Utilizzare PutBucketLogging con un o AWS SDK CLI - Esempi di codice dell'AWS SDK

Ci sono altri AWS SDK esempi disponibili nel repository AWS Doc SDK Examples GitHub .

Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.

Utilizzare PutBucketLogging con un o AWS SDK CLI

I seguenti esempi di codice mostrano come utilizzarePutBucketLogging.

.NET
AWS SDK for .NET
Nota

C'è altro da fare GitHub. Trova l'esempio completo e scopri di più sulla configurazione e l'esecuzione nel Repository di esempi di codice AWS.

using System; using System.IO; using System.Threading.Tasks; using Amazon.S3; using Amazon.S3.Model; using Microsoft.Extensions.Configuration; /// <summary> /// This example shows how to enable logging on an Amazon Simple Storage /// Service (Amazon S3) bucket. You need to have two Amazon S3 buckets for /// this example. The first is the bucket for which you wish to enable /// logging, and the second is the location where you want to store the /// logs. /// </summary> public class ServerAccessLogging { private static IConfiguration _configuration = null!; public static async Task Main() { LoadConfig(); string bucketName = _configuration["BucketName"]; string logBucketName = _configuration["LogBucketName"]; string logObjectKeyPrefix = _configuration["LogObjectKeyPrefix"]; string accountId = _configuration["AccountId"]; // If the AWS Region defined for your default user is different // from the Region where your Amazon S3 bucket is located, // pass the Region name to the Amazon S3 client object's constructor. // For example: RegionEndpoint.USWest2 or RegionEndpoint.USEast2. IAmazonS3 client = new AmazonS3Client(); try { // Update bucket policy for target bucket to allow delivery of logs to it. await SetBucketPolicyToAllowLogDelivery( client, bucketName, logBucketName, logObjectKeyPrefix, accountId); // Enable logging on the source bucket. await EnableLoggingAsync( client, bucketName, logBucketName, logObjectKeyPrefix); } catch (AmazonS3Exception e) { Console.WriteLine($"Error: {e.Message}"); } } /// <summary> /// This method grants appropriate permissions for logging to the /// Amazon S3 bucket where the logs will be stored. /// </summary> /// <param name="client">The initialized Amazon S3 client which will be used /// to apply the bucket policy.</param> /// <param name="sourceBucketName">The name of the source bucket.</param> /// <param name="logBucketName">The name of the bucket where logging /// information will be stored.</param> /// <param name="logPrefix">The logging prefix where the logs should be delivered.</param> /// <param name="accountId">The account id of the account where the source bucket exists.</param> /// <returns>Async task.</returns> public static async Task SetBucketPolicyToAllowLogDelivery( IAmazonS3 client, string sourceBucketName, string logBucketName, string logPrefix, string accountId) { var resourceArn = @"""arn:aws:s3:::" + logBucketName + "/" + logPrefix + @"*"""; var newPolicy = @"{ ""Statement"":[{ ""Sid"": ""S3ServerAccessLogsPolicy"", ""Effect"": ""Allow"", ""Principal"": { ""Service"": ""logging.s3.amazonaws.com"" }, ""Action"": [""s3:PutObject""], ""Resource"": [" + resourceArn + @"], ""Condition"": { ""ArnLike"": { ""aws:SourceArn"": ""arn:aws:s3:::" + sourceBucketName + @""" }, ""StringEquals"": { ""aws:SourceAccount"": """ + accountId + @""" } } }] }"; Console.WriteLine($"The policy to apply to bucket {logBucketName} to enable logging:"); Console.WriteLine(newPolicy); PutBucketPolicyRequest putRequest = new PutBucketPolicyRequest { BucketName = logBucketName, Policy = newPolicy, }; await client.PutBucketPolicyAsync(putRequest); Console.WriteLine("Policy applied."); } /// <summary> /// This method enables logging for an Amazon S3 bucket. Logs will be stored /// in the bucket you selected for logging. Selected prefix /// will be prepended to each log object. /// </summary> /// <param name="client">The initialized Amazon S3 client which will be used /// to configure and apply logging to the selected Amazon S3 bucket.</param> /// <param name="bucketName">The name of the Amazon S3 bucket for which you /// wish to enable logging.</param> /// <param name="logBucketName">The name of the Amazon S3 bucket where logging /// information will be stored.</param> /// <param name="logObjectKeyPrefix">The prefix to prepend to each /// object key.</param> /// <returns>Async task.</returns> public static async Task EnableLoggingAsync( IAmazonS3 client, string bucketName, string logBucketName, string logObjectKeyPrefix) { Console.WriteLine($"Enabling logging for bucket {bucketName}."); var loggingConfig = new S3BucketLoggingConfig { TargetBucketName = logBucketName, TargetPrefix = logObjectKeyPrefix, }; var putBucketLoggingRequest = new PutBucketLoggingRequest { BucketName = bucketName, LoggingConfig = loggingConfig, }; await client.PutBucketLoggingAsync(putBucketLoggingRequest); Console.WriteLine($"Logging enabled."); } /// <summary> /// Loads configuration from settings files. /// </summary> public static void LoadConfig() { _configuration = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("settings.json") // Load settings from .json file. .AddJsonFile("settings.local.json", true) // Optionally, load local settings. .Build(); } }
CLI
AWS CLI

