本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用 SCEP API 调用的日志连接器 Amazon CloudTrail
简单证书注册协议 (SCEP) 连接器与 Amazon CloudTrail一项服务集成,该服务提供用户、角色、客户机或 Amazon 服务所执行操作的记录。 CloudTrail 捕获所有 SCEP 连接器的 API 调用作为事件。捕获的调用包括来自连接器用于 SCEP 控制台的调用和对连接器进行 SCEP API 操作的代码调用。如果您创建跟踪,则可以允许将 CloudTrail 事件持续传输到 Amazon S3 存储桶,包括适用于 SCEP 的 Connector 的事件。如果您未配置跟踪,您仍然可以在 CloudTrail 控制台的 “事件**历史记录” 中查看最新的事件**。使用收集的信息 CloudTrail,您可以确定向 Connector 发出 SCEP 的请求、发出请求的 IP 地址、谁发出了请求、何时发出请求以及其他详细信息。
要了解更多信息 CloudTrail,请参阅[Amazon CloudTrail 用户指南](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)。
## 用于存放 SCEP 信息的连接器 CloudTrail
CloudTrail 在您创建账户 Amazon Web Services 账户 时已在您的账户上启用。当 Connector for SCEP 中发生活动时,该活动会与其他 Amazon 服务 CloudTrail 事件一起记录在**事件历史**记录中。您可以在中查看、搜索和下载最近发生的事件 Amazon Web Services 账户。有关更多信息,请参阅[使用事件历史记录查看 CloudTrail 事件](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/view-cloudtrail-events.html)。
要持续记录您的事件 Amazon Web Services 账户,包括适用于 SCEP 的 Connector 的事件,请创建跟踪。*跟踪*允许 CloudTrail 将日志文件传输到 Amazon S3 存储桶。默认情况下,在控制台中创建跟踪记录时,此跟踪记录应用于所有 Amazon Web Services 区域。跟踪记录 Amazon 分区中所有区域的事件,并将日志文件传送到您指定的 Amazon S3 存储桶。此外,您可以配置其他 Amazon 服务,以进一步分析和处理 CloudTrail 日志中收集的事件数据。有关更多信息,请参阅下列内容:
+ [创建跟踪记录概述](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail 支持的服务和集成](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [配置 Amazon SNS 通知 CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [接收来自多个区域的 CloudTrail 日志文件](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)和[接收来自多个账户的 CloudTrail 日志文件](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
所有用于 SCEP 的连接器操作都由记录 CloudTrail 并记录在《[适用于 SCEP 的连接器 API](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/Welcome.html) 参考手册》中。例如,调用`GetConnector`和`CreateChallenge`操作会在 CloudTrail 日志文件中生成条目。`CreateConnector`
每个事件或日志条目都包含有关生成请求的人员信息。身份信息有助于您确定以下内容:
+ 请求是使用根证书还是 Amazon Identity and Access Management (IAM) 用户凭证发出。
+ 请求是使用角色还是联合用户的临时安全凭证发出的。
+ 请求是否由其他 Amazon 服务发出。
+ 请求是否由 SCEP 客户端设备发出。
有关更多信息,请参阅 [CloudTrail userIdentity 元素](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)。
## SCEP 管理事件的连接器
SCEP 连接器与 CloudTrail 集成,用于记录用户、角色或 Amazon 服务在 SCEP 连接器中执行的 API 操作。您可以使用 CloudTrail 实时监控 Connector 的 SCEP API 请求,并将日志存储在亚马逊简单存储服务、亚马逊 CloudWatch 日志和亚马逊 CloudWatch 事件中。SCEP 连接器支持将以下操作作为事件记录在 CloudTrail 日志文件中:
+ [CreateChallenge](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_CreateChallenge.html)
+ [CreateConnector](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_CreateConnector.html)
+ [GetConnector](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_GetConnector.html)
+ [GetChallengeMetadata](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_GetChallengeMetadata.html)
+ [GetChallengePassword](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_GetChallengePassword.html)
+ [DeleteConnector](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_DeleteConnector.html)
+ [DeleteChallenge](https://docs.amazonaws.cn/pca-connector-scep/latest/APIReference/API_DeleteChallenge.html)
## 用于 SCEP 数据事件的连接器 CloudTrail
[数据事件](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events)提供有关在资源上或资源中执行的资源操作的信息,例如,当您的客户端向连接器端点发送 SCEP `GetCACaps` 消息时。这些也称为数据面板操作。数据事件通常是高容量活动。默认情况下, CloudTrail 不记录任何数据事件, CloudTrail **事件历史**记录也不记录这些事件。
记录数据事件将收取额外费用。有关 CloudTrail 定价的更多信息,请参阅[Amazon CloudTrail 定价](https://www.amazonaws.cn/cloudtrail/pricing/)。
您可以使用 CloudTrail 控制台或 CloudTrail API 操作记录`AWS::PCAConnectorSCEP::Connector`资源类型的数据事件。 Amazon CLI有关如何记录数据事件的更多信息,请参阅《Amazon CloudTrail 用户指南》**中的[使用 Amazon Web Services 管理控制台记录数据事件](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console)和[使用 Amazon Command Line Interface记录数据事件](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI)。
下表列出了您可以记录数据事件的 SCEP 连接器资源类型。**数据事件类型(控制台)**列显示要从控制 CloudTrail 台上的**数据事件类型**列表中选择的值。res **ources.type 值**列显示该`resources.type`值,您将在使用或 API 配置高级事件选择器时指定该值。 Amazon CLI CloudTrail “**记录到的数据 API CloudTrail**” 列显示了 CloudTrail 针对该资源类型记录的 API 调用。
| 数据事件类型(控制台) | resources.type 值 | 数据 API 已登录到 CloudTrail |
| --- | --- | --- |
| 连接器 | AWS::PCAConnectorSCEP::Connector | [See the AWS documentation website for more details](http://docs.amazonaws.cn/privateca/latest/userguide/logging-using-cloudtrail-c4scep.html) |
您可以将高级事件选择器配置为在 `eventName`、`readOnly` 和 `resources.ARN` 字段上进行筛选,从而仅记录那些对您很重要的事件。以下示例是数据事件配置的 JSON 视图,该视图仅记录特定函数的事件。有关这些字段的更多信息,请参阅《Amazon CloudTrail API 参考》**中的 [https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html)。
