

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Logging AWS AppSync API calls with AWS CloudTrail
<a name="cloudtrail-logging"></a>

AWS AppSync is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in AWS AppSync. CloudTrail captures all API calls for AWS AppSync as events. The calls captured include calls from the AWS AppSync console and code calls to the AWS AppSync API operations. Using the information collected by CloudTrail, you can determine the request that was made to AWS AppSync, the IP address from which the request was made, who made the request, when it was made, and additional details.

You can create a *trail* to enable continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket, including events for AWS AppSync. If you don't configure a trail, you can still view the most recent events in the CloudTrail console.

For more information about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

## AWS AppSync information in CloudTrail
<a name="aws-appsync-information-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. In the CloudTrail console, under **Event history**, you can view, search, and download the recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*.

For an ongoing record of events in your AWS account, including events for AWS AppSync, create a trail. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following topics in the *AWS CloudTrail User Guide*:
+ [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS service integrations with CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)
+ [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

CloudTrail logs all AWS AppSync API operations. For example, calls to the `CreateGraphqlApi`, `CreateDataSource`, and `ListResolvers` API operations generate entries in the CloudTrail log files. These and other operations are documented in the [AWS AppSync API Reference](https://docs.aws.amazon.com/appsync/latest/APIReference/Welcome.html).

Every event or log entry contains information about who generated the request. The identity information helps you determine:
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or a federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide*.

## AWS AppSync data events in CloudTrail
<a name="cloudtrail-data-events"></a>

[Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) provide information about the resource operations performed on or in a resource (for example, reading or writing an Amazon S3 object). These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn't log data events. The CloudTrail **Event history** doesn't record data events.

Additional charges apply for data events. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

You can use the CloudTrail console, the AWS CLI, or CloudTrail API operations to log data events for the `AWS::AppSync::GraphQLApi` resource type (query, mutation, and subscription operations, including connecting an operation to your real-time WebSocket endpoint, but not the messages sent over your real-time WebSocket endpoint). For more information about how to log data events, see [Logging data events with the AWS Management Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console) and [Logging data events with the AWS Command Line Interface](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI) in the *AWS CloudTrail User Guide*.

The following table lists the AWS AppSync resource types for which you can log data events. The **Data event type (console)** column shows the value to choose from the **Data event type** list in the CloudTrail console. The **resources.type value** column shows the `resources.type` value, which you specify when configuring advanced event selectors using the AWS CLI or CloudTrail APIs. The **Data APIs logged to CloudTrail** column shows the API calls logged to CloudTrail for the resource type.


| Data event type (console) | resources.type value | Data APIs logged to CloudTrail | 
| --- | --- | --- | 
| AppSync GraphQL | AWS::AppSync::GraphQLApi | [GraphQL](https://docs.aws.amazon.com/appsync/latest/APIReference/API_GraphqlApi.html) | 

You can configure advanced event selectors to filter on the `eventName`, `readOnly`, and `resources.ARN` fields to log only those events that are important to you. For more information about these fields, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *AWS CloudTrail API Reference*.

```
[
  {
    "name": "Only 1 AppSync API",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::AppSync::GraphQLApi"
        ]
      },
      {
        "field": "resources.ARN",
        "equals": [
          "arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId"
        ]
      }
    ]
  }
]
```
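To check a selector like the one above against sample records before it is applied to a trail, here is an added Python evaluator (not from the AWS documentation) that approximates how CloudTrail applies advanced event selectors. The function names and sample records are assumptions, and the matching semantics are simplified: every field selector in a selector must match, and a field selector matches when some value of its field satisfies every operator it lists.

```python
# Added example, not AWS code: a local approximation of how CloudTrail applies
# advanced event selectors, for checking a selector before put-event-selectors.
API_ARN = "arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId"

SELECTORS = [{
    "name": "Only 1 AppSync API",
    "fieldSelectors": [
        {"field": "eventCategory", "equals": ["Data"]},
        {"field": "resources.type", "equals": ["AWS::AppSync::GraphQLApi"]},
        {"field": "resources.ARN", "equals": [API_ARN]},
    ],
}]

# The six operators AdvancedFieldSelector supports; each takes one record value
# and the selector's list of candidate strings.
_OPS = {
    "equals": lambda v, xs: v in xs,
    "notEquals": lambda v, xs: v not in xs,
    "startsWith": lambda v, xs: any(v.startswith(x) for x in xs),
    "notStartsWith": lambda v, xs: not any(v.startswith(x) for x in xs),
    "endsWith": lambda v, xs: any(v.endswith(x) for x in xs),
    "notEndsWith": lambda v, xs: not any(v.endswith(x) for x in xs),
}

def field_values(record, field):
    """Values a selector field refers to; resources.* fields may yield several."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]
        return [r.get(key) for r in record.get("resources", [])]
    return [record.get(field)]

def field_selector_matches(record, fs):
    """Simplified: some value of the field satisfies every operator listed."""
    ops = [(op, fs[op]) for op in _OPS if op in fs]
    values = [v for v in field_values(record, fs["field"]) if isinstance(v, str)]
    return any(all(_OPS[op](v, xs) for op, xs in ops) for v in values)

def record_is_logged(record, selectors=SELECTORS):
    """True if at least one selector matches all of its field selectors."""
    return any(all(field_selector_matches(record, fs) for fs in s["fieldSelectors"])
               for s in selectors)

# Constructed sample records, trimmed to the fields the selector reads.
DATA_EVENT = {"eventCategory": "Data", "eventName": "GraphQL",
              "resources": [{"type": "AWS::AppSync::GraphQLApi", "ARN": API_ARN}]}
OTHER_API_EVENT = {"eventCategory": "Data", "eventName": "GraphQL",
                   "resources": [{"type": "AWS::AppSync::GraphQLApi",
                                  "ARN": API_ARN.rsplit("/", 1)[0] + "/anotherApiId"}]}
MGMT_EVENT = {"eventCategory": "Management", "eventName": "CreateApiKey"}
```

Only the first sample is logged by the selector above; the management event fails the `eventCategory` check and the second API fails the `resources.ARN` check.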

## Understanding AWS AppSync log file entries
<a name="understanding-your-service-name-entries"></a>

CloudTrail delivers events as log files that contain one or more log entries. An event represents a single request from any source and includes information about the requested operation, the date and time of the operation, request parameters, and so on. Because these log files aren't an ordered stack trace of the public API calls, they don't appear in any specific order.

**Note**  
For logs emitted from AWS AppSync, the `requestID` is not an authoritative unique ID. The `requestID` can be overridden by the client. Therefore, use caution when making decisions based on this information.

The following example CloudTrail log entry demonstrates the `CreateApiKey` operation.

```
{
  "Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "A1B2C3D4E5F6G7EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/Alice",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "diego_ramirez"
    },
    "eventTime": "2018-01-31T21:49:09Z",
    "eventSource": "appsync.amazonaws.com",
    "eventName": "CreateApiKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.2.0.1",
    "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
    "requestParameters": {
      "apiId": "a1b2c3d4e5f6g7h8i9jexample"
    },
    "responseElements": {
      "apiKey": {
        "id": "***",
        "expires": 1518037200000
      }
    },
    "requestID": "99999999-9999-9999-9999-999999999999",
    "eventID": "99999999-9999-9999-9999-999999999999",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
    }
  ]
}
```

The following example CloudTrail log entry demonstrates the `ListApiKeys` operation.

```
{
  "Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "A1B2C3D4E5F6G7EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/diego_ramirez",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "diego_ramirez"
    },
    "eventTime": "2018-01-31T21:49:09Z",
    "eventSource": "appsync.amazonaws.com",
    "eventName": "ListApiKeys",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.2.0.1",
    "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
    "requestParameters": {
      "apiId": "a1b2c3d4e5f6g7h8i9jexample"
    },
    "responseElements": {
      "apiKeys": [
        {
          "id": "***",
          "expires": 1517954400000
        },
        {
          "id": "***",
          "expires": 1518037200000
        }
      ]
    },
    "requestID": "99999999-9999-9999-9999-999999999999",
    "eventID": "99999999-9999-9999-9999-999999999999",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
    }
  ]
}
```

The following example CloudTrail log entry demonstrates the `DeleteApiKey` operation.

```
{
  "Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "A1B2C3D4E5F6G7EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/diego_ramirez",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "diego_ramirez"
    },
    "eventTime": "2018-01-31T21:49:09Z",
    "eventSource": "appsync.amazonaws.com",
    "eventName": "DeleteApiKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.2.0.1",
    "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
    "requestParameters": {
      "id": "***",
      "apiId": "a1b2c3d4e5f6g7h8i9jexample"
    },
    "responseElements": null,
    "requestID": "99999999-9999-9999-9999-999999999999",
    "eventID": "99999999-9999-9999-9999-999999999999",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
    }
  ]
}
```

The following example CloudTrail log entry demonstrates a successful GraphQL mutation authorized with a custom Lambda function authorizer.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T15:42:30Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyMutation",
    "authType": [
      "AWS_LAMBDA"
    ],
    "fieldAuthorizationResults": {
      "deniedFields": []
    }
  },
  "requestID": "c2d3768b-3446-40a1-bd95-8399fe776f96",
  "eventID": "21568be1-a1a8-4f43-b978-63cb4cc02a96",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```

The following example CloudTrail log entry demonstrates a partially successful GraphQL operation authorized with a custom Lambda function authorizer. Note the `fieldAuthorizationResults.deniedFields` attribute, which lists the denied fields.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T16:11:49Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyMutation",
    "authType": [
      "AWS_LAMBDA"
    ],
    "fieldAuthorizationResults": {
      "deniedFields": [
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Mutation/fields/createPost",
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Subscription/fields/onCreatePost",
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Post/fields/status"
      ]
    }
  },
  "requestID": "ae817c4c-66ba-4f64-92a5-ba9c9c341dcd",
  "eventID": "30109698-7605-476a-9dff-b7ed78d134dc",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```

The following example CloudTrail log entry demonstrates a failed GraphQL operation.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T15:51:11Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "errorCode": "AccessDenied",
  "errorMessage": "{\n \"errors\" : [ {\n \"errorType\" : \"UnauthorizedException\",\n \"message\" : \"You are not authorized to make this call.\"\n } ]\n}",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyFullyDeniedLambdaMutation"
  },
  "requestID": "0bef3cf3-a48b-4de9-8b1f-038afb563516",
  "eventID": "b738651f-4ec0-4548-8fec-200c6b42842b",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```

The following example demonstrates a successful GraphQL request.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE:jane_doe",
    "arn": "arn:aws:sts::123456789012:assumed-role/admin/jane_doe",
    "accountId": "123456789012",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/admin",
        "accountId": "123456789012",
        "userName": "jane_doe"
      },
      "attributes": {
        "creationDate": "2024-11-06T15:40:09Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-11-06T16:03:43Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "IamFullSuccess",
    "authType": [
      "AWS_IAM"
    ],
    "fieldAuthorizationResults": {
      "allowedFields": [
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Mutation/fields/createSecondPostAllowed"
      ],
      "deniedFields": []
    }
  },
  "requestID": "edc6bbbf-6bf2-40f5-820f-ef444f12e0c1",
  "eventID": "524656a5-0925-4370-9e7e-08888e9c299f",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```
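As an added example (not from the AWS documentation), the following Python helpers triage entries like the ones above: they accept either record shape shown on this page (a `{"Records": [...]}` file or a single bare record), key on `eventID` rather than the client-overridable `requestID`, and flag API key lifecycle calls, `AccessDenied` errors, non-empty `deniedFields`, and a `userIdentity.type` of `Unknown`. The function names and the sample log are assumptions constructed for this example.

```python
# Added example, not AWS code: review flags for AppSync CloudTrail entries.
import json

API_KEY_OPS = {"CreateApiKey", "UpdateApiKey", "DeleteApiKey"}

def load_records(text):
    """Accept a log file ({"Records": [...]}) or one bare record, as shown above."""
    doc = json.loads(text)
    return doc["Records"] if "Records" in doc else [doc]

def findings(rec):
    """Return the review flags for one record (empty list = nothing notable)."""
    extra = rec.get("additionalEventData") or {}
    denied = (extra.get("fieldAuthorizationResults") or {}).get("deniedFields", [])
    flags = []
    if rec["eventName"] in API_KEY_OPS:
        flags.append("api-key-lifecycle")                 # key created/updated/deleted
    if rec.get("errorCode") == "AccessDenied":
        flags.append("request-denied")                    # whole operation refused
    if denied:
        flags.append("partial-denial:%d" % len(denied))   # some fields refused
    if rec["userIdentity"].get("type") == "Unknown":
        flags.append("identity-unknown")                  # no IAM principal recorded
    return flags

def triage(text):
    """Map eventID -> flags; eventID, not requestID, is the deduplication key."""
    result = {}
    for rec in load_records(text):
        result.setdefault(rec["eventID"], findings(rec))
    return result

# Constructed sample log, trimmed to the fields used here; the last record is a
# duplicate delivery of the one before it and must collapse into one entry.
SAMPLE = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "CreateApiKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/diego_ramirez"}},
    {"eventID": "e2", "eventName": "GraphQL", "userIdentity": {"type": "Unknown"},
     "additionalEventData": {"operationName": "MyMutation", "authType": ["AWS_LAMBDA"],
        "fieldAuthorizationResults": {"deniedFields": [
            "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Post/fields/status"]}}},
    {"eventID": "e3", "eventName": "GraphQL", "userIdentity": {"type": "Unknown"},
     "errorCode": "AccessDenied", "additionalEventData": {"operationName": "MyFullyDeniedLambdaMutation"}},
    {"eventID": "e3", "eventName": "GraphQL", "userIdentity": {"type": "Unknown"},
     "errorCode": "AccessDenied", "additionalEventData": {"operationName": "MyFullyDeniedLambdaMutation"}},
]})
```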