# 使用 AWS CloudTrail 记录 Amazon CloudFront API 调用
CloudFront 可与 [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) 集成,后者是一项可提供用户、角色或 AWS 服务所执行操作记录的服务。CloudTrail 将对 CloudFront 的所有 API 调用作为事件捕获。捕获的调用包括来自 CloudFront 控制台的调用和对 CloudFront API 操作的代码调用。借助 CloudTrail 收集的信息,您可以确定向 CloudFront 发出的请求、发出请求的 IP 地址、请求的发出时间及其他详细信息。
每个事件或日志条目都包含有关生成请求的人员信息。身份信息有助于您确定以下内容:
+ 请求是使用根用户凭证还是用户凭证发出的。
+ 请求是否代表 IAM Identity Center 用户发出。
+ 请求是使用角色还是联合用户的临时安全凭证发出的。
+ 请求是否由其他 AWS 服务 发出。
当您创建账户并可以自动访问 CloudTrail **事件历史记录**时,CloudTrail 在您的 AWS 账户 中处于活动状态。CloudTrail **事件历史记录**提供对 AWS 区域 中过去 90 天的已记录管理事件的可查看、可搜索、可下载和不可变记录。有关更多信息,请参阅《AWS CloudTrail 用户指南》的[使用 CloudTrail 事件历史记录](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)**。查看**事件历史记录**不会收取 CloudTrail 费用。
要持续记录您的 AWS 账户 过去 90 天的事件,请创建跟踪或 [CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) 事件数据存储。
**CloudTrail 跟踪**
通过*跟踪记录*,CloudTrail 可将日志文件传送至 Amazon S3 存储桶。使用 AWS 管理控制台 创建的所有跟踪均具有多区域属性。您可以通过使用 AWS CLI 创建单区域或多区域跟踪。建议创建多区域跟踪,因为您可记录您账户中的所有 AWS 区域 的活动。如果您创建单区域跟踪,则只能查看跟踪的 AWS 区域 中记录的事件。有关跟踪的更多信息,请参阅《AWS CloudTrail 用户指南》**中的[为您的 AWS 账户 创建跟踪](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)和[为组织创建跟踪](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)。
通过创建跟踪,您可以从 CloudTrail 免费向您的 Amazon S3 存储桶传送一份正在进行的管理事件的副本,但会收取 Amazon S3 存储费用。有关 CloudTrail 定价的更多信息,请参阅 [AWS CloudTrail 定价](https://aws.amazon.com/cloudtrail/pricing/)。有关 Amazon S3 定价的信息,请参阅 [Amazon S3 定价](https://aws.amazon.com/s3/pricing/)。
**CloudTrail Lake 事件数据存储**
*CloudTrail Lake* 允许您对事件运行基于 SQL 的查询。CloudTrail Lake 可将基于行的 JSON 格式的现有事件转换为 [Apache ORC](https://orc.apache.org/) 格式。ORC 是一种针对快速检索数据进行优化的列式存储格式。事件将被聚合到*事件数据存储*中,它是基于您通过应用[高级事件选择器](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-concepts.html#adv-event-selectors)选择的条件的不可变的事件集合。应用于事件数据存储的选择器用于控制哪些事件持续存在并可供您查询。有关 CloudTrail Lake 的更多信息,请参阅《AWS CloudTrail 用户指南》**中的[使用 AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html)。
CloudTrail Lake 事件数据存储和查询会产生费用。创建事件数据存储时,您可以选择要用于事件数据存储的[定价选项](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html#cloudtrail-lake-manage-costs-pricing-option)。定价选项决定了摄取和存储事件的成本,以及事件数据存储的默认和最长保留期。有关 CloudTrail 定价的更多信息,请参阅 [AWS CloudTrail 定价](https://aws.amazon.com/cloudtrail/pricing/)。
**注意**
CloudFront 是一项全球性服务。CloudTrail 可记录美国东部(弗吉尼亚州北部)区域的 CloudFront 事件。有关更多信息,请参阅《AWS CloudTrail 用户指南》**中的[全球服务事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events)。
如果您通过 AWS Security Token Service 使用临时安全凭证,则对区域端点(如 `us-west-2`)的调用将在 CloudTrail 中记录到相应的区域。
有关 CloudFront 端点的更多信息,请参阅《AWS 一般参考》**中的 [CloudFront 端点和配额](https://docs.aws.amazon.com/general/latest/gr/cf_region.html)。
## CloudTrail 中的 CloudFront 数据事件
[数据事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events)可提供对资源或在资源中所执行资源操作(例如,读取或写入 CloudFront 分配)的相关信息。这些也称为数据面板操作。数据事件通常是高容量活动。默认情况下,CloudTrail 不记录数据事件。CloudTrail **事件历史记录**不记录数据事件。
记录数据事件将收取额外费用。有关 CloudTrail 定价的更多信息,请参阅 [AWS CloudTrail 定价](https://aws.amazon.com/cloudtrail/pricing/)。
您可以使用 CloudTrail 控制台、AWS CLI 或 CloudTrail API 操作记录 CloudFront 资源类型的数据事件。有关如何记录数据事件的更多信息,请参阅《AWS CloudTrail 用户指南》**中的[使用 AWS 管理控制台 记录数据事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console)和[使用 AWS Command Line Interface 记录数据事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI)。