Esempio 1: per impostare la registrazione delle policy relative ai bucket

L'put-bucket-loggingesempio seguente imposta la politica di registrazione per. MyBucket Innanzitutto, concedi al servizio di registrazione l'autorizzazione principale nella tua policy del bucket utilizzando il comando. put-bucket-policy

aws s3api put-bucket-policy \ --bucket MyBucket \ --policy file://policy.json

Contenuto di policy.json.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow", "Principal": {"Service": "logging.s3.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MyBucket/Logs/*", "Condition": { "ArnLike": {"aws:SourceARN": "arn:aws:s3:::SOURCE-BUCKET-NAME"}, "StringEquals": {"aws:SourceAccount": "SOURCE-AWS-ACCOUNT-ID"} } } ] }

Per applicare la politica di registrazione, usa. put-bucket-logging

aws s3api put-bucket-logging \ --bucket MyBucket \ --bucket-logging-status file://logging.json

Contenuto di logging.json.

{ "LoggingEnabled": { "TargetBucket": "MyBucket", "TargetPrefix": "Logs/" } }

Il put-bucket-policy comando è necessario per concedere s3:PutObject le autorizzazioni al responsabile del servizio di registrazione.

Per ulteriori informazioni, consulta Amazon S3 Server Access Logging nella Amazon S3 User Guide.

Esempio 2: impostare una policy sui bucket per registrare l'accesso a un solo utente

L'put-bucket-loggingesempio seguente imposta la politica di registrazione per. MyBucket L' AWS utente bob@example.com avrà il pieno controllo sui file di registro e nessun altro potrà accedervi. Innanzitutto, concedi l'autorizzazione a S3 conput-bucket-acl.

aws s3api put-bucket-acl \ --bucket MyBucket \ --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \ --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Quindi applica la politica di registrazione utilizzando. put-bucket-logging

aws s3api put-bucket-logging \ --bucket MyBucket \ --bucket-logging-status file://logging.json

Contenuto di logging.json.

{ "LoggingEnabled": { "TargetBucket": "MyBucket", "TargetPrefix": "MyBucketLogs/", "TargetGrants": [ { "Grantee": { "Type": "AmazonCustomerByEmail", "EmailAddress": "bob@example.com" }, "Permission": "FULL_CONTROL" } ] } }

il put-bucket-acl comando è necessario per concedere al sistema di consegna dei log di S3 le autorizzazioni necessarie (autorizzazioni di scrittura e lettura acp).

Per ulteriori informazioni, consulta Amazon S3 Server Access Logging nella Amazon S3 Developer Guide.