使用 AWS CloudTrail 记录 IAM Identity Center SCIM API 调用
IAM Identity Center SCIM 与 AWS CloudTrail 集成,后者可提供用户、角色或 AWS 服务 采取的操作记录。CloudTrail 将 SCIM 的 API 调用作为事件捕获。使用 CloudTrail 收集的信息,您可以确定所请求操作的有关信息、操作的日期和时间、请求参数,等等。要了解有关 CloudTrail 的更多信息,请参阅《AWS CloudTrail User Guide》。
当 SCIM 中发生受支持的事件活动时,该活动将记录在 CloudTrail 事件中,并与其他 AWS 服务 事件一同保存在事件历史记录中。您可以在 AWS 账户 中查看、搜索和下载最新事件。来自 SCIM 的事件会将 eventSource 设置为 identitystore-scim.amazonaws.com。有关更多信息,请参阅 Working with CloudTrail Event history。
注意
在您创建 AWS 账户 时,将在该帐户上启用 CloudTrail。但您可能需要轮换访问令牌,才能查看来自 SCIM 的事件。
有关更多信息,请参阅 轮换访问令牌。
SCIM 支持将以下操作记录为 CloudTrail 中的事件:
示例
以下是 CloudTrail 事件的部分示例。
示例 1:成功调用 CreateUser 产生的事件。
{
"eventVersion": "1.10",
"userIdentity": {
"type": "WebIdentityUser",
"accountId": "123456789012",
"accessKeyId": "xxxx"
},
"eventTime": "xxxx",
"eventSource": "identitystore-scim.amazonaws.com",
"eventName": "CreateUser",
"awsRegion": "us-east-1",
"sourceIPAddress": "xx.xxx.xxx.xxx",
"userAgent": "Go-http-client/2.0",
"requestParameters": {
"httpBody": {
"displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
"name": {
"familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
"givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"active": true,
"userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"tenantId": "xxxx"
},
"responseElements": {
"displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
"name": {
"familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
"givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"active": true,
"userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"requestID": "xxxx",
"eventID": "xxxx",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
}
}示例 2:由于缺少路径会导致 Missing path in PATCH request 错误消息的 PatchGroup 中的事件。
{
"eventVersion": "1.10",
"userIdentity": {
"type": "WebIdentityUser",
"accountId": "123456789012",
"accessKeyId": "xxxx"
},
"eventTime": "xxxx",
"eventSource": "identitystore-scim.amazonaws.com",
"eventName": "PatchGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "xxx.xxx.xxx.xxx",
"userAgent": "Go-http-client/2.0",
"errorCode": "ValidationException",
"errorMessage": "Missing path in PATCH request",
"requestParameters": {
"httpBody": {
"operations": [
{
"op": "REMOVE",
"value": "HIDDEN_DUE_TO_SECURITY_REASONS"
}
],
"schemas": [
"HIDDEN_DUE_TO_SECURITY_REASONS"
]
},
"tenantId": "xxxx",
"id": "xxxx"
},
"responseElements": null,
"requestID": "xxxx",
"eventID": "xxxx",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
}
}
示例 3:由于存在正在尝试创建的组的名称,会导致 Duplicate GroupDisplayName 错误消息的 CreateGroup 调用中的事件。
{
"eventVersion": "1.10",
"userIdentity": {
"type": "WebIdentityUser",
"accountId": "123456789012",
"accessKeyId": "xxxx"
},
"eventTime": "xxxx",
"eventSource": "identitystore-scim.amazonaws.com",
"eventName": "CreateGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "xxx.xxx.xxx.xxx",
"userAgent": "Go-http-client/2.0",
"errorCode": "ConflictException",
"errorMessage": "Duplicate GroupDisplayName",
"requestParameters": {
"httpBody": {
"displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"tenantId": "xxxx"
},
"responseElements": null,
"requestID": "xxxx",
"eventID": "xxxx",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
}
}
示例 4:会导致 List attribute emails exceeds allowed limit of 1 error 错误消息的 PatchUser 调用中的事件。用户只能有一个电子邮件地址。
{ "eventVersion": "1.10", "userIdentity": { "type": "WebIdentityUser", "accountId": "123456789012", "accessKeyId": "xxxx" }, "eventTime": "xxxx", "eventSource": "identitystore-scim.amazonaws.com", "eventName": "PatchUser", "awsRegion": "us-east-1", "sourceIPAddress": "xxx.xxx.xxx.xxx", "userAgent": "Go-http-client/2.0", "errorCode": "ValidationException", "errorMessage": "List attribute emails exceeds allowed limit of 1", "requestParameters": { "httpBody": { "operations": [ { "op": "REPLACE", "path": "emails", "value": "HIDDEN_DUE_TO_SECURITY_REASONS" } ], "schemas": [ "HIDDEN_DUE_TO_SECURITY_REASONS" ] }, "tenantId": "xxxx", "id": "xxxx" }, "responseElements": null, "requestID": "xxxx", "eventID": "xxxx", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com" } }
常见错误消息
以下是可能在 IAM Identity Center SCIM API 调用的 CloudTrail 事件中收到的常见验证错误消息:
-
List attribute email exceeds allowed limit of 1 -
List attribute addresses allowed limit of 1 -
1 validation errors detected: Value at '*name.familyName*' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+ -
2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+ -
2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+", -
Invalid JSON from RequestBody -
Invalid Filter format
有关 IAM Identity Center SCIM 预置错误问题排查的更多信息,请参阅 AWS re:Post 文章
