本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
CloudTrail 記錄檔範例
CloudTrail 監控您帳戶的事件。如果您建立追蹤,其會將這些事件做為日誌檔案交付至您的 Amazon S3 儲存貯體。如果您在 CloudTrail Lake 中建立事件資料倉庫,則會將事件記錄到您的事件資料倉庫中。事件資料存放區不會使用 S3 儲存貯體。
CloudTrail 記錄檔名稱格式
CloudTrail 將下列檔案名稱格式用於傳送至 Amazon S3 儲存貯體的日誌檔物件:
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
-
YYYY、MM、DD、HH和mm是交付日誌檔案之年、月、日、時和分的數字。小時為 24 小時格式。表Z示時間在中UTC。注意
在特定時間交付的日誌檔案,會包含該時間之前的任何時間點所寫入之記錄。
-
日誌檔案名稱的 16 字元
UniqueString元件是為了避免覆寫檔案。它沒有任何意義,所以日誌處理軟體應會忽略它。 -
FileNameFormat是檔案的編碼。目前,這是json.gz一個壓縮 gzip 格式的JSON文本文件。
範例 CloudTrail 記錄檔名稱
111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz
日誌檔案範例
日誌檔案包含一或多筆記錄。下列範例是日誌的程式碼片段,可顯示開始建立日誌檔案之動作的記錄。
如需 CloudTrail 事件記錄欄位的資訊,請參閱CloudTrail 記錄內容。
Amazon EC2 日誌示例
Amazon 彈性運算雲 (AmazonEC2) 在中提供可調整大小的計算容量。 AWS 雲端您可以啟動虛擬伺服器、設定安全和聯網功能,以及管理儲存。Amazon 還EC2可以快速擴展或縮減以處理需求的變化或受歡迎程度峰值,從而減少您預測伺服器流量的需求。如需詳細資訊,請參閱 Amazon EC2 使用者指南。
下列範例顯示名為的IAM使用者執Mateo行命aws ec2 start-instances令,針對執行個體i-EXAMPLE56126103cb和呼叫 Amazon EC2 StartInstances動作i-EXAMPLEaff4840c22。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::123456789012:user/Mateo", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mateo", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:17:28Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.start-instances", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb" }, { "instanceId": "i-EXAMPLEaff4840c22" } ] } }, "responseElements": { "requestId": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16", "instancesSet": { "items": [ { "instanceId": "i-EXAMPLEaff4840c22", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } }, { "instanceId": "i-EXAMPLE56126103cb", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } } ] } }, "requestID": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16", "eventID": "e755e09c-42f9-4c5c-9064-EXAMPLE228c7", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下列範例顯示名為的IAM使用者執Nikki行命aws ec2 stop-instances令來呼叫 Amazon EC2 StopInstances動作來停止兩個執行個體。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::777788889999:user/Nikki", "accountId": "777788889999", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "Nikki", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:14:20Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.stop-instances", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb" }, { "instanceId": "i-EXAMPLEaff4840c22" } ] }, "force": false }, "responseElements": { "requestId": "c308a950-e43e-444e-afc1-EXAMPLE73e49", "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } }, { "instanceId": "i-EXAMPLEaff4840c22", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } } ] } }, "requestID": "c308a950-e43e-444e-afc1-EXAMPLE73e49", "eventID": "9357a8cc-a0eb-46a1-b67e-EXAMPLE19b14", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777788889999", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下列範例顯示名為的IAM使用者Arnav執行aws ec2 create-key-pair命令來呼叫CreateKeyPair動作。請注意,responseElements包含 key pair 的散列並 AWS 刪除了密鑰材料。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::444455556666:user/Arnav", "accountId": "444455556666", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "Arnav", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:19:22Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.create-key-pair", "requestParameters": { "keyName": "my-key", "keyType": "rsa", "keyFormat": "pem" }, "responseElements": { "requestId": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196", "keyName": "my-key", "keyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "keyPairId": "key-abcd12345eEXAMPLE", "keyMaterial": "<sensitiveDataRemoved>" }, "requestID": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196", "eventID": "2ae450ff-e72b-4de1-87b0-EXAMPLE5227cb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "444455556666", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
IAM記錄範例
AWS Identity and Access Management (IAM) 是一項可協助您安全控制 AWS 資源存取的 Web 服務。您可以使用集中管理權限IAM,以控制使用者可以存取的 AWS 資源。您可IAM以用來控制誰要經過驗證 (登入) 和授權 (具有權限) 來使用資源。若要取得更多資訊,請參閱IAM使用者指南。
