

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original takes precedence.

# Logging AWS AppSync API calls using AWS CloudTrail
<a name="cloudtrail-logging"></a>

AWS AppSync is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS AppSync. CloudTrail captures all API calls for AWS AppSync as events. The calls captured include calls from the AWS AppSync console and code calls to the AWS AppSync API operations. Using the information collected by CloudTrail, you can determine the request that was made to AWS AppSync, the IP address from which the request was made, when it was made, and additional details.

You can create a *trail* to enable continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket, including events for AWS AppSync. If you don't configure a trail, you can still view the most recent events in the CloudTrail console.

For more information about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

## AWS AppSync information in CloudTrail
<a name="aws-appsync-information-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. In the CloudTrail console, under **Event history**, you can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*.

For an ongoing record of events in your AWS account, including events for AWS AppSync, create a trail. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following in the *AWS CloudTrail User Guide*:
+ [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS service integrations with CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)
+ [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

CloudTrail logs all AWS AppSync API operations. For example, calls to the `CreateGraphqlApi`, `CreateDataSource`, and `ListResolvers` APIs generate entries in the CloudTrail log files. These and other operations are described in the [AWS AppSync API Reference](https://docs.aws.amazon.com/appsync/latest/APIReference/Welcome.html).

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide*.

## AWS AppSync data events in CloudTrail
<a name="cloudtrail-data-events"></a>

[Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) provide information about the resource operations performed on or in a resource (for example, reading or writing an Amazon S3 object). These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn't log data events. The CloudTrail **Event history** doesn't record data events.

Additional charges apply for logging data events. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

You can log data events for the `AWS::AppSync::GraphQLApi` resource type by using the CloudTrail console, the AWS CLI, or CloudTrail API operations. (These data events include query, mutation, and subscription operations, and connect operations to your real-time WebSocket endpoint, but not the messages sent through the real-time WebSocket endpoint.) For more information about how to log data events, see [Logging data events with the AWS Management Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console) and [Logging data events with the AWS Command Line Interface](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI) in the *AWS CloudTrail User Guide*.

The following table lists the AWS AppSync resource types for which you can log data events. The **Data event type (console)** column shows the value to choose from the **Data event type** list on the CloudTrail console. The **resources.type value** column shows the `resources.type` value, which you specify when configuring advanced event selectors using the AWS CLI or CloudTrail APIs. The **Data APIs logged to CloudTrail** column shows the API calls logged to CloudTrail for the resource type.


| Data event type (console) | resources.type value | Data APIs logged to CloudTrail |
| --- | --- | --- |
| AppSync GraphQL | AWS::AppSync::GraphQLApi | [https://docs.aws.amazon.com/appsync/latest/APIReference/API_GraphqlApi.html](https://docs.aws.amazon.com/appsync/latest/APIReference/API_GraphqlApi.html) |

You can configure advanced event selectors to filter on the `eventName`, `readOnly`, and `resources.ARN` fields to log only those events that are important to you. For more information about these fields, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *AWS CloudTrail API Reference*.

```
[
  {
    "name": "Only 1 AppSync API",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::AppSync::GraphQLApi"
        ]
      },
      {
        "field": "resources.ARN",
        "equals": [
          "arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId"
        ]
      }
    ]
  }
]
```
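As an added example (not part of the AWS documentation), the following Python reproduces the matching semantics of the selector above locally, so you can check which AppSync records a selector would keep before calling `PutEventSelectors`. The sample record is constructed; treating the `not*` operators as excluding every listed value is an assumption about CloudTrail's behaviour, not something the page states.

```python
# The selector from this page, as a Python dict.
ONLY_ONE_API = {
    "name": "Only 1 AppSync API",
    "fieldSelectors": [
        {"field": "eventCategory", "equals": ["Data"]},
        {"field": "resources.type", "equals": ["AWS::AppSync::GraphQLApi"]},
        {"field": "resources.ARN",
         "equals": ["arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId"]},
    ],
}

# Constructed, abridged data event record shaped like the GraphQL examples on this page.
SAMPLE_RECORD = {
    "eventCategory": "Data",
    "eventName": "GraphQL",
    "readOnly": False,
    "resources": [{"type": "AWS::AppSync::GraphQLApi",
                   "ARN": "arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId"}],
}

# Operators defined by the AdvancedFieldSelector API.
_OPS = {
    "equals": lambda v, p: v == p,
    "notEquals": lambda v, p: v != p,
    "startsWith": lambda v, p: v.startswith(p),
    "endsWith": lambda v, p: v.endswith(p),
    "notStartsWith": lambda v, p: not v.startswith(p),
    "notEndsWith": lambda v, p: not v.endswith(p),
}

def field_values(record: dict, field: str) -> list:
    """Return a record's values for a selector field as strings (resources.* are lists)."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]
        return [str(r[key]) for r in record.get("resources", []) if key in r]
    value = record.get(field)
    if isinstance(value, bool):  # readOnly is compared as "true"/"false"
        return [str(value).lower()]
    return [] if value is None else [str(value)]

def matches(selector: dict, record: dict) -> bool:
    """True if every fieldSelector accepts the record. Positive operators pass when any
    value matches any pattern; not* operators (assumption) must exclude every pattern."""
    for fs in selector["fieldSelectors"]:
        values = field_values(record, fs["field"])
        for op, patterns in ((k, v) for k, v in fs.items() if k != "field"):
            hits = (_OPS[op](v, p) for v in values for p in patterns)
            if not (all(hits) if op.startswith("not") else any(hits)):
                return False
    return True
```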

## Understanding AWS AppSync log file entries
<a name="understanding-your-service-name-entries"></a>

CloudTrail delivers events as log files that contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. Because these log files aren't an ordered stack trace of the public API calls, they don't appear in any specific order.

**Note**  
For logs emitted from AWS AppSync, the `requestID` is not an authoritative unique ID. The `requestID` can be overridden by the client, so use caution when making decisions based on this information.

The following example CloudTrail log entry demonstrates the `CreateApiKey` operation.

```
{
  "Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "A1B2C3D4E5F6G7EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/Alice",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "diego_ramirez"
    },
    "eventTime": "2018-01-31T21:49:09Z",
    "eventSource": "appsync.amazonaws.com",
    "eventName": "CreateApiKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.2.0.1",
    "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
    "requestParameters": {
      "apiId": "a1b2c3d4e5f6g7h8i9jexample"
    },
    "responseElements": {
      "apiKey": {
      "id": "***",
      "expires": 1518037200000
      }
    },
    "requestID": "99999999-9999-9999-9999-999999999999",
    "eventID": "99999999-9999-9999-9999-999999999999",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
    }
  ]
}
```

The following example CloudTrail log entry demonstrates the `ListApiKeys` operation.

```
{
  "Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "A1B2C3D4E5F6G7EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/diego_ramirez",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "diego_ramirez"
    },
    "eventTime": "2018-01-31T21:49:09Z",
    "eventSource": "appsync.amazonaws.com",
    "eventName": "ListApiKeys",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.2.0.1",
    "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
    "requestParameters": {
      "apiId": "a1b2c3d4e5f6g7h8i9jexample"
    },
    "responseElements": {
      "apiKeys": [
              {
                    "id": "***",
                    "expires": 1517954400000
              },
              {
                    "id": "***",
                    "expires": 1518037200000
              }
            ]
    },
    "requestID": "99999999-9999-9999-9999-999999999999",
    "eventID": "99999999-9999-9999-9999-999999999999",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
    }
  ]
}
```

The following example CloudTrail log entry demonstrates the `DeleteApiKey` operation.

```
{
  "Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "A1B2C3D4E5F6G7EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/diego_ramirez",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "diego_ramirez"
    },
    "eventTime": "2018-01-31T21:49:09Z",
    "eventSource": "appsync.amazonaws.com",
    "eventName": "DeleteApiKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.2.0.1",
    "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
    "requestParameters": {
      "id": "***",
      "apiId": "a1b2c3d4e5f6g7h8i9jexample"
    },
    "responseElements": null,
    "requestID": "99999999-9999-9999-9999-999999999999",
    "eventID": "99999999-9999-9999-9999-999999999999",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
    }
  ]
}
```

The following example CloudTrail log entry demonstrates a GraphQL mutation that was successfully authorized by a custom Lambda function authorizer.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T15:42:30Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyMutation",
    "authType": [
      "AWS_LAMBDA"
    ],
    "fieldAuthorizationResults": {
      "deniedFields": []
    }
  },
  "requestID": "c2d3768b-3446-40a1-bd95-8399fe776f96",
  "eventID": "21568be1-a1a8-4f43-b978-63cb4cc02a96",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```

The following example CloudTrail log entry demonstrates a partially successful GraphQL operation authorized by a custom Lambda function authorizer. Note the `fieldAuthorizationResults.deniedFields` attribute, which lists the denied fields.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T16:11:49Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyMutation",
    "authType": [
      "AWS_LAMBDA"
    ],
    "fieldAuthorizationResults": {
      "deniedFields": [
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Mutation/fields/createPost",
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Subscription/fields/onCreatePost",
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Post/fields/status"
      ]
    }
  },
  "requestID": "ae817c4c-66ba-4f64-92a5-ba9c9c341dcd",
  "eventID": "30109698-7605-476a-9dff-b7ed78d134dc",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```

The following example CloudTrail log entry demonstrates a failed GraphQL operation.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T15:51:11Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "errorCode": "AccessDenied",
  "errorMessage": "{\n \"errors\" : [ {\n \"errorType\" : \"UnauthorizedException\",\n \"message\" : \"You are not authorized to make this call.\"\n } ]\n}",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyFullyDeniedLambdaMutation"
  },
  "requestID": "0bef3cf3-a48b-4de9-8b1f-038afb563516",
  "eventID": "b738651f-4ec0-4548-8fec-200c6b42842b",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```
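As an added example (not part of the AWS documentation), the following Python triages AppSync GraphQL data events of the three shapes shown above: fully denied calls (`errorCode` of `AccessDenied`), partially authorized calls (non-empty `fieldAuthorizationResults.deniedFields`), and allowed calls. Findings are keyed by `eventID` because, per the note above, `requestID` can be set by the client. The records are constructed and abridged from the page's examples.

```python
import json
from collections import Counter

API_ARN = "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"

# Constructed, abridged records modelled on the GraphQL data events on this page.
# requestID is deliberately identical on all three: clients may set it, so it is not a key.
LOG_FILE = json.dumps({"Records": [
    {"eventID": "evt-1", "requestID": "client-chosen-id", "eventName": "GraphQL",
     "sourceIPAddress": "15.248.1.214", "resources": [{"ARN": API_ARN}],
     "additionalEventData": {"operationName": "MyMutation", "authType": ["AWS_LAMBDA"],
                             "fieldAuthorizationResults": {"deniedFields": []}}},
    {"eventID": "evt-2", "requestID": "client-chosen-id", "eventName": "GraphQL",
     "sourceIPAddress": "15.248.1.214", "resources": [{"ARN": API_ARN}],
     "additionalEventData": {"operationName": "MyMutation", "authType": ["AWS_LAMBDA"],
                             "fieldAuthorizationResults": {"deniedFields": [
                                 API_ARN + "/types/Mutation/fields/createPost",
                                 API_ARN + "/types/Post/fields/status"]}}},
    {"eventID": "evt-3", "requestID": "client-chosen-id", "eventName": "GraphQL",
     "sourceIPAddress": "15.248.1.214", "resources": [{"ARN": API_ARN}],
     "errorCode": "AccessDenied",
     "additionalEventData": {"operationName": "MyFullyDeniedLambdaMutation"}},
]})

def triage(log_file_text: str) -> dict:
    """Classify AppSync GraphQL data events, keyed by the CloudTrail eventID."""
    findings = {}
    for rec in json.loads(log_file_text)["Records"]:
        if rec.get("eventName") != "GraphQL":
            continue  # management events (CreateApiKey, ...) are out of scope here
        extra = rec.get("additionalEventData") or {}
        denied = (extra.get("fieldAuthorizationResults") or {}).get("deniedFields", [])
        if rec.get("errorCode") == "AccessDenied":
            verdict = "fully_denied"       # whole operation rejected by the authorizer
        elif denied:
            verdict = "partially_denied"   # some fields were withheld from the response
        else:
            verdict = "allowed"
        findings[rec["eventID"]] = {
            "verdict": verdict,
            "operation": extra.get("operationName"),
            "source_ip": rec.get("sourceIPAddress"),
            # denied field ARNs end in /types/<Type>/fields/<field>
            "denied_fields": [d.rsplit("/types/", 1)[1] for d in denied],
        }
    return findings

def denied_per_source(findings: dict) -> dict:
    """Count fully or partially denied calls per source IP, a cheap anomaly signal."""
    return dict(Counter(f["source_ip"] for f in findings.values() if f["verdict"] != "allowed"))
```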

The following example demonstrates a successful GraphQL request.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE:jane_doe",
    "arn": "arn:aws:sts::123456789012:assumed-role/admin/jane_doe",
    "accountId": "123456789012",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/admin",
        "accountId": "123456789012",
        "userName": "jane_doe"
      },
      "attributes": {
        "creationDate": "2024-11-06T15:40:09Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-11-06T16:03:43Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "IamFullSuccess",
    "authType": [
      "AWS_IAM"
    ],
    "fieldAuthorizationResults": {
      "allowedFields": [
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Mutation/fields/createSecondPostAllowed"
      ],
      "deniedFields": []
    }
  },
  "requestID": "edc6bbbf-6bf2-40f5-820f-ef444f12e0c1",
  "eventID": "524656a5-0925-4370-9e7e-08888e9c299f",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```