本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用 AWS CloudTrail 记录 AWS 资源探索器 API 调用
AWS 资源探索器 与 AWS CloudTrail 集成,后者是记录用户、角色或 AWS 服务 在资源管理器中所执行操作的服务。CloudTrail 将资源管理器的所有 API 调用作为事件捕获。捕获的调用包含来自资源管理器控制台和代码对资源管理器 API 操作的调用。
如果您创建*跟踪记录*,则可以使 CloudTrail 事件持续传送到 Amazon S3 存储桶(包括资源管理器的事件)。跟踪是一种配置,可用于将事件作为日志文件传送到您指定的 Amazon S3 桶。如果您不配置跟踪,则仍可在 CloudTrail 控制台中的 **Event history(事件历史记录)** 中查看最新事件。使用 CloudTrail 收集的信息,您可以确定向资源管理器发出了什么请求、发出请求的 IP 地址、请求方、请求时间以及其他详细信息。
要了解有关 CloudTrail 的更多信息,请参阅《[AWS CloudTrail 用户指南](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)》。
## CloudTrail 中的资源管理器信息
在您创建 AWS 账户 时,将在该账户上启用 CloudTrail。当资源管理器中发生活动时,该活动将记录在 CloudTrail 事件中,并与其他 AWS 服务 事件一起保存在**事件历史记录**中。您可以在 AWS 账户中查看、搜索和下载最新事件。有关更多信息,请参阅[使用 CloudTrail 事件历史记录查看事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)。
**重要**
您可以通过搜索**事件来源** = **resource-explorer-2.amazonaws.com** 来找到所有资源管理器事件
要持续记录 AWS 账户 中的事件(包括资源管理器的事件),请创建跟踪。通过*跟踪记录*,CloudTrail 可将日志文件传送至 Simple Storage Service(Amazon S3)存储桶。预设情况下,在控制台中创建跟踪记录时,此跟踪记录应用于所有AWS 区域。此跟踪记录在 AWS 分区中记录所有区域中的事件,并将日志文件传送至您指定的 Simple Storage Service(Amazon S3)桶。此外,您可以配置其他 AWS 服务,进一步分析在 CloudTrail 日志中收集的事件数据并采取行动。有关更多信息,请参阅 *AWS CloudTrail 用户指南* 中的以下主题:
+ [为您的 AWS 账户 创建跟踪](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS 服务与 CloudTrail Logs 的集成](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [为 CloudTrail 配置 Amazon SNS 通知](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [从多个区域接收 CloudTrail 日志文件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)
+ [从多个账户接收 CloudTrail 日志文件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
CloudTrail 记录所有资源管理器操作,[AWS 资源探索器 API 参考](https://docs.aws.amazon.com/resource-explorer/latest/apireference/)中介绍了这些操作。例如,对 `CreateIndex`、`DeleteIndex` 和 `UpdateIndex` 操作的调用会在 CloudTrail 日志文件中生成条目。
每个事件或日志条目都包含相应信息,可帮助您确定提出请求的人员。
+ AWS 账户 根凭证
+ 来自 AWS Identity and Access Management(IAM)角色或联合用户的临时安全凭证。
+ 来自 IAM 用户的长期安全凭证。
+ 另一项 AWS 服务。
**重要**
出于安全考虑,所有 `Tags`、`Filters` 和 `QueryString` 值均从 CloudTrail 跟踪条目中编辑。
有关更多信息,请参阅 [CloudTrail userIdentity 元素](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)。
## 了解资源管理器日志文件条目
跟踪是一种配置,可用于将事件作为日志文件传送到您指定的 Amazon S3 桶。CloudTrail 日志文件包含一个或多个日志条目。一个事件表示来自任何源的一个请求,包括有关所请求的操作、操作的日期和时间、请求参数等方面的信息。CloudTrail 日志文件不是公用 API 调用的有序堆栈跟踪,因此它们不会按任何特定顺序显示。
**Topics**
+ [CreateIndex](#ct-createindex)
+ [DeleteIndex](#ct-deleteindex)
+ [UpdateIndexType](#ct-updateindextype)
+ [搜索](#ct-search)
+ [CreateView](#ct-createview)
+ [DeleteView](#ct-deleteview)
+ [DisassociateDefaultView](#ct-disassociatedefaultview)
### CreateIndex
下面的示例显示了一个 CloudTrail 日志条目,该条目说明了 `CreateIndex` 操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-166EXAMPLE",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-166EXAMPLE",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-23T19:13:59Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "CreateIndex",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.create-index",
"requestParameters": {
"ClientToken": "792ee665-58af-423c-bfdb-d7c9aEXAMPLE"
},
"responseElements": {
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
"State": "CREATING",
"CreatedAt": "2022-08-23T19:13:59.775Z"
},
"requestID": "a193afe9-17ff-4f30-ae0a-73bb0EXAMPLE",
"eventID": "2ec50598-4de6-474d-bd0e-f5c00EXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### DeleteIndex
下面的示例显示了一个 CloudTrail 日志条目,该条目用于说明 `DeleteIndex` 操作。
**注意**
此操作还会异步删除该区域中的账户的所有视图,从而为每个删除的视图生成一个 `DeleteView` 事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:My-Role-Name",
"arn": "arn:aws:sts::123456789012:assumed-role/My-Admin-Role/My-Delegated-Role",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/My-Admin-Role",
"accountId": "123456789012",
"userName": "My-Admin-Role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T18:33:06Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-23T19:04:06Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "DeleteIndex",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.delete-index",
