本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
CloudTrail 日誌檔案範例
CloudTrail 會監控您帳戶的事件。如果您建立追蹤,其會將這些事件做為日誌檔案交付至您的 Amazon S3 儲存貯體。如果您在 CloudTrail Lake 中建立事件資料存放區,事件會記錄到您的事件資料存放區。事件資料存放區不會使用 S3 儲存貯體。
CloudTrail 日誌檔案名稱格式
CloudTrail 針對交付至 Amazon S3 儲存貯體的日誌檔案物件, 會使用下列檔案名稱格式:
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
-
YYYY、MM、DD、HH和mm是交付日誌檔案之年、月、日、時和分的數字。小時為 24 小時格式。Z表示時間位於 中UTC。注意
在特定時間交付的日誌檔案,會包含該時間之前的任何時間點所寫入之記錄。
-
日誌檔案名稱的 16 字元
UniqueString元件是為了避免覆寫檔案。它沒有任何意義,所以日誌處理軟體應會忽略它。 -
FileNameFormat是檔案的編碼。目前,這是json.gz,這是壓縮 gzip 格式JSON的文字檔案。
CloudTrail 日誌檔案名稱範例
111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz
日誌檔案範例
日誌檔案包含一或多筆記錄。下列範例是日誌的程式碼片段,可顯示開始建立日誌檔案之動作的記錄。
如需 CloudTrail 事件記錄欄位的資訊,請參閱 CloudTrail 記錄內容。
Amazon EC2日誌範例
Amazon Elastic Compute Cloud (Amazon EC2) 在 中提供可調整大小的運算容量 AWS 雲端。您可以啟動虛擬伺服器、設定安全和聯網功能,以及管理儲存。Amazon EC2也可以快速擴展或縮減規模,以處理需求的變化或熱門度激增,從而減少預測伺服器流量的需求。如需詳細資訊,請參閱 Amazon EC2使用者指南。
下列範例顯示名為 Mateo IAM的使用者執行 aws ec2 start-instances命令來呼叫執行個體 i-EXAMPLE56126103cb和 的 Amazon EC2StartInstances動作i-EXAMPLEaff4840c22。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::123456789012:user/Mateo", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mateo", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:17:28Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.start-instances", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb" }, { "instanceId": "i-EXAMPLEaff4840c22" } ] } }, "responseElements": { "requestId": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16", "instancesSet": { "items": [ { "instanceId": "i-EXAMPLEaff4840c22", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } }, { "instanceId": "i-EXAMPLE56126103cb", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } } ] } }, "requestID": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16", "eventID": "e755e09c-42f9-4c5c-9064-EXAMPLE228c7", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下列範例顯示名為 Nikki IAM的使用者執行 aws ec2 stop-instances命令來呼叫 Amazon EC2StopInstances動作以停止兩個執行個體。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::777788889999:user/Nikki", "accountId": "777788889999", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "Nikki", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:14:20Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.stop-instances", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb" }, { "instanceId": "i-EXAMPLEaff4840c22" } ] }, "force": false }, "responseElements": { "requestId": "c308a950-e43e-444e-afc1-EXAMPLE73e49", "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } }, { "instanceId": "i-EXAMPLEaff4840c22", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } } ] } }, "requestID": "c308a950-e43e-444e-afc1-EXAMPLE73e49", "eventID": "9357a8cc-a0eb-46a1-b67e-EXAMPLE19b14", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777788889999", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下列範例顯示名為 Arnav IAM的使用者執行 aws ec2 create-key-pair命令來呼叫 CreateKeyPair動作。請注意, responseElements包含金鑰對的雜湊,且已 AWS 移除金鑰材料。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::444455556666:user/Arnav", "accountId": "444455556666", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "Arnav", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:19:22Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.create-key-pair", "requestParameters": { "keyName": "my-key", "keyType": "rsa", "keyFormat": "pem" }, "responseElements": { "requestId": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196", "keyName": "my-key", "keyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "keyPairId": "key-abcd12345eEXAMPLE", "keyMaterial": "<sensitiveDataRemoved>" }, "requestID": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196", "eventID": "2ae450ff-e72b-4de1-87b0-EXAMPLE5227cb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "444455556666", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
IAM 日誌範例
AWS Identity and Access Management (IAM) 是一種 Web 服務,可協助您安全地控制對 資源的 AWS 存取。透過 IAM,您可以集中管理許可,以控制使用者可以存取哪些 AWS 資源。您可以使用 IAM 來控制 (已登入) 的身分驗證和授權使用資源的 (許可)。如需詳細資訊,請參閱《IAM 使用者指南》https://docs.aws.amazon.com/IAM/latest/UserGuide/。