下表列出了您可以为其记录数据事件的 CloudFront 资源类型。**数据事件类型(控制台)**列显示可从 CloudTrail 控制台上的**数据事件类型**列表中选择的值。**resources.type 值**列显示了您在使用 AWS CLI 或 CloudTrail API 配置高级事件选择器时需要指定的 `resources.type` 值。**记录到 CloudTrail 的数据 API** 列显示了针对该资源类型记录到 CloudTrail 的 API 调用。
| 数据事件类型(控制台) | resources.type 值 | 记录至 CloudTrail 的数据 API |
| --- | --- | --- |
| CloudFront KeyValueStore | AWS::CloudFront::KeyValueStore | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/AmazonCloudFront/latest/DeveloperGuide/logging_using_cloudtrail.html) |
您可以将高级事件选择器配置为在 `eventName`、`readOnly` 和 `resources.ARN` 字段上进行筛选,从而仅记录那些对您很重要的事件。有关这些字段的更多信息,请参阅《AWS CloudTrail API 参考》**中的 [https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html)。
## CloudTrail 中的 CloudFront 管理事件
[管理事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events)提供对您的 AWS 账户内资源所执行管理操作的相关信息。这些也称为控制面板操作。默认情况下,CloudTrail 会记录管理事件。
Amazon CloudFront 将所有 CloudFront 控制面板操作记录为管理事件。要查看 CloudFront 记录到 CloudTrail 中的 Amazon CloudFront 控制面板操作列表,请参阅 [Amazon CloudFront API 参考](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_Operations_Amazon_CloudFront.html)。
## CloudFront 事件示例
一个事件表示一个来自任何源的请求,包括有关所请求的 API 操作、操作的日期和时间、请求参数等方面的信息。CloudTrail 日志文件不是公用 API 调用的有序堆栈跟踪,因此事件不会按任何特定顺序显示。
**Contents**
+ [示例:UpdateDistribution](#example-cloudfront-service-cloudtrail-log)
+ [示例:UpdateKeys](#example-cloudfront-kvs-cloudtrail-log)
### 示例:UpdateDistribution
下面的示例显示了一个 CloudTrail 事件,该事件说明了 [UpdateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html) 操作。
对于对 CloudFront API 的调用,`eventSource` 是 `cloudfront.amazonaws.com`。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:role-session-name",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/role-session-name",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2024-02-02T19:23:50Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-02-02T19:26:01Z",
"eventSource": "cloudfront.amazonaws.com",
"eventName": "UpdateDistribution",
"awsRegion": "us-east-1",
"sourceIPAddress": "52.94.133.137",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
"requestParameters": {
"distributionConfig": {
"defaultRootObject": "",
"aliases": {
"quantity": 3,
"items": [
"alejandro_rosalez.awsps.myinstance.com",
"cross-testing.alejandro_rosalez.awsps.myinstance.com",
"*.alejandro_rosalez.awsps.myinstance.com"
]
},
"cacheBehaviors": {
"quantity": 0,
"items": []
},
"httpVersion": "http2and3",
"originGroups": {
"quantity": 0,
"items": []
},
"viewerCertificate": {
"minimumProtocolVersion": "TLSv1.2_2021",
"cloudFrontDefaultCertificate": false,
"aCMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"sSLSupportMethod": "sni-only"
},
"webACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/testing-acl/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"customErrorResponses": {
"quantity": 0,
"items": []
},
"logging": {
"includeCookies": false,
"prefix": "",
"enabled": false,
"bucket": ""
},
"priceClass": "PriceClass_All",
"restrictions": {
"geoRestriction": {
"restrictionType": "none",
"quantity": 0,
"items": []
}
},
"isIPV6Enabled": true,
"callerReference": "1578329170895",
"continuousDeploymentPolicyId": "",
"enabled": true,
"defaultCacheBehavior": {
"targetOriginId": "d111111abcdef8",
"minTTL": 0,
"compress": false,