```
[
{
"name": "connector-scep-events",
"fieldSelectors": [
{
"field": "eventCategory",
"equals": [
"Data"
]
},
{
"field": "resources.type",
"equals": [
"AWS::PCAConnectorSCEP::Connector"
]
},
{
"field": "resources.ARN",
"equals": [
"{{arn:aws:pca-connector-scep:US West (N. California):111122223333:connector/11223344-1122-2233-3344-cae95a00d2a7}}"
]
}
]
}
]
```
## 示例条目
跟踪是一种配置,允许将事件作为日志文件传输到您指定的 Amazon S3 存储桶。 CloudTrail 日志文件包含一个或多个日志条目。事件代表来自任何来源的单个请求,包括有关请求的操作、操作的日期和时间、请求参数等的信息。 CloudTrail 日志文件不是公共 API 调用的有序堆栈跟踪,因此它们不会按任何特定的顺序出现。
**示例 1:管理事件,`CreateConnector`**
以下示例显示了演示该`CreateConnector`操作的 CloudTrail 日志条目。
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AABB1122CCDD4455HHJJ1:11cc33nn2a97724dc48a89071111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AABB1122CCDD4455HHJJ1",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "my-user-name"
},
"attributes": {
"creationDate": "2024-08-16T17:46:41Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-08-16T17:48:07Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "CreateConnector",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"requestParameters": {
"ClientToken": "11223344-2222-3333-4444-666555444555",
"CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": {
"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
**示例 2:管理事件,`CreateChallenge`**
以下示例显示了演示该`CreateChallenge`操作的 CloudTrail 日志条目。
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AABB1122CCDD4455HHJJ1:11cc33nn2a97724dc48a89071111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AABB1122CCDD4455HHJJ1",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "user-name"
},
"attributes": {
"creationDate": "2024-08-16T17:46:41Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-08-16T17:47:52Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "CreateChallenge",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"requestParameters": {
"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ClientToken": "11223344-2222-3333-4444-666555444555"
},
"responseElements": {
"Challenge": {
"Arn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/9cac40bc-acba-412e-9a24-f255ef2fe79a/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"CreatedAt": 1723830472.942,
"Password": "***",
"UpdatedAt": 1723830472.942
}
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
**示例 3:管理事件,`GetChallengePassword`**
以下示例显示了演示该`GetChallengePassword`操作的 CloudTrail 日志条目。
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AABB1122CCDD4455HHJJ1:11cc33nn2a97724dc48a89071111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AABB1122CCDD4455HHJJ1",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "905418114790",
"userName": "111122223333"
},
"attributes": {
"creationDate": "2024-08-16T17:55:01Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "signin.amazonaws.com"
},
"eventTime": "2024-08-16T17:55:54Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "GetChallengePassword",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"requestParameters": {
"ChallengeArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:challenge/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
**示例 4:数据事件,`PkiOperationPost`**
以下示例显示了演示失败`PkiOperationPost`呼叫的 CloudTrail 日志条目。该日志包括错误代码和错误消息,并说明了失败。
```
{
"eventVersion": "1.10",
"userIdentity": {
"type": "FederatedUser",
"principalId": "111122223333",
"accountId": "111122223333"
},
"eventTime": "2024-08-16T17:40:09Z",
"eventSource": "pca-connector-scep.amazonaws.com",
"eventName": "PkiOperationPost",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.0",
"userAgent": "Python/3.11.8 Darwin/22.6.0 exe/x86_64",
"errorCode": "BadRequestException",
"errorMessage": "The certificate authority is not in a valid state for issuing certificates (Service: AcmPca, Status Code: 400, Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555)",
"requestParameters": null,
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::PCAConnectorSCEP::Connector",
"ARN": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "905418114790",
"eventCategory": "Data",
"tlsDetails": {
"clientProvidedHostHeader": "111122223333-a1b2c3d4-5678-90ab-cdef-EXAMPLE33333.enroll.pca-connector-scep.us-east-1.api.aws"
}
}
```