Accessing the AWS Health API - AWS Health
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Accessing the AWS Health API

AWS Health is a RESTful web service that uses HTTPS as a transport and JSON as a message serialization format. Your application code can make requests directly to the AWS Health API. When you use the REST API directly, you must write the code to sign and authenticate your requests. For more information about AWS Health operations and parameters, see the AWS Health API Reference.

Note

You must have a Business or Enterprise Support plan from AWS Support to use the AWS Health API. If you call the AWS Health API from an AWS account that doesn't have a Business or Enterprise Support plan, you receive a SubscriptionRequiredException error.

You can use the AWS SDKs to wrap the AWS Health REST API calls, which can simplify your application development. You specify your AWS credentials, and these libraries take care of authentication and request signing for you.

AWS Health also provides the Personal Health Dashboard in the AWS Management Console, which you can use to view and search for events and affected entities. See Getting started with the AWS Personal Health Dashboard.

Endpoints

The AWS Health API follows a multi-Region application architecture and has two regional endpoints in an active/passive configuration. To support active/passive DNS failover, AWS Health provides a single global endpoint. You can do a DNS lookup on the global endpoint to determine the active endpoint and the corresponding signing AWS Region. This tells you which endpoint to use in your code so that you get the latest information from AWS Health.

When you make requests to the global endpoint, you must specify AWS access credentials for the targeted regional endpoint and configure signing for that Region. Otherwise, your authentication might fail. For more information, see Signing AWS Health API requests.

The following table shows the default configuration.

Description   Signing Region    Endpoint                                  Protocol
Active        cn-northwest-1    health.cn-northwest-1.amazonaws.com.cn    HTTPS
Passive       cn-north-1        health.cn-north-1.amazonaws.com.cn        HTTPS
Global        cn-northwest-1    global.health.amazonaws.com.cn            HTTPS

Note

The signing Region of the global endpoint is the signing Region of the currently active endpoint (cn-northwest-1 in the default configuration).

To determine whether an endpoint is the active endpoint, do a DNS lookup on the global endpoint CNAME, and then extract the AWS Region from the resolved name.

Example: DNS lookup on the global endpoint

The following command does a DNS lookup on the global.health.amazonaws.com.cn endpoint. The CNAME in the answer points to the cn-northwest-1 regional endpoint, which tells you which endpoint to use for AWS Health.

dig global.health.amazonaws.com.cn | grep CNAME
global.health.amazonaws.com.cn. 10 IN CNAME health.cn-northwest-1.amazonaws.com.cn

Tip

Both the active and the passive endpoints return AWS Health data. However, the latest AWS Health data is available only from the active endpoint. Data from the passive endpoint is eventually consistent with the active endpoint. We recommend that you restart any workflows when the active endpoint changes.

Using the high availability endpoint demo

In the following code examples, AWS Health uses a DNS lookup against the global endpoint to determine the active regional endpoint and signing Region. Then, the code restarts the workflow if the active endpoint changes.
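The following Python program is an added example, not part of the AWS demo or its code. It shows the logic this section describes: resolve the global endpoint's CNAME, derive the signing Region from the resolved name, and restart the workflow (rebuild the client bound to the regional endpoint) whenever the active endpoint changes. The DNS lookup and the service client are injected, and the values it runs on are constructed stand-ins (the CNAME targets mirror the dig output above; FakeHealthClient stands in for a boto3 health client), so it runs offline with the standard library only.

```python
import re
from datetime import datetime, timedelta, timezone

GLOBAL_ENDPOINT = "global.health.amazonaws.com.cn"

# Regional Health endpoints look like health.<region>.amazonaws.com.cn (China
# partition) or health.<region>.amazonaws.com; a trailing dot from dig is allowed.
_REGIONAL_RE = re.compile(
    r"^health\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com(?:\.cn)?\.?$"
)


def region_from_endpoint(endpoint: str) -> str:
    """Extract the signing Region from a regional endpoint name.

    Anything that is not a Health regional endpoint raises ValueError, so an
    unexpected CNAME target is never silently used as a signing Region.
    """
    match = _REGIONAL_RE.match(endpoint.strip().lower())
    if not match:
        raise ValueError(f"not an AWS Health regional endpoint: {endpoint!r}")
    return match.group("region")


def resolve_active_endpoint(lookup_cname):
    """Return (endpoint, signing_region) of the currently active endpoint.

    lookup_cname(name) returns the CNAME target of name, like the dig output
    above; it is injected so this runs offline (in production wrap a resolver
    such as dnspython's dns.resolver.resolve(name, "CNAME")).
    """
    target = lookup_cname(GLOBAL_ENDPOINT).rstrip(".")
    return target, region_from_endpoint(target)


class HealthWorkflow:
    """Re-resolve the global endpoint before every run and rebuild the client
    (that is, restart the workflow) whenever the active endpoint has moved.

    make_client(endpoint, region) builds a client bound to one regional endpoint
    and its signing Region; with boto3 that would be
    boto3.client("health", region_name=region, endpoint_url="https://" + endpoint).
    """

    def __init__(self, lookup_cname, make_client):
        self._lookup = lookup_cname
        self._make_client = make_client
        self.endpoint = self.region = self.client = None
        self.restarts = 0

    def _ensure_active_client(self) -> bool:
        endpoint, region = resolve_active_endpoint(self._lookup)
        if self.client is not None and endpoint == self.endpoint:
            return False  # still pointing at the active endpoint
        if self.client is not None:
            self.restarts += 1  # active endpoint changed: restart the workflow
        self.endpoint, self.region = endpoint, region
        self.client = self._make_client(endpoint, region)
        return True

    def run_once(self, now=None):
        """Fetch events updated in the last seven days, as the demo output does."""
        self._ensure_active_client()
        now = now or datetime.now(timezone.utc)
        event_filter = {"lastUpdatedTimes": [{"from": now - timedelta(days=7)}]}
        return self.client.describe_events(filter=event_filter).get("events", [])


# --- constructed offline stand-ins; no DNS query or AWS call is made ----------
class FakeHealthClient:
    """Records describe_events calls and answers with one constructed event."""

    def __init__(self, endpoint, region):
        self.endpoint, self.region, self.calls = endpoint, region, []

    def describe_events(self, **kwargs):
        self.calls.append(kwargs)
        return {"events": [{"service": "CONFIG", "region": self.region}]}


def make_scripted_lookup(targets):
    """lookup_cname that replays constructed CNAME answers, repeating the last one."""
    remaining = list(targets)

    def lookup(name):
        if name != GLOBAL_ENDPOINT:
            raise ValueError(f"unexpected lookup: {name}")
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]

    return lookup


if __name__ == "__main__":
    lookup = make_scripted_lookup([
        "health.cn-northwest-1.amazonaws.com.cn.",  # active, as in the dig output
        "health.cn-northwest-1.amazonaws.com.cn.",  # unchanged: no restart
        "health.cn-north-1.amazonaws.com.cn.",      # failover: workflow restarts
    ])
    workflow = HealthWorkflow(lookup, FakeHealthClient)
    for _ in range(3):
        events = workflow.run_once()
        print(workflow.region, workflow.endpoint, workflow.restarts, len(events))
```

The client is rebuilt rather than re-pointed because the signing Region is baked into a bound client: a client created for cn-northwest-1 would keep signing for that Region after DNS fails over to cn-north-1, which is exactly the authentication failure the Endpoints section warns about.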

Using the Java demo

Prerequisite

You must install Gradle.

To use the Java example

  1. Download the AWS Health high availability endpoint demo from GitHub.

  2. Navigate to the high-availability-endpoint/java directory of the demo project.

  3. In a command line window, enter the following command.

    gradle build
  4. Enter the following commands to specify your AWS credentials.

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
    export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    export AWS_SESSION_TOKEN="your-aws-token"
  5. Enter the following command to run the demo.

    gradle run

    Example: AWS Health event output

    The code example returns the AWS events from the last seven days in your AWS account. In the following example, the output includes an AWS Config event for the AWS Health service.

    > Task :run
    [main] INFO aws.health.high.availability.endpoint.demo.HighAvailabilityV2Workflow - EventDetails(Event=Event(Arn=arn:aws:health:global::event/CONFIG/AWS_CONFIG_OPERATIONAL_NOTIFICATION/AWS_CONFIG_OPERATIONAL_NOTIFICATION_88a43e8a-e419-4ca7-9baa-56bcde4dba3, 
    Service=CONFIG, EventTypeCode=AWS_CONFIG_OPERATIONAL_NOTIFICATION, EventTypeCategory=accountNotification, Region=global, StartTime=2020-09-11T02:55:49.899Z, LastUpdatedTime=2020-09-11T03:46:31.764Z, 
    StatusCode=open, EventScopeCode=ACCOUNT_SPECIFIC), EventDescription=EventDescription(LatestDescription=As part of our ongoing efforts to optimize costs associated with recording changes related to certain ephemeral workloads, 
    AWS Config is scheduled to release an update to relationships modeled within ConfigurationItems (CI) for 7 EC2 resource types on August 1, 2021. 
    Examples of ephemeral workloads include changes to Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon Elastic MapReduce jobs, and Amazon EC2 Autoscaling. 
    This update will optimize CI models for EC2 Instance, SecurityGroup, Network Interface, Subnet, VPC, VPN Gateway, and Customer Gateway resource types to record direct relationships and deprecate indirect relationships.
     
    A direct relationship is defined as a one-way relationship (A->B) between a resource (A) and another resource (B), and is typically derived from the Describe API response of resource (A). 
    An indirect relationship, on the other hand, is a relationship that AWS Config infers (B->A), in order to create a bidirectional relationship. 
    For example, EC2 instance -> Security Group is a direct relationship, since security groups are returned as part of the describe API response for an EC2 instance. 
    But Security Group -> EC2 instance is an indirect relationship, since EC2 instances are not returned when describing an EC2 Security group.
     
    Until now, AWS Config has recorded both direct and indirect relationships. With the launch of Advanced queries in March 2019, indirect relationships can easily be answered by running Structured Query Language (SQL) queries such as:
     
    SELECT
     resourceId,
     resourceType
    WHERE
     resourceType ='AWS::EC2::Instance'
    AND
     relationships.resourceId = 'sg-234213'
     
    By deprecating indirect relationships, we can optimize the information contained within a Configuration Item while reducing AWS Config costs related to relationship changes. 
    This is especially useful in case of ephemeral workloads where there is a high volume of configuration changes for EC2 resource types.
     
    Which resource relationships are being removed?
     
    Resource Type: Related Resource Type
    1 AWS::EC2::CustomerGateway: AWS::VPN::Connection
    2 AWS::EC2::Instance: AWS::EC2::EIP, AWS::EC2::RouteTable
    3 AWS::EC2::NetworkInterface: AWS::EC2::EIP, AWS::EC2::RouteTable
    4 AWS::EC2::SecurityGroup: AWS::EC2::Instance, AWS::EC2::NetworkInterface
    5 AWS::EC2::Subnet: AWS::EC2::Instance, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable
    6 AWS::EC2::VPC: AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::SecurityGroup
    7 AWS::EC2::VPNGateway: AWS::EC2::RouteTable, AWS::EC2::VPNConnection
     
    Alternate mechanism to retrieve this relationship information:
    The SelectResourceConfig API accepts a SQL SELECT command, performs the corresponding search, and returns resource configurations matching the properties. You can use this API to retrieve the same relationship information. 
    For example, to retrieve the list of all EC2 Instances related to a particular VPC vpc-1234abc, you can use the following query:
     
    SELECT
     resourceId,
     resourceType
    WHERE
     resourceType ='AWS::EC2::Instance'
    AND
     relationships.resourceId = 'vpc-1234abc'
     
    If you have any questions regarding this deprecation plan, please contact AWS Support [1]. Additional sample queries to retrieve the relationship information for the resources listed above is provided in [2].
     
    [1] https://aws.amazon.com/support
    [2] https://docs.aws.amazon.com/config/latest/developerguide/examplerelationshipqueries.html), EventMetadata={})

Java resources

  • For more information, see the HealthClient interface in the AWS SDK for Java API Reference and the source code.

  • For more information about the library used for the DNS lookup in this demo, see dnsjava on GitHub.

Using the Python demo

Prerequisite

You must install Python 3.

To use the Python example

  1. Download the AWS Health high availability endpoint demo from GitHub.

  2. Navigate to the high-availability-endpoint/python directory of the demo project.

  3. In a command line window, enter the following commands.

    pip3 install virtualenv
    virtualenv -p python3 v-aws-health-env
    Note

    For Python 3.3 and later, you can use the built-in venv module to create the virtual environment instead of installing virtualenv. For more information, see venv - Creation of virtual environments on the Python website.

    python3 -m venv v-aws-health-env
  4. Enter the following command to activate the virtual environment.

    source v-aws-health-env/bin/activate
  5. Enter the following command to install the dependencies.

    pip install -r requirements.txt
  6. Enter the following commands to specify your AWS credentials.

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
    export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    export AWS_SESSION_TOKEN="your-aws-token"
  7. Enter the following command to run the demo.

    python3 main.py

    Example: AWS Health event output

    The code example returns the AWS events from the last seven days in your AWS account. The following output returns an AWS event for an AWS Health security notification.

    INFO:botocore.credentials:Found credentials in environment variables.
    INFO:root:Details: {'arn': 'arn:aws:health:global::event/SECURITY/AWS_SECURITY_NOTIFICATION/AWS_SECURITY_NOTIFICATION_0e35e47e-2247-47c4-a9a5-876544042721', 
    'service': 'SECURITY', 'eventTypeCode': 'AWS_SECURITY_NOTIFICATION', 'eventTypeCategory': 'accountNotification', 'region': 'global', 'startTime': datetime.datetime(2020, 8, 19, 23, 30, 42, 476000, 
    tzinfo=tzlocal()), 'lastUpdatedTime': datetime.datetime(2020, 8, 20, 20, 44, 9, 547000, tzinfo=tzlocal()), 'statusCode': 'open', 'eventScopeCode': 'PUBLIC'}, description: 
    {'latestDescription': 'This is the second notice regarding TLS requirements on FIPS endpoints.\n\nWe are in the process of updating all AWS Federal Information Processing Standard (FIPS) endpoints across all AWS regions 
    to Transport Layer Security (TLS) version 1.2 by March 31, 2021 . In order to avoid an interruption in service, we encourage you to act now, by ensuring that you connect to AWS FIPS endpoints at a TLS version of 1.2. 
    If your client applications fail to support TLS 1.2 it will result in connection failures when TLS versions below 1.2 are no longer supported.\n\nBetween now and March 31, 2021 AWS will remove TLS 1.0 and TLS 1.1 support from each FIPS endpoint where no connections below TLS 1.2 are detected over a 30-day period. 
    After March 31, 2021 we may deploy this change to all AWS FIPS endpoints, even if there continue to be customer connections detected at TLS versions below 1.2. \n\nWe will provide additional updates and reminders on the AWS Security Blog, with a ‘TLS’ tag [1]. If you need further guidance or assistance, please contact AWS Support [2] or your Technical Account Manager (TAM). 
    Additional information is below.\n\nHow can I identify clients that are connecting with TLS 1.0/1.1?\nFor customers using S3 [3], Cloudfront [4] or Application Load Balancer [5] you can use your access logs to view the TLS connection information for these services, and identify client connections that are not at TLS 1.2. If you are using the AWS Developer Tools on your clients, 
    you can find information on how to properly configure your client’s TLS versions by visiting Tools to Build on AWS [7] or our associated AWS Security Blog has a link for each unique code language [7].\n\nWhat is Transport Layer Security (TLS)?\nTransport Layer Security (TLS Protocols) are cryptographic protocols designed to provide secure communication across a computer network 
    [6].\n\nWhat are AWS FIPS endpoints? \nAll AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints [9] for customers that require use of FIPS validated cryptographic libraries. \n\n[1] https://aws.amazon.com/blogs/security/tag/tls/\n[2] https://aws.amazon.com/support\n[3] 
    https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html\n[4] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html\n[5] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html\n[6] https://aws.amazon.com/tools\n[7] https://aws.amazon.com/blogs/security/tls-1-2-to-become-the-minimum-for-all-aws-fips-endpoints\n[8] 
    https://en.wikipedia.org/wiki/Transport_Layer_Security\n[9] https://aws.amazon.com/compliance/fips'}
  8. When you're done, enter the following command to deactivate the virtual environment.

    deactivate

Python resources

Signing AWS Health API requests

When you use the AWS SDKs or the AWS Command Line Interface (AWS CLI) to make requests to AWS, these tools automatically sign the requests for you with the access key that you specified when you configured the tools. For example, if you use the AWS SDK for Java for the previous high availability endpoint demo, you don't need to sign the requests yourself.

Java code examples

For more examples of how to use the AWS Health API with the AWS SDK for Java, see the following sample code.

When you make requests, we strongly recommend that you don't use your AWS root account credentials for regular access to AWS Health. You can use the credentials of an IAM user instead. For more information, see Lock away your AWS account root user access keys in the IAM User Guide.

If you don't use the AWS SDKs or the AWS CLI, you must sign the requests yourself. We recommend that you use AWS Signature Version 4. For more information, see Signing AWS API requests in the AWS General Reference at https://docs.amazonaws.cn/general/latest/gr/signing_aws_api_requests.html.
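As an added example that is not AWS's own code, the following standard-library Python signs a DescribeEvents POST to the active regional endpoint with Signature Version 4. It uses the example access keys from the steps above, a fixed constructed timestamp, and the X-Amz-Target header value AWSHealth_20160804.DescribeEvents (assumed here; confirm against the API Reference); the request is built and signed but never sent. The point this section makes is visible in the code: the signing key is derived from the Region, so a request signed for cn-north-1 but sent to the cn-northwest-1 endpoint fails authentication.

```python
import datetime as dt
import hashlib
import hmac
import json
import urllib.parse

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "health"  # the service name used in the SigV4 credential scope


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = SERVICE) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning. The region must be the
    signing Region of the endpoint you call, or the service rejects the signature."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Return (canonical_request, signed_headers). headers maps lowercase names
    to trimmed values; every header passed in is signed."""
    def quote(s):
        return urllib.parse.quote(s, safe="-_.~")

    canonical_query = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(query.items()))
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, payload_hash])
    return creq, signed_headers


def sign_health_request(access_key, secret_key, region, host, target, body,
                        when, session_token=None):
    """Return HTTP headers for a SigV4-signed JSON POST to a Health regional endpoint."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    if session_token:  # temporary credentials also carry the session token
        headers["x-amz-security-token"] = session_token
    payload_hash = _sha256_hex(body.encode("utf-8"))
    creq, signed_headers = canonical_request("POST", "/", {}, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                               f"SignedHeaders={signed_headers}, Signature={signature}")
    return signed


def example_request(region="cn-northwest-1", session_token=None):
    """Constructed request: the example keys from this page, the regional endpoint
    for the given Region, a fixed timestamp, and the assumed DescribeEvents target."""
    body = json.dumps({"filter": {"eventStatusCodes": ["open"]}, "maxResults": 10})
    return sign_health_request(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        region=region, host=f"health.{region}.amazonaws.com.cn",
        target="AWSHealth_20160804.DescribeEvents", body=body,
        when=dt.datetime(2020, 9, 11, 2, 55, 49, tzinfo=dt.timezone.utc),
        session_token=session_token,
    )


if __name__ == "__main__":
    for name, value in example_request().items():
        print(f"{name}: {value}")
```

Pass region and host as a pair taken from the same DNS lookup, as in the demo, so the credential scope always matches the endpoint the request is sent to; the SDKs do this for you when you bind a client to one Region.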