"maxTTL": 31536000,
"functionAssociations": {
"quantity": 0,
"items": []
},
"trustedKeyGroups": {
"quantity": 0,
"items": [],
"enabled": false
},
"smoothStreaming": false,
"fieldLevelEncryptionId": "",
"defaultTTL": 86400,
"lambdaFunctionAssociations": {
"quantity": 0,
"items": []
},
"viewerProtocolPolicy": "redirect-to-https",
"forwardedValues": {
"cookies": {"forward": "none"},
"queryStringCacheKeys": {
"quantity": 0,
"items": []
},
"queryString": false,
"headers": {
"quantity": 1,
"items": ["*"]
}
},
"trustedSigners": {
"items": [],
"enabled": false,
"quantity": 0
},
"allowedMethods": {
"quantity": 2,
"items": [
"HEAD",
"GET"
],
"cachedMethods": {
"quantity": 2,
"items": [
"HEAD",
"GET"
]
}
}
},
"staging": false,
"origins": {
"quantity": 1,
"items": [
{
"originPath": "",
"connectionTimeout": 10,
"customOriginConfig": {
"originReadTimeout": 30,
"hTTPSPort": 443,
"originProtocolPolicy": "https-only",
"originKeepaliveTimeout": 5,
"hTTPPort": 80,
"originSslProtocols": {
"quantity": 3,
"items": [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
}
},
"id": "d111111abcdef8",
"domainName": "d111111abcdef8.cloudfront.net",
"connectionAttempts": 3,
"customHeaders": {
"quantity": 0,
"items": []
},
"originShield": {"enabled": false},
"originAccessControlId": ""
}
]
},
"comment": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"id": "EDFDVBD6EXAMPLE",
"ifMatch": "E1RTLUR9YES76O"
},
"responseElements": {
"distribution": {
"activeTrustedSigners": {
"quantity": 0,
"enabled": false
},
"id": "EDFDVBD6EXAMPLE",
"domainName": "d111111abcdef8.cloudfront.net",
"distributionConfig": {
"defaultRootObject": "",
"aliases": {
"quantity": 3,
"items": [
"alejandro_rosalez.awsps.myinstance.com",
"cross-testing.alejandro_rosalez.awsps.myinstance.com",
"*.alejandro_rosalez.awsps.myinstance.com"
]
},
"cacheBehaviors": {"quantity": 0},
"httpVersion": "http2and3",
"originGroups": {"quantity": 0},
"viewerCertificate": {
"minimumProtocolVersion": "TLSv1.2_2021",
"cloudFrontDefaultCertificate": false,
"aCMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"sSLSupportMethod": "sni-only",
"certificateSource": "acm",
"certificate": "arn:aws:acm:us-east-1:111122223333:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"webACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/testing-acl/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"customErrorResponses": {"quantity": 0},
"logging": {
"includeCookies": false,
"prefix": "",
"enabled": false,
"bucket": ""
},
"priceClass": "PriceClass_All",
"restrictions": {
"geoRestriction": {
"restrictionType": "none",
"quantity": 0
}
},
"isIPV6Enabled": true,
"callerReference": "1578329170895",
"continuousDeploymentPolicyId": "",
"enabled": true,
"defaultCacheBehavior": {
"targetOriginId": "d111111abcdef8",
"minTTL": 0,
"compress": false,
"maxTTL": 31536000,
"functionAssociations": {"quantity": 0},
"trustedKeyGroups": {
"quantity": 0,
"enabled": false
},
"smoothStreaming": false,
"fieldLevelEncryptionId": "",
"defaultTTL": 86400,
"lambdaFunctionAssociations": {"quantity": 0},
"viewerProtocolPolicy": "redirect-to-https",
"forwardedValues": {
"cookies": {"forward": "none"},
"queryStringCacheKeys": {"quantity": 0},
"queryString": false,
"headers": {
