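Accessing the Amazon Health API - Amazon Health
The Amazon Web Services services or features described in the Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).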


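Accessing the Amazon Health API

Amazon Health is a RESTful web service that uses HTTPS as its transport and JSON as its message serialization format. Your application code can send requests directly to the Amazon Health API. When you use the REST API directly, you must write the code that signs and authenticates your requests. For more information about Amazon Health operations and parameters, see the Amazon Health API Reference.

Note

You must have a Business, Enterprise On-Ramp, or Enterprise Support plan from Amazon Web Services Support to use the Amazon Health API. If you call the Amazon Health API from an Amazon account that doesn't have a Business, Enterprise On-Ramp, or Enterprise Support plan, you receive a SubscriptionRequiredException error message.

You can use the Amazon SDKs to wrap the Amazon Health REST API calls, which can simplify application development. After you specify your Amazon credentials, these libraries handle authentication and request signing for you.

Amazon Health also provides an Amazon Health Dashboard in the Amazon Web Services Management Console that you can use to view and search for events and affected entities. See Getting started with your Amazon Health Dashboard - Your account health.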

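Endpoints

The Amazon Health API follows a multi-Region application architecture and has two regional endpoints in an active-passive configuration. To support active-passive DNS failover, Amazon Health provides a single global endpoint. You can perform a DNS lookup on the global endpoint to determine the active endpoint and the corresponding signing Amazon Region. This tells you which endpoint to use in your code so that you get the latest information from Amazon Health.

When you make a request to the global endpoint, you must specify your Amazon access credentials for the regional endpoint that you target and configure the signing for your Region. Otherwise, your authentication might fail. For more information, see Signing Amazon Health API requests.

The following table lists the default configuration.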

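| Description | Signing Region | Endpoint | Protocol |
|---|---|---|---|
| Active | cn-northwest-1 | health.cn-northwest-1.amazonaws.com.cn | HTTPS |
| Passive | cn-north-1 | health.cn-north-1.amazonaws.com.cn | HTTPS |
| Global | cn-northwest-1 (Note: This is the signing Region of the current active endpoint.) | global.health.amazonaws.com.cn | HTTPS |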

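To determine whether an endpoint is the active endpoint, perform a DNS lookup on the CNAME record of the global endpoint, and then extract the Amazon Region from the resolved name.

Example: DNS lookup on the global endpoint

The following command performs a DNS lookup on the global.health.amazonaws.com.cn endpoint. The command then returns the cn-northwest-1 Region endpoint. This output tells you which endpoint to use for Amazon Health.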

    dig global.health.amazonaws.com.cn | grep CNAME
    global.health.amazonaws.com.cn. 10 IN CNAME health.cn-northwest-1.amazonaws.com.cn
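Tip

Both the active and passive endpoints return Amazon Health data. However, the latest Amazon Health data is available only from the active endpoint. Data from the passive endpoint will eventually be consistent with the active endpoint. We recommend that you restart any workflows when the active endpoint changes.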
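
The lookup-and-restart logic described above, as an added example that is not part of the original page or of the GitHub demo: it parses a `dig` answer line, accepts the CNAME target only if it matches the regional endpoint names in the table, and reports when the active Region changes. The function and class names are hypothetical, and the sample answer line is constructed from the output shown above.

```python
import re

# Expected shape of the regional endpoint behind the global alias, taken from the
# endpoint table on this page. Any other answer is rejected rather than trusted.
_REGIONAL = re.compile(r"^health\.(cn-[a-z]+-\d+)\.amazonaws\.com\.cn$")
KNOWN_REGIONS = {"cn-northwest-1", "cn-north-1"}  # the two Regions in the table


def parse_active_endpoint(cname_target):
    """Return (signing_region, https_url) for a CNAME target, or raise ValueError."""
    host = cname_target.strip().rstrip(".").lower()
    match = _REGIONAL.match(host)
    if not match or match.group(1) not in KNOWN_REGIONS:
        raise ValueError(f"unexpected CNAME target: {cname_target!r}")
    return match.group(1), f"https://{host}"


def cname_from_dig(output, name="global.health.amazonaws.com.cn"):
    """Pull the CNAME target for `name` out of dig answer-section text."""
    for line in output.splitlines():
        fields = line.split()
        if (len(fields) == 5 and fields[0].rstrip(".") == name
                and fields[2:4] == ["IN", "CNAME"]):
            return fields[4]
    raise ValueError("no CNAME record for " + name)


class EndpointTracker:
    """Remembers the active endpoint and reports when a workflow restart is due."""

    def __init__(self):
        self.region = None
        self.url = None

    def update(self, cname_target):
        region, url = parse_active_endpoint(cname_target)
        changed = self.region is not None and region != self.region
        self.region, self.url = region, url
        return changed  # True: restart workflows against the new active endpoint


# Constructed sample input: the dig answer line from the example above.
SAMPLE_DIG = ("global.health.amazonaws.com.cn. 10 IN CNAME "
              "health.cn-northwest-1.amazonaws.com.cn")

if __name__ == "__main__":
    tracker = EndpointTracker()
    print(tracker.update(cname_from_dig(SAMPLE_DIG)), tracker.region, tracker.url)
```

Use the returned Region as the signing Region and the returned URL as the endpoint, so that both always come from the same validated lookup.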

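Using the high availability endpoint demo

In the following code examples, Amazon Health uses a DNS lookup against the global endpoint to determine the active regional endpoint and signing Region. Then, the code restarts the workflow if the active endpoint changes.

Using the Java demo

Prerequisites

You must install Gradle.

To use the Java example
  1. Download the Amazon Health endpoint demo from GitHub.

  2. Navigate to the demo project high-availability-endpoint/java directory.

  3. In a command line window, enter the following command.

    gradle build
  4. Enter the following commands to specify your Amazon credentials.

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
    export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    export AWS_SESSION_TOKEN="your-aws-token"
  5. Enter the following command to run the demo.

    gradle run
    Example: Amazon Health event output

    The code example returns the most recent Amazon Health events in your Amazon account from the past seven days. In the following example, the output includes an Amazon Health event for the Amazon Config service.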

    > Task :run [main] INFO aws.health.high.availability.endpoint.demo.HighAvailabilityV2Workflow - EventDetails(Event=Event(Arn=arn:aws:health:global::event/CONFIG/AWS_CONFIG_OPERATIONAL_NOTIFICATION/AWS_CONFIG_OPERATIONAL_NOTIFICATION_88a43e8a-e419-4ca7-9baa-56bcde4dba3, Service=CONFIG, EventTypeCode=AWS_CONFIG_OPERATIONAL_NOTIFICATION, EventTypeCategory=accountNotification, Region=global, StartTime=2020-09-11T02:55:49.899Z, LastUpdatedTime=2020-09-11T03:46:31.764Z, StatusCode=open, EventScopeCode=ACCOUNT_SPECIFIC), EventDescription=EventDescription(LatestDescription=As part of our ongoing efforts to optimize costs associated with recording changes related to certain ephemeral workloads, Amazon Config is scheduled to release an update to relationships modeled within ConfigurationItems (CI) for 7 EC2 resource types on August 1, 2021. Examples of ephemeral workloads include changes to Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon Elastic MapReduce jobs, and Amazon EC2 Autoscaling. This update will optimize CI models for EC2 Instance, SecurityGroup, Network Interface, Subnet, VPC, VPN Gateway, and Customer Gateway resource types to record direct relationships and deprecate indirect relationships. A direct relationship is defined as a one-way relationship (A->B) between a resource (A) and another resource (B), and is typically derived from the Describe API response of resource (A). An indirect relationship, on the other hand, is a relationship that Amazon Config infers (B->A), in order to create a bidirectional relationship. For example, EC2 instance -> Security Group is a direct relationship, since security groups are returned as part of the describe API response for an EC2 instance. But Security Group -> EC2 instance is an indirect relationship, since EC2 instances are not returned when describing an EC2 Security group. Until now, Amazon Config has recorded both direct and indirect relationships. 
With the launch of Advanced queries in March 2019, indirect relationships can easily be answered by running Structured Query Language (SQL) queries such as: SELECT resourceId, resourceType WHERE resourceType ='AWS::EC2::Instance' AND relationships.resourceId = 'sg-234213' By deprecating indirect relationships, we can optimize the information contained within a Configuration Item while reducing Amazon Config costs related to relationship changes. This is especially useful in case of ephemeral workloads where there is a high volume of configuration changes for EC2 resource types. Which resource relationships are being removed? Resource Type: Related Resource Type 1 AWS::EC2::CustomerGateway: AWS::VPN::Connection 2 AWS::EC2::Instance: AWS::EC2::EIP, AWS::EC2::RouteTable 3 AWS::EC2::NetworkInterface: AWS::EC2::EIP, AWS::EC2::RouteTable 4 AWS::EC2::SecurityGroup: AWS::EC2::Instance, AWS::EC2::NetworkInterface 5 AWS::EC2::Subnet: AWS::EC2::Instance, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable 6 AWS::EC2::VPC: AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::SecurityGroup 7 AWS::EC2::VPNGateway: AWS::EC2::RouteTable, AWS::EC2::VPNConnection Alternate mechanism to retrieve this relationship information: The SelectResourceConfig API accepts a SQL SELECT command, performs the corresponding search, and returns resource configurations matching the properties. You can use this API to retrieve the same relationship information. For example, to retrieve the list of all EC2 Instances related to a particular VPC vpc-1234abc, you can use the following query: SELECT resourceId, resourceType WHERE resourceType ='AWS::EC2::Instance' AND relationships.resourceId = 'vpc-1234abc' If you have any questions regarding this deprecation plan, please contact Amazon Web Services Support [1]. 
Additional sample queries to retrieve the relationship information for the resources listed above is provided in [2]. [1] https://aws.amazon.com/support [2] https://docs.aws.amazon.com/config/latest/developerguide/examplerelationshipqueries.html), EventMetadata={})

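Java resources

  • For more information, see Interface HealthClient in the Amazon SDK for Java API Reference and the source code.

  • For more information about the library used in this demo for DNS lookups, see dnsjava on GitHub.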

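Using the Python demo

Prerequisites

You must install Python 3.

To use the Python example
  1. Download the Amazon Health endpoint demo from GitHub.

  2. Navigate to the demo project high-availability-endpoint/python directory.

  3. In a command line window, enter the following commands.

    pip3 install virtualenv
    virtualenv -p python3 v-aws-health-env
    Note

    For Python 3.3 and later, you can use the built-in venv module to create the virtual environment instead of installing virtualenv. For more information, see venv - Creation of virtual environments on the Python website.

    python3 -m venv v-aws-health-env
  4. Enter the following command to activate the virtual environment.

    source v-aws-health-env/bin/activate
  5. Enter the following command to install the dependencies.

    pip install -r requirements.txt
  6. Enter the following commands to specify your Amazon credentials.

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
    export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    export AWS_SESSION_TOKEN="your-aws-token"
  7. Enter the following command to run the demo.

    python3 main.py
    Example: Amazon Health event output

    The code example returns the most recent Amazon Health events in your Amazon account from the past seven days. The following output returns an Amazon Health event for an Amazon security notification.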

    INFO:botocore.credentials:Found credentials in environment variables.
    INFO:root:Details: {'arn': 'arn:aws:health:global::event/SECURITY/AWS_SECURITY_NOTIFICATION/AWS_SECURITY_NOTIFICATION_0e35e47e-2247-47c4-a9a5-876544042721', 
    'service': 'SECURITY', 'eventTypeCode': 'AWS_SECURITY_NOTIFICATION', 'eventTypeCategory': 'accountNotification', 'region': 'global', 'startTime': datetime.datetime(2020, 8, 19, 23, 30, 42, 476000, 
    tzinfo=tzlocal()), 'lastUpdatedTime': datetime.datetime(2020, 8, 20, 20, 44, 9, 547000, tzinfo=tzlocal()), 'statusCode': 'open', 'eventScopeCode': 'PUBLIC'}, description: 
    {'latestDescription': 'This is the second notice regarding TLS requirements on FIPS endpoints.\n\nWe
    are in the process of updating all Amazon Federal Information Processing Standard (FIPS) endpoints across all Amazon regions 
    to Transport Layer Security (TLS) version 1.2 by March 31, 2021 . In order to avoid an interruption in service, we encourage you to act now, by ensuring that you connect to Amazon FIPS endpoints at a TLS version of 1.2. 
    If your client applications fail to support TLS 1.2 it will result in connection failures when TLS versions below 1.2 are no longer supported.\n\nBetween now and March 31, 2021 Amazon will remove TLS 1.0 and TLS 1.1 support from each FIPS endpoint where no connections below TLS 1.2 are detected over a 30-day period. 
    After March 31, 2021 we may deploy this change to all Amazon FIPS endpoints, even if there continue
    to be customer connections detected at TLS versions below 1.2. \n\nWe will provide additional updates and reminders on the Amazon Security Blog, with a ‘TLS’ tag [1]. If you need further guidance or assistance, please contact Amazon Web Services Support [2] or your Technical Account Manager (TAM). 
    Additional information is below.\n\nHow can I identify clients that are connecting with TLS
    1.0/1.1?\nFor customers using S3 [3], Cloudfront [4] or Application Load Balancer [5] you can use
    your access logs to view the TLS connection information for these services, and identify client
    connections that are not at TLS 1.2. If you are using the Amazon Developer Tools on your clients, 
    you can find information on how to properly configure your client’s TLS versions by visiting Tools to Build on Amazon [7] or our associated Amazon Security Blog has a link for each unique code language [7].\n\nWhat is Transport Layer Security (TLS)?\nTransport Layer Security (TLS Protocols) are cryptographic protocols designed to provide secure communication across a computer network 
    [6].\n\nWhat are Amazon FIPS endpoints? \nAll Amazon services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some Amazon services also offer FIPS 140-2 endpoints [9] for customers that require use of FIPS validated cryptographic libraries. \n\n[1] https://aws.amazon.com/blogs/security/tag/tls/\n[2] https://aws.amazon.com/support\n[3] 
    https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html\n[4] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html\n[5] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html\n[6] https://aws.amazon.com/tools\n[7] https://aws.amazon.com/blogs/security/tls-1-2-to-become-the-minimum-for-all-aws-fips-endpoints\n[8] 
    https://en.wikipedia.org/wiki/Transport_Layer_Security\n[9] https://aws.amazon.com/compliance/fips'}
  8. When you're finished, enter the following command to deactivate the virtual environment.

    deactivate

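Python resources

Signing Amazon Health API requests

When you use the Amazon SDKs or the Amazon Command Line Interface (Amazon CLI) to make requests to Amazon, these tools automatically sign the requests for you with the access key that you specified when you configured the tools. For example, if you use the Amazon SDK for Java for the previous high availability endpoint demo, you don't have to sign requests yourself.

Java code examples

For more examples of how to use the Amazon Health API with the Amazon SDK for Java, see the example code.

When you make requests, we strongly recommend that you don't use your Amazon root account credentials for regular access to Amazon Health. You can use the credentials of an IAM user instead. For more information, see Lock away your Amazon account root user access keys in the IAM User Guide.

If you don't use the Amazon SDKs or the Amazon CLI, then you must sign your requests yourself. We recommend that you use Amazon Signature Version 4. For more information, see Signing Amazon API requests in the Amazon General Reference.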
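
One way to sign a request by hand with Signature Version 4 for a regional endpoint, as an added example that is not code from this page or from Amazon. The function names and the fixed timestamp are hypothetical, the credentials are the placeholder values used in the demo steps, and the `X-Amz-Target` prefix and JSON 1.1 content type are Amazon Health API protocol values that this page does not list.

```python
import datetime
import hashlib
import hmac
import json


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_health_request(access_key, secret_key, region, operation, body, now, token=None):
    """Return (url, headers, payload) for a SigV4-signed POST to a regional endpoint."""
    host = f"health.{region}.amazonaws.com.cn"  # regional endpoint pattern from the table
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload = json.dumps(body)
    headers = {
        "content-type": "application/x-amz-json-1.1",  # protocol value, not on this page
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": f"AWSHealth_20160804.{operation}",  # protocol value, not on this page
    }
    if token:
        headers["x-amz-security-token"] = token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Canonical request: method, path, query, headers, signed-header list, payload hash.
    canonical = "\n".join(["POST", "/", "", canonical_headers, signed,
                           hashlib.sha256(payload.encode("utf-8")).hexdigest()])
    scope = f"{date}/{region}/health/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode("utf-8")).hexdigest()])
    # The signing key is derived from the date, the signing Region and the service
    # name, so the Region used here has to match the endpoint being called.
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, "health", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return f"https://{host}/", headers, payload


def demo(region="cn-northwest-1"):
    now = datetime.datetime(2020, 9, 11, 2, 55, 49)  # constructed fixed UTC timestamp
    return sign_health_request("AKIAIOSFODNN7EXAMPLE",
                               "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                               region, "DescribeEvents", {"maxResults": 10}, now)
```

Send the returned payload string byte for byte as the request body, because its hash is part of the signature.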