下列範例顯示名為 Mary IAM的使用者執行 aws iam create-user命令來呼叫 CreateUser動作,以建立新的名為 的使用者Richard。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE", "arn": "arn:aws:iam::888888888888:user/Mary", "accountId": "888888888888", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mary", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:25:09Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user", "requestParameters": { "userName": "Richard" }, "responseElements": { "user": { "path": "/", "arn": "arn:aws:iam::888888888888:user/Richard", "userId": "AIDA6ON6E4XEP7EXAMPLE", "createDate": "Jul 19, 2023 9:25:09 PM", "userName": "Richard" } }, "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc", "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "888888888888", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下列範例顯示名為 Paulo IAM的使用者執行 aws iam add-user-to-group命令來呼叫 AddUserToGroup動作,將名為 Jane 的使用者新增至 Admin群組。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::555555555555:user/Paulo", "accountId": "555555555555", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Paulo", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:25:09Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.add-user-to-group", "requestParameters": { "groupName": "Admin", "userName": "Jane" }, "responseElements": null, "requestID": "ecd94349-b36f-44bf-b6f5-EXAMPLE9c463", "eventID": "2939ba50-1d26-4a5a-83bd-EXAMPLE85850", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555555555555", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下列範例顯示名為 Saanvi IAM的使用者執行 aws iam create-role命令,以呼叫 CreateRole動作來建立角色。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE", "arn": "arn:aws:iam::777777777777:user/Saanvi", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Saanvi", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:29:12Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-role", "requestParameters": { "roleName": "TestRole", "description": "Allows EC2 instances to call AWS services on your behalf.", "assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"sts:AssumeRole\"],\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}" }, "responseElements": { "role": { "assumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22sts%3AAssumeRole%22%5D%2C%22Principal%22%3A%7B%22Service%22%3A%5B%22ec2.amazonaws.com%22%5D%7D%7D%5D%7D", "arn": "arn:aws:iam::777777777777:role/TestRole", "roleId": "AROA6ON6E4XEFFEXAMPLE", "createDate": "Jul 19, 2023 9:29:12 PM", "roleName": "TestRole", "path": "/" } }, "requestID": "ff38f36e-ebd3-425b-9939-EXAMPLE1bbe", "eventID": "9da77cd0-493f-4c89-8852-EXAMPLEa887c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777777777777", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
錯誤代碼和訊息日誌範例
下列範例顯示名為 Terry IAM的使用者執行 aws cloudtrail update-trail命令來呼叫 UpdateTrail動作,以更新名為 的線索myTrail2,但找不到線索名稱。日誌會顯示 errorCode 和 errorMessage 元素中的這個錯誤。
{"Records": [{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::111122223333:user/Terry", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Terry", "sessionContext": { "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:35:03Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.update-trail", "errorCode": "TrailNotFoundException", "errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:111122223333:trail/myTrail2 for the user: 111122223333", "requestParameters": { "name": "myTrail2", "isMultiRegionTrail": true }, "responseElements": null, "requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818", "eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
CloudTrail Insights 事件日誌範例
下列範例顯示 CloudTrail Insights 事件日誌。Insights 事件實際上是一對事件,其會標記異常寫入管理API活動或錯誤回應活動的期間開始和結束。state 欄位會顯示事件是在異常活動期間的開始還是結束時記錄的。事件名稱 與 的名稱相同UpdateInstanceInformation, AWS Systems Manager API其會 CloudTrail 分析管理事件以判斷發生異常活動。雖然開始和結束事件具有唯一的 eventID 值,但它們也具有由該組使用的 sharedEventID 值。Insights 事件會顯示 baseline (活動的正常模式)、insight (觸發開始 Insights 事件的或平均異常活動),以及在結束事件中,顯示 Insights 事件期間平均異常活動的 insight 值。如需 CloudTrail Insights 的詳細資訊,請參閱 使用 CloudTrail Insights。
{ "Records": [{ "eventVersion": "1.08", "eventTime": "2023-01-02T02:51:00Z", "awsRegion": "us-east-1", "eventID": "654a30ff-b0f3-4527-81b6-EXAMPLEf2393", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "bcbfc274-8559-4a56-beb0-EXAMPLEa6c34", "insightDetails": { "state": "Start", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 84.410596421 }, "insight": { "average": 669 } } } }, "eventCategory": "Insight" }, { "eventVersion": "1.08", "eventTime": "2023-01-02T00:22:00Z", "awsRegion": "us-east-1", "eventID": "258de2fb-e2a9-4fb5-aeb2-EXAMPLE449a4", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "8b74a7bc-d5d3-4d19-9d60-EXAMPLE08b51", "insightDetails": { "state": "End", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 74.156423842 }, "insight": { "average": 657 }, "insightDuration": 1 } } }, "eventCategory": "Insight" }] }