下面的例子顯示了名為的IAM用戶Mary運行了aws iam create-user命令來調用該CreateUser操作來創建一個名為的新用戶Richard。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE", "arn": "arn:aws:iam::888888888888:user/Mary", "accountId": "888888888888", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mary", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:25:09Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user", "requestParameters": { "userName": "Richard" }, "responseElements": { "user": { "path": "/", "arn": "arn:aws:iam::888888888888:user/Richard", "userId": "AIDA6ON6E4XEP7EXAMPLE", "createDate": "Jul 19, 2023 9:25:09 PM", "userName": "Richard" } }, "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc", "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "888888888888", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
下面的例子顯示Paulo了名為的IAM用戶運行了aws iam add-user-to-group命令來調用該AddUserToGroup操作將名為的用戶添加Jane到Admin組中。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::555555555555:user/Paulo", "accountId": "555555555555", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Paulo", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:25:09Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.add-user-to-group", "requestParameters": { "groupName": "Admin", "userName": "Jane" }, "responseElements": null, "requestID": "ecd94349-b36f-44bf-b6f5-EXAMPLE9c463", "eventID": "2939ba50-1d26-4a5a-83bd-EXAMPLE85850", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555555555555", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
以下示例顯示名為的IAM用戶Saanvi運行了aws iam create-role命令來調用該CreateRole操作來創建角色。
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE", "arn": "arn:aws:iam::777777777777:user/Saanvi", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Saanvi", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:29:12Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-role", "requestParameters": { "roleName": "TestRole", "description": "Allows EC2 instances to call AWS services on your behalf.", "assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"sts:AssumeRole\"],\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}" }, "responseElements": { "role": { "assumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22sts%3AAssumeRole%22%5D%2C%22Principal%22%3A%7B%22Service%22%3A%5B%22ec2.amazonaws.com%22%5D%7D%7D%5D%7D", "arn": "arn:aws:iam::777777777777:role/TestRole", "roleId": "AROA6ON6E4XEFFEXAMPLE", "createDate": "Jul 19, 2023 9:29:12 PM", "roleName": "TestRole", "path": "/" } }, "requestID": "ff38f36e-ebd3-425b-9939-EXAMPLE1bbe", "eventID": "9da77cd0-493f-4c89-8852-EXAMPLEa887c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777777777777", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
錯誤代碼和訊息日誌範例
下列範例顯示名為的IAM使用者Terry執行aws cloudtrail update-trail命令來呼叫UpdateTrail動作來更新名為的追蹤myTrail2,但找不到追蹤名稱。日誌會顯示 errorCode 和 errorMessage 元素中的這個錯誤。
{"Records": [{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::111122223333:user/Terry", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Terry", "sessionContext": { "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:35:03Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.update-trail", "errorCode": "TrailNotFoundException", "errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:111122223333:trail/myTrail2 for the user: 111122223333", "requestParameters": { "name": "myTrail2", "isMultiRegionTrail": true }, "responseElements": null, "requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818", "eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
CloudTrail 洞察事件日誌範例
下列範例顯示 CloudTrail 深入解析事件記錄檔。Insights 事件實際上是一對事件,用來標記異常寫入管理API活動或錯誤回應活動期間的開始和結束。state 欄位會顯示事件是在異常活動期間的開始還是結束時記錄的。事件名稱與 CloudTrail 分析管理事件以判斷發生異常活動的名稱相同。UpdateInstanceInformation AWS Systems Manager API雖然開始和結束事件具有唯一的 eventID 值,但它們也具有由該組使用的 sharedEventID 值。Insights 事件會顯示 baseline (活動的正常模式)、insight (觸發開始 Insights 事件的或平均異常活動),以及在結束事件中,顯示 Insights 事件期間平均異常活動的 insight 值。如需 CloudTrail 深入解析的詳細資訊,請參閱記錄 Insights 事件。
{ "Records": [{ "eventVersion": "1.08", "eventTime": "2023-01-02T02:51:00Z", "awsRegion": "us-east-1", "eventID": "654a30ff-b0f3-4527-81b6-EXAMPLEf2393", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "bcbfc274-8559-4a56-beb0-EXAMPLEa6c34", "insightDetails": { "state": "Start", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 84.410596421 }, "insight": { "average": 669 } } } }, "eventCategory": "Insight" }, { "eventVersion": "1.08", "eventTime": "2023-01-02T00:22:00Z", "awsRegion": "us-east-1", "eventID": "258de2fb-e2a9-4fb5-aeb2-EXAMPLE449a4", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "8b74a7bc-d5d3-4d19-9d60-EXAMPLE08b51", "insightDetails": { "state": "End", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 74.156423842 }, "insight": { "average": 657 }, "insightDuration": 1 } } }, "eventCategory": "Insight" }] }