"quantity": 1,
"items": ["*"]
}
},
"trustedSigners": {
"enabled": false,
"quantity": 0
},
"allowedMethods": {
"quantity": 2,
"items": [
"HEAD",
"GET"
],
"cachedMethods": {
"quantity": 2,
"items": [
"HEAD",
"GET"
]
}
}
},
"staging": false,
"origins": {
"quantity": 1,
"items": [
{
"originPath": "",
"connectionTimeout": 10,
"customOriginConfig": {
"originReadTimeout": 30,
"hTTPSPort": 443,
"originProtocolPolicy": "https-only",
"originKeepaliveTimeout": 5,
"hTTPPort": 80,
"originSslProtocols": {
"quantity": 3,
"items": [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
}
},
"id": "d111111abcdef8",
"domainName": "d111111abcdef8.cloudfront.net",
"connectionAttempts": 3,
"customHeaders": {"quantity": 0},
"originShield": {"enabled": false},
"originAccessControlId": ""
}
]
},
"comment": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"aliasICPRecordals": [
{
"cNAME": "alejandro_rosalez.awsps.myinstance.com",
"iCPRecordalStatus": "APPROVED"
},
{
"cNAME": "cross-testing.alejandro_rosalez.awsps.myinstance.com",
"iCPRecordalStatus": "APPROVED"
},
{
"cNAME": "*.alejandro_rosalez.awsps.myinstance.com",
"iCPRecordalStatus": "APPROVED"
}
],
"aRN": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE",
"status": "InProgress",
"lastModifiedTime": "Feb 2, 2024 7:26:01 PM",
"activeTrustedKeyGroups": {
"enabled": false,
"quantity": 0
},
"inProgressInvalidationBatches": 0
},
"eTag": "E1YHBLAB2BJY1G"
},
"requestID": "4e6b66f9-d548-11e3-a8a9-73e33example",
"eventID": "5ab02562-0fc5-43d0-b7b6-90293example",
"readOnly": false,
"eventType": "AwsApiCall",
"apiVersion": "2020_05_31",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "cloudfront.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
```
### 示例:UpdateKeys
下面的示例显示了一个 CloudTrail 事件,该事件说明了 [UpdateKeys](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_UpdateKeys.html) 操作。
对于对 CloudFront KeyValueStore API 的调用,`eventSource` 是 `edgekeyvaluestore.amazonaws.com`,而不是 `cloudfront.amazonaws.com`。
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:role-session-name",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/role-session-name",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2023-11-01T23:41:14Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-11-01T23:41:28Z",
"eventSource": "edgekeyvaluestore.amazonaws.com",
"eventName": "UpdateKeys",
"awsRegion": "us-east-1",
"sourceIPAddress": "3.235.183.252",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,
"requestParameters": {
"kvsARN": "arn:aws:cloudfront::111122223333:key-value-store/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ifMatch": "KV3O6B1CX531EBP",
"deletes": [
{"key": "key1"}
]
},
"responseElements": {
"itemCount": 0,
"totalSizeInBytes": 0,
"eTag": "KVDC9VEVZ71ZGO"
},
"requestID": "5ccf104c-acce-4ea1-b7fc-73e33example",
"eventID": "a0b1b5c7-906c-439d-9925-90293example",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::CloudFront::KeyValueStore",
"ARN": "arn:aws:cloudfront::111122223333:key-value-store/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "111122223333.cloudfront-kvs.global.api.aws"
}
}
```
有关 CloudTrail 记录内容的信息,请参阅《AWS CloudTrail 用户指南》**中的 [CloudTrail 记录内容](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html)。