# Track privileged tasks in Amazon CloudTrail
<a name="cloudtrail-track-privileged-tasks"></a>

The Amazon Organizations management account or the delegated administrator account for IAM can use short-term root access to perform some root user tasks on member accounts. A short-term privileged session gives you temporary credentials that you can scope to [perform privileged actions](id_root-user-privileged-task.md) on a member account in your organization. You can use the following steps to identify the actions that the management account or delegated administrator took during an [AssumeRoot](https://docs.amazonaws.cn/STS/latest/APIReference/API_AssumeRoot.html) session.

**Note**  
The global endpoint does not support `sts:AssumeRoot`. CloudTrail logs the `ConsoleLogin` event in the Region specified for the endpoint.

**To track the actions performed by a privileged session in your CloudTrail logs**

1. Find the `AssumeRoot` event in your CloudTrail logs. This event is generated when your management account or the delegated administrator for IAM obtains a set of short-term credentials from `sts:AssumeRoot`.

   In the following example, the CloudTrail event log records `AssumeRoot` in the `eventName` field.

   ```json
   {
       "eventVersion": "1.08",
       "userIdentity": {
           "type": "AssumedRole",
           "principalId": "AIDACKCEVSQ6C2EXAMPLE:JohnRole1",
           "arn": "arn:aws:sts::111111111111:assumed-role/John/JohnRole1",
           "accountId": "111111111111",
           "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
           "sessionContext": {
               "sessionIssuer": {
                   "type": "Role",
                   "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                   "arn": "arn:aws:iam::111111111111:role/John",
                   "accountId": "111111111111",
                   "userName": "Admin2"
               },
               "webIdFederationData": {},
               "attributes": {
                   "creationDate": "2024-10-25T20:45:28Z",
                   "mfaAuthenticated": "false"
               },
               "assumedRoot": "true"
           }
       },
       "eventTime": "2024-10-25T20:52:11Z",
       "eventSource": "sts.amazonaws.com",
       "eventName": "AssumeRoot",
       "awsRegion": "us-west-2",
       "sourceIPAddress": "192.0.2.1",
       "requestParameters": {
           "targetPrincipal": "222222222222",
           "taskPolicyArn": {
               "arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
           }
       },
       "responseElements": {
           "credentials": {
               "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
               "sessionToken": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
               "expiration": "Oct 25, 2024, 9:07:11 PM"
           }
       }
   }
   ```

   For the steps to access your CloudTrail logs, see [Getting and viewing your CloudTrail log files](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *Amazon CloudTrail User Guide*.

1. In the CloudTrail event log, locate the `targetPrincipal`, which identifies the member account in which the actions were taken, and the unique `accessKeyId` of the `AssumeRoot` session.

   In the following example, the `targetPrincipal` is 222222222222 and the `accessKeyId` is ASIAIOSFODNN7EXAMPLE.

   ```json
   {
       "eventTime": "2024-10-25T20:52:11Z",
       "eventSource": "sts.amazonaws.com",
       "eventName": "AssumeRoot",
       "awsRegion": "us-west-2",
       "sourceIPAddress": "192.0.2.1",
       "requestParameters": {
           "targetPrincipal": "222222222222",
           "taskPolicyArn": {
               "arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
           }
       },
       "responseElements": {
           "credentials": {
               "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
               "sessionToken": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
               "expiration": "Oct 25, 2024, 9:07:11 PM"
           }
       }
   }
   ```

1. In the CloudTrail logs of the target principal, search for the access key ID that matches the `accessKeyId` value from the `AssumeRoot` event. Use the `eventName` field values to identify the privileged tasks performed during the `AssumeRoot` session. Multiple privileged tasks may be performed within a single session. The maximum session duration for `AssumeRoot` is 900 seconds (15 minutes).

   In the following example, the management account or delegated administrator deleted the resource-based policy of an Amazon S3 bucket.

   ```json
   {
       "eventVersion": "1.10",
       "userIdentity": {
           "type": "Root",
           "principalId": "222222222222",
           "arn": "arn:aws:iam::222222222222:root",
           "accountId": "222222222222",
           "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
           "sessionContext": {
               "attributes": {
                   "creationDate": "2024-10-25T20:52:11Z",
                   "mfaAuthenticated": "false"
               }
           }
       },
       "eventTime": "2024-10-25T20:53:47Z",
       "eventSource": "s3.amazonaws.com",
       "eventName": "DeleteBucketPolicy",
       "awsRegion": "us-west-2",
       "sourceIPAddress": "192.0.2.1",
       "requestParameters": {
           "bucketName": "resource-policy-John",
           "Host": "resource-policy-John.s3.amazonaws.com",
           "policy": ""
       },
       "responseElements": null,
       "requestID": "1234567890abcdef0",
       "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
       "readOnly": false,
       "resources": [
           {
               "accountId": "222222222222",
               "type": "AWS::S3::Bucket",
               "ARN": "arn:aws:s3:::resource-policy-John"
           }
       ],
       "eventType": "AwsApiCall",
       "managementEvent": true,
       "recipientAccountId": "222222222222",
       "eventCategory": "Management",
       "tlsDetails": {
           "tlsVersion": "TLSv1.3",
           "cipherSuite": "TLS_AES_128_GCM_SHA256",
           "clientProvidedHostHeader": "resource-policy-John.s3.amazonaws.com"
       }
   }
   ```
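The three steps above describe a manual correlation. The following Python script, added here as an example and not part of the Amazon documentation, automates it over a set of CloudTrail records: it finds `AssumeRoot` events and takes the `accessKeyId` and `targetPrincipal` from each (steps 1 and 2), then lists the events recorded in the target account under that key within the 900-second maximum session window (step 3). The `load_records` helper and the sample records are assumptions: the records are constructed from the two events shown on this page, trimmed to the fields the correlation needs, plus one unrelated root event with a different key to show what does not match. The `unmatched_root_events` check goes one step beyond the procedure on this page and lists root activity that no `AssumeRoot` session accounts for.

```python
"""Correlate sts:AssumeRoot sessions with the privileged actions taken under
them, using CloudTrail records. Added example; not Amazon's own code."""
import json
from datetime import datetime, timedelta, timezone

# Documented maximum AssumeRoot session duration (900 seconds).
ASSUME_ROOT_MAX_SESSION = timedelta(seconds=900)

# Constructed sample records, trimmed to the fields the correlation needs.
# The first two mirror the events shown on this page; the third is an unrelated
# root event with a different key, included to show what does not match.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-10-25T20:52:11Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoot", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/John/JohnRole1"},
        "requestParameters": {"targetPrincipal": "222222222222",
                              "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"}},
        "responseElements": {"credentials": {"accessKeyId": "ASIAIOSFODNN7EXAMPLE"}},
    },
    {
        "eventTime": "2024-10-25T20:53:47Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.1",
        "userIdentity": {"type": "Root", "accountId": "222222222222",
                         "arn": "arn:aws:iam::222222222222:root", "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
        "recipientAccountId": "222222222222",
    },
    {
        "eventTime": "2024-10-25T21:30:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "accountId": "222222222222",
                         "arn": "arn:aws:iam::222222222222:root", "accessKeyId": "ASIAEXAMPLEKEY000002"},
        "recipientAccountId": "222222222222",
    },
]


def load_records(path):
    """Read one CloudTrail log file ({"Records": [...]}) from disk (assumed input format)."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)["Records"]


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-10-25T20:52:11Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_assume_root_sessions(records):
    """Steps 1 and 2: each successful AssumeRoot event yields one session, keyed by
    the accessKeyId that STS returned, with the targetPrincipal it was scoped to."""
    sessions = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRoot":
            continue
        creds = (r.get("responseElements") or {}).get("credentials") or {}
        if "accessKeyId" not in creds:
            continue  # a denied AssumeRoot call returns no credentials, hence no session
        params = r.get("requestParameters") or {}
        sessions.append({
            "accessKeyId": creds["accessKeyId"],
            "targetPrincipal": params.get("targetPrincipal"),
            "taskPolicyArn": (params.get("taskPolicyArn") or {}).get("arn"),
            "caller": (r.get("userIdentity") or {}).get("arn"),
            "startTime": parse_event_time(r["eventTime"]),
        })
    return sessions


def find_privileged_tasks(session, records):
    """Step 3: events in the target account whose userIdentity carries the session's
    access key. The identity type is Root, and nothing can fall outside the 900 s window."""
    start = session["startTime"]
    end = start + ASSUME_ROOT_MAX_SESSION
    tasks = []
    for r in records:
        ident = r.get("userIdentity") or {}
        if ident.get("accessKeyId") != session["accessKeyId"] or ident.get("type") != "Root":
            continue
        if ident.get("accountId") != session["targetPrincipal"]:
            continue
        if not start <= parse_event_time(r["eventTime"]) <= end:
            continue
        tasks.append({"eventTime": r["eventTime"], "eventSource": r["eventSource"],
                      "eventName": r["eventName"], "sourceIPAddress": r.get("sourceIPAddress")})
    return tasks


def correlate(records):
    """One report entry per AssumeRoot session, with the tasks performed under it."""
    return [dict(s, tasks=find_privileged_tasks(s, records)) for s in find_assume_root_sessions(records)]


def unmatched_root_events(records):
    """Root-type events whose access key belongs to no AssumeRoot session in the same
    record set. Not part of the steps on this page, but worth reviewing separately."""
    session_keys = {s["accessKeyId"] for s in find_assume_root_sessions(records)}
    return [r for r in records
            if (r.get("userIdentity") or {}).get("type") == "Root"
            and (r.get("userIdentity") or {}).get("accessKeyId") not in session_keys]


if __name__ == "__main__":
    for entry in correlate(SAMPLE_RECORDS):
        print(f"{entry['caller']} -> account {entry['targetPrincipal']} "
              f"({entry['taskPolicyArn']}), key {entry['accessKeyId']}:")
        for t in entry["tasks"]:
            print(f"  {t['eventTime']} {t['eventSource']} {t['eventName']} from {t['sourceIPAddress']}")
    for r in unmatched_root_events(SAMPLE_RECORDS):
        print(f"review separately: {r['eventTime']} {r['eventName']} key {r['userIdentity']['accessKeyId']}")
```

Feed the script both record sets: the `AssumeRoot` event is written to the management account's trail in the Region of the regional endpoint that was called (see the note above), while the tasks appear in the target member account's trail. An organization trail carries both in one place, so one `load_records` pass over its log files is enough there.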