This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.
Automating Connector for SCEP with EventBridge
You can use Amazon EventBridge to automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to EventBridge in near real time. You can write simple rules that state which events you are interested in and which automated actions to take when an event matches a rule. EventBridge delivers each event at least once, so a target may receive the same event more than once and should treat duplicates idempotently. For more information, see Creating rules that react to events in EventBridge.
Amazon CloudWatch Events and EventBridge are the same underlying service and API; EventBridge is where events are turned into actions. With EventBridge, you use events to trigger targets. For more information, see What is Amazon EventBridge?
Connector for SCEP event types
Certificate Issuance Succeeded
Connector for SCEP sends a Certificate Issuance Succeeded event to EventBridge when it issues a certificate in response to a PkiOperationPost request.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Issuance Succeeded",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "success",
    "requestType": "PkiOperationPost",
    "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
  }
}
Certificate Issuance Failed
Connector for SCEP sends a Certificate Issuance Failed event to EventBridge when it cannot issue a certificate in response to a PkiOperationPost request. The event includes the reason for the failure.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Issuance Failed",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "failure",
    "requestType": "PkiOperationPost",
    "reason": "The certificate authority is not active."
  }
}
Certificate Authority Certificate Retrieval Succeeded
Connector for SCEP sends a Certificate Authority Certificate Retrieval Succeeded event to EventBridge when it receives a GetCACert request and successfully retrieves the connector's private CA certificate.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Authority Certificate Retrieval Succeeded",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "success",
    "requestType": "GetCACert"
  }
}
Certificate Authority Certificate Retrieval Failed
Connector for SCEP sends a Certificate Authority Certificate Retrieval Failed event to EventBridge when it receives a GetCACert request but cannot retrieve the connector's private CA certificate. The event includes the reason for the failure.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Authority Certificate Retrieval Failed",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "failure",
    "requestType": "GetCACert",
    "reason": "The certificate authority certificate validity must be at least one year from today."
  }
}
Certificate Authority Capabilities Retrieval Succeeded
Connector for SCEP sends a Certificate Authority Capabilities Retrieval Succeeded event to EventBridge when it receives a SCEP GetCACaps request and successfully retrieves the CA's capabilities.
The following is example data for this event.
Certificate Authority Capabilities Retrieval Failed
Connector for SCEP sends a Certificate Authority Capabilities Retrieval Failed event to EventBridge when it receives a SCEP GetCACaps request but cannot retrieve the CA's capabilities. The event includes the reason for the failure.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Authority Capabilities Retrieval Failed",
  "source": "aws.pca-connector-scep",
  "account": "111122223333",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "failure",
    "requestType": "GetCACaps",
    "reason": "The request was denied due to request throttling."
  }
}
Unsupported Operation Invoked
If an operation sent to the connector's SCEP endpoint is unsupported or unknown, the connector sends an Unsupported Operation Invoked event to EventBridge. Unlike the other event types, this event carries an empty detail object, so it has no result or reason field to match on.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Unsupported Operation Invoked",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {}
}
Creating EventBridge rules
In EventBridge, you can create rules that respond to the events Connector for SCEP publishes. To create a rule that matches all events that Connector for SCEP records, set the source to aws.pca-connector-scep. To act only on problems, match on detail-type rather than on detail.result, because the Unsupported Operation Invoked event has an empty detail object and a rule keyed on result would silently miss it. For more information about rules, see Creating rules in Amazon EventBridge.
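The following is an added example, not code from the Connector for SCEP documentation or from the service itself. It builds sample events in the envelope shown above (the ARNs, account ID and event IDs are placeholder values constructed for the example), implements the exact-value subset of EventBridge event-pattern matching so the rule patterns from the previous section can be checked offline, and triages each event into the fields a responder needs. The names ALL_EVENTS, ALERT_EVENTS, FAILURE_RESULT_ONLY, matches, triage and lambda_handler are chosen for this example and are not part of the service.

```python
"""Triage Connector for SCEP events from EventBridge and test them against rule patterns.
Added example, not code from the Connector for SCEP documentation. Event shapes follow the
samples on this page; the ARNs, account ID and event IDs are constructed placeholders."""
import json

SOURCE = "aws.pca-connector-scep"
CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:"
          "certificate-authority/11223344-1234-1122-2233-112233445566")
CONNECTOR_ARN = ("arn:aws:pca-connector-scep:us-east-1:111122223333:"
                 "connector/11223344-1234-1122-2233-112233445566")

# Detail types worth alerting on: every failure, plus probes with unknown SCEP operations.
ALERT_DETAIL_TYPES = [
    "Certificate Issuance Failed",
    "Certificate Authority Certificate Retrieval Failed",
    "Certificate Authority Capabilities Retrieval Failed",
    "Unsupported Operation Invoked",
]

ALL_EVENTS = {"source": [SOURCE]}  # the pattern this page recommends
ALERT_EVENTS = {"source": [SOURCE], "detail-type": ALERT_DETAIL_TYPES}
# Incomplete alternative: Unsupported Operation Invoked has an empty detail, so it never matches.
FAILURE_RESULT_ONLY = {"source": [SOURCE], "detail": {"result": ["failure"]}}


def sample_event(detail_type, detail):
    """Constructed sample in the envelope shown on this page (placeholder IDs, not real resources)."""
    return {
        "version": "0",
        "id": "event_ID",
        "detail-type": detail_type,
        "source": SOURCE,
        "account": "111122223333",
        "time": "2024-09-12T19:14:56Z",
        "region": "us-east-1",
        "resources": [CA_ARN, CONNECTOR_ARN],
        "detail": detail,
    }


ISSUANCE_SUCCEEDED = sample_event("Certificate Issuance Succeeded", {
    "result": "success", "requestType": "PkiOperationPost",
    "certificateArn": CA_ARN + "/certificate/certificate_ID"})
ISSUANCE_FAILED = sample_event("Certificate Issuance Failed", {
    "result": "failure", "requestType": "PkiOperationPost",
    "reason": "The certificate authority is not active."})
UNSUPPORTED_OPERATION = sample_event("Unsupported Operation Invoked", {})


def matches(pattern, event):
    """Exact-value subset of EventBridge pattern matching: a dict recurses into the same
    key of the event, a list is the set of acceptable literal values. Content filters
    (prefix, anything-but, numeric) are deliberately not implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(value in expected for value in candidates):
                return False
    return True


def triage(event):
    """Flatten an event into the fields a responder needs."""
    detail = event.get("detail") or {}
    resources = event.get("resources", [])
    connector_arn = next((a for a in resources if a.startswith("arn:aws:pca-connector-scep:")), None)
    ca_arn = next((a for a in resources if a.startswith("arn:aws:acm-pca:")), None)
    detail_type = event.get("detail-type", "")
    return {
        "detail_type": detail_type,
        "request_type": detail.get("requestType"),
        "result": detail.get("result"),
        "reason": detail.get("reason"),
        "connector_id": connector_arn.rsplit("/", 1)[-1] if connector_arn else None,
        "ca_arn": ca_arn,
        # Unsupported Operation Invoked has no result field, so severity comes from detail-type.
        "severity": "alert" if detail_type in ALERT_DETAIL_TYPES else "info",
    }


def lambda_handler(event, context=None):
    """Entry point for a Lambda target of the ALERT_EVENTS rule; returns the triage summary."""
    summary = triage(event)
    print(json.dumps(summary))
    return summary


if __name__ == "__main__":
    for ev in (ISSUANCE_SUCCEEDED, ISSUANCE_FAILED, UNSUPPORTED_OPERATION):
        print(f"{ev['detail-type']}: ALERT_EVENTS={matches(ALERT_EVENTS, ev)} "
              f"FAILURE_RESULT_ONLY={matches(FAILURE_RESULT_ONLY, ev)}")
        lambda_handler(ev)
```

To install a pattern as a real rule, pass json.dumps(ALERT_EVENTS) to aws events put-rule --event-pattern (or to PutRule in an SDK) and attach the Lambda function as the target. FAILURE_RESULT_ONLY is included only to show why a rule keyed on detail.result misses the Unsupported Operation Invoked event; the matcher here covers exact-value matching only, so patterns that use EventBridge content filters must be validated against the service.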