api.aws"
}
}
```