"requestParameters": {
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
},
"responseElements": {
"Access-Control-Expose-Headers": "x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date",
"State": "DELETING",
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
},
"requestID": "d7d80bd2-cd2d-47fb-88d6-5133aEXAMPLE",
"eventID": "675eab39-c514-4d32-989d-0ea98EXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### UpdateIndexType
以下示例显示了一个 CloudTrail 日志条目,该条目演示了将索引从类型 `LOCAL` 提升为 `AGGREGATOR` 的 `UpdateIndexType` 操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-23T19:21:18Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "UpdateIndexType",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.update-index-type",
"requestParameters": {
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
"Type": "AGGREGATOR"
},
"responseElements": {
"Type": "AGGREGATOR",
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
"LastUpdatedAt": "2022-08-23T19:21:17.924Z",
"State": "UPDATING"
},
"requestID": "a145309d-df14-4c2e-a9f6-8ed45EXAMPLE",
"eventID": "ed33ab96-f5c6-4a77-a69a-8585aEXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### 搜索
下面的示例显示了一个 CloudTrail 日志条目,该条目说明了 `Search` 操作。
**注意**
出于安全考虑,对 `Tag`、`Filters` 和 `QueryString` 参数的所有引用均在 CloudTrail 跟踪条目中编辑。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-03T16:50:11Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "Search",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.search",
"requestParameters": {
"QueryString": "***"
},
"responseElements": null,
"requestID": "22320db5-b194-446f-b9f4-e603bEXAMPLE",
"eventID": "addb3bca-0c41-46bf-a5e6-42299EXAMPLE",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### CreateView
下面的示例显示了一个 CloudTrail 日志条目,该条目说明了 `CreateView` 操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-01-20T21:54:48Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "CreateView",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.create-view",
"requestParameters": {
"ViewName": "CTTagsTest",
"Tags": "***"
},
"responseElements": {
"View": {
"Filters": "***",
"IncludedProperties": [],
"LastUpdatedAt": "2023-01-20T21:54:48.079Z",
"Owner": "123456789012",
"Scope": "arn:aws:iam::123456789012:root",
"ViewArn": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/CTTest/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
}
},
"requestID": "b22d8ced-4905-42c4-b1aa-ef713EXAMPLE",
"eventID": "f62e339f-1070-41a8-a6ec-12491EXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### DeleteView
下面的示例显示了一个 CloudTrail 日志条目,该条目演示了当 `DeleteView` 操作由于相同 AWS 区域 中的 `DeleteIndex` 操作而自动开始时可能发生的事件。
**注意**
如果已删除的视图是该区域的默认视图,则此操作还会异步取消该视图作为默认视图的关联。这将生成一个 `DisassociateDefaultView` 事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-09-16T19:33:27Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "DeleteView",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.delete-view",
"requestParameters": null,
"responseElements": null,
"eventID": "cd174d1e-0a24-4b47-8b67-d024aEXAMPLE",
"readOnly": false,
"resources": [{
"accountId": "334026708824",
"type": "AWS::ResourceExplorer2::View",
"ARN": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/CTTest/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
}],
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### DisassociateDefaultView
下面的示例显示了一个 CloudTrail 日志条目,该条目演示了当 `DisassociateDefaultView` 操作由于当前默认视图上的 `DeleteView` 操作而自动开始时可能发生的事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"accountId": "123456789012",
"invokedBy": "resource-explorer-2.amazonaws.com"
},
"eventTime": "2022-09-16T19:33:26Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "DisassociateDefaultView",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.disassociate-default-view",
"requestParameters": null,
"responseElements": null,
"eventID": "d8016cb1-5c23-4ea4-bda2-70b03EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```