Using Connector for SCEP with EventBridge
You can use Amazon EventBridge to automate your Amazon services and respond automatically to system events, such as application availability issues or resource changes. Events from Amazon services are delivered to EventBridge in near real time. You can write simple rules to indicate which events you are interested in and which automated actions to take when an event matches a rule. EventBridge delivers events at least once. For more information, see Creating rules that react to events in EventBridge.
CloudWatch uses EventBridge to turn events into actions. With EventBridge, you can use events to trigger targets. For more information, see What is Amazon EventBridge?
Connector for SCEP event types
Certificate Issuance Succeeded
Connector for SCEP sends a Certificate Issuance Succeeded event to EventBridge when we issue a certificate in response to a PkiOperationPost request.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Issuance Succeeded",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "success",
    "requestType": "PkiOperationPost",
    "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
  }
}
Certificate Issuance Failed
Connector for SCEP sends a Certificate Issuance Failed event to EventBridge when we cannot issue a certificate in response to a PkiOperationPost request.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Issuance Failed",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "failure",
    "requestType": "PkiOperationPost",
    "reason": "The certificate authority is not active."
  }
}
Certificate Authority Certificate Retrieval Succeeded
Connector for SCEP sends a Certificate Authority Certificate Retrieval Succeeded event to EventBridge when we receive a GetCACert request and successfully retrieve the connector's private CA certificate.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Authority Certificate Retrieval Succeeded",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "success",
    "requestType": "GetCACert"
  }
}
Certificate Authority Certificate Retrieval Failed
Connector for SCEP sends a Certificate Authority Certificate Retrieval Failed event to EventBridge when we receive a GetCACert request but cannot retrieve the connector's private CA certificate. The event includes the reason for the failure.
The following is example data for this event.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Certificate Authority Certificate Retrieval Failed",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {
    "result": "failure",
    "requestType": "GetCACert",
    "reason": "The certificate authority certificate validity must be at least one year from today."
  }
}
Certificate Authority Capabilities Retrieval Succeeded
Connector for SCEP sends a Certificate Authority Capabilities Retrieval Succeeded event to EventBridge when we receive a SCEP GetCACaps request and successfully retrieve the CA's capabilities.
The following is example data for this event.
Certificate Authority Capabilities Retrieval Failed
Connector for SCEP sends a Certificate Authority Capabilities Retrieval Failed event to EventBridge when we receive a SCEP GetCACaps request but cannot retrieve the CA's capabilities. We note the reason for the failure in the event.
The following is example data for this event.
{
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detailType": "Certificate Authority Capabilities Retrieval Failed",
  "detail": {
    "result": "failure",
    "requestType": "GetCACaps",
    "reason": "The request was denied due to request throttling."
  },
  "source": "aws.pca-connector-scep",
  "accountId": "111122223333"
}
Unsupported Operation Invoked
Connector for SCEP sends an Unsupported Operation Invoked event to EventBridge if an operation sent to the connector endpoint is unsupported or unknown.
{
  "version": "0",
  "id": "event_ID",
  "detail-type": "Unsupported Operation Invoked",
  "source": "aws.pca-connector-scep",
  "account": "account",
  "time": "2024-09-12T19:14:56Z",
  "region": "region",
  "resources": [
    "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
    "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
  ],
  "detail": {}
}
Creating EventBridge rules
In EventBridge, you can create rules that respond to events recorded by CloudTrail. To create a rule that covers all events that Connector for SCEP records, set the source to aws.pca-connector-scep. For more information about rules, see Creating rules in Amazon EventBridge.
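The following Python is an added example, not code from the AWS documentation or the Connector for SCEP service: it models two rule patterns for the event types listed above (one keyed on detail.result, one on detail-type, because the Unsupported Operation Invoked event carries an empty detail), re-implements an assumed subset of EventBridge's exact-match semantics to show which sample events each pattern selects, and reduces the matches to the fields a responder needs. The pattern dicts, matcher, sample events and the EXAMPLE_ID connector ARN are all constructed for illustration.

```python
# Constructed rule patterns (assumed; not from the page). Every key in a pattern
# must appear in the event, and a list of values means "equals any of these".
FAILURE_PATTERN = {"source": ["aws.pca-connector-scep"],
                   "detail": {"result": ["failure"]}}
# "Unsupported Operation Invoked" ships an empty detail, so match on detail-type.
UNSUPPORTED_PATTERN = {"source": ["aws.pca-connector-scep"],
                       "detail-type": ["Unsupported Operation Invoked"]}

def matches(pattern, event):
    """Minimal re-implementation (assumed subset) of EventBridge exact matching:
    a dict in the pattern recurses into the nested field, and a list-valued event
    field (such as "resources") matches when any element is an allowed value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True

def triage(event):
    """Reduce a matched event to what an on-call responder needs."""
    detail = event.get("detail", {})
    connectors = [r for r in event.get("resources", []) if ":connector/" in r]
    return {"connector": connectors[0] if connectors else None,
            "operation": detail.get("requestType", "unknown"),
            "reason": detail.get("reason", "unsupported or unknown SCEP operation")}

# Constructed sample events shaped like the page's examples (placeholder ARN).
CONNECTOR = "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/EXAMPLE_ID"
SAMPLE_EVENTS = [
    {"source": "aws.pca-connector-scep", "detail-type": "Certificate Issuance Failed",
     "resources": [CONNECTOR], "detail": {"result": "failure", "requestType":
     "PkiOperationPost", "reason": "The certificate authority is not active."}},
    {"source": "aws.pca-connector-scep", "detail-type": "Certificate Issuance Succeeded",
     "resources": [CONNECTOR], "detail": {"result": "success", "requestType": "PkiOperationPost"}},
    {"source": "aws.pca-connector-scep", "detail-type": "Unsupported Operation Invoked",
     "resources": [CONNECTOR], "detail": {}},
]

def alerts(events=SAMPLE_EVENTS):
    """Return triage records for every event a responder should look at."""
    return [triage(e) for e in events
            if matches(FAILURE_PATTERN, e) or matches(UNSUPPORTED_PATTERN, e)]
```

The success event is dropped and the two others surface with their connector ARN, operation and reason, which is the shape you would forward from a Lambda target to a ticketing or SIEM pipeline.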