示範:以程式設計方式擷取 AWS Health 事件資料的最後七天 - AWS Health

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

示範:以程式設計方式擷取 AWS Health 事件資料的最後七天

在下列程式碼範例中, AWS Health 使用針對全域端點的DNS查詢來判斷作用中的區域端點和簽署區域。 AWS Health 使用此資訊來擷取過去七天的事件資料報告。如果作用中端點變更,程式碼會重新啟動工作流程。

示範:使用 Java 擷取 AWS Health 事件資料的最後七天

先決條件

您必須安裝 Gradle

使用 Java 範例
  1. 從 下載AWS Health 高可用性端點示範 GitHub。

  2. 導覽至示範專案high-availability-endpoint/java目錄。

  3. 在命令列視窗中,輸入下列命令。

    gradle build
  4. 輸入下列命令來指定您的 AWS 登入資料。

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE" export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" export AWS_SESSION_TOKEN="your-aws-token"
  5. 輸入下列命令來執行示範。

    gradle run
    範例 : AWS Health 事件輸出

    程式碼範例會傳回您 AWS 帳戶中過去七天內最近的 AWS Health 事件。在下列範例中,輸出包含 AWS Config 服務 AWS Health 的事件。

    > Task :run [main] INFO aws.health.high.availability.endpoint.demo.HighAvailabilityV2Workflow - EventDetails(Event=Event(Arn=arn:aws:health:global::event/CONFIG/AWS_CONFIG_OPERATIONAL_NOTIFICATION/AWS_CONFIG_OPERATIONAL_NOTIFICATION_88a43e8a-e419-4ca7-9baa-56bcde4dba3, Service=CONFIG, EventTypeCode=AWS_CONFIG_OPERATIONAL_NOTIFICATION, EventTypeCategory=accountNotification, Region=global, StartTime=2020-09-11T02:55:49.899Z, LastUpdatedTime=2020-09-11T03:46:31.764Z, StatusCode=open, EventScopeCode=ACCOUNT_SPECIFIC), EventDescription=EventDescription(LatestDescription=As part of our ongoing efforts to optimize costs associated with recording changes related to certain ephemeral workloads, AWS Config is scheduled to release an update to relationships modeled within ConfigurationItems (CI) for 7 EC2 resource types on August 1, 2021. Examples of ephemeral workloads include changes to Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon Elastic MapReduce jobs, and Amazon EC2 Autoscaling. This update will optimize CI models for EC2 Instance, SecurityGroup, Network Interface, Subnet, VPC, VPN Gateway, and Customer Gateway resource types to record direct relationships and deprecate indirect relationships. A direct relationship is defined as a one-way relationship (A->B) between a resource (A) and another resource (B), and is typically derived from the Describe API response of resource (A). An indirect relationship, on the other hand, is a relationship that AWS Config infers (B->A), in order to create a bidirectional relationship. For example, EC2 instance -> Security Group is a direct relationship, since security groups are returned as part of the describe API response for an EC2 instance. But Security Group -> EC2 instance is an indirect relationship, since EC2 instances are not returned when describing an EC2 Security group. Until now, AWS Config has recorded both direct and indirect relationships. With the launch of Advanced queries in March 2019, indirect relationships can easily be answered by running Structured Query Language (SQL) queries such as: SELECT resourceId, resourceType WHERE resourceType ='AWS::EC2::Instance' AND relationships.resourceId = 'sg-234213' By deprecating indirect relationships, we can optimize the information contained within a Configuration Item while reducing AWS Config costs related to relationship changes. This is especially useful in case of ephemeral workloads where there is a high volume of configuration changes for EC2 resource types. Which resource relationships are being removed? Resource Type: Related Resource Type 1 AWS::EC2::CustomerGateway: AWS::VPN::Connection 2 AWS::EC2::Instance: AWS::EC2::EIP, AWS::EC2::RouteTable 3 AWS::EC2::NetworkInterface: AWS::EC2::EIP, AWS::EC2::RouteTable 4 AWS::EC2::SecurityGroup: AWS::EC2::Instance, AWS::EC2::NetworkInterface 5 AWS::EC2::Subnet: AWS::EC2::Instance, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable 6 AWS::EC2::VPC: AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::SecurityGroup 7 AWS::EC2::VPNGateway: AWS::EC2::RouteTable, AWS::EC2::VPNConnection Alternate mechanism to retrieve this relationship information: The SelectResourceConfig API accepts a SQL SELECT command, performs the corresponding search, and returns resource configurations matching the properties. You can use this API to retrieve the same relationship information. For example, to retrieve the list of all EC2 Instances related to a particular VPC vpc-1234abc, you can use the following query: SELECT resourceId, resourceType WHERE resourceType ='AWS::EC2::Instance' AND relationships.resourceId = 'vpc-1234abc' If you have any questions regarding this deprecation plan, please contact AWS 支援 [1]. Additional sample queries to retrieve the relationship information for the resources listed above is provided in [2]. [1] https://aws.amazon.com/support [2] https://docs.aws.amazon.com/config/latest/developerguide/examplerelationshipqueries.html), EventMetadata={})

Java 資源

示範:使用 Python 擷取 AWS Health 事件資料的最後七天

先決條件

您必須安裝 Python 3

使用 Python 範例
  1. 從 下載AWS Health 高可用性端點示範 GitHub。

  2. 導覽至示範專案high-availability-endpoint/python目錄。

  3. 在命令列視窗中,輸入下列命令。

    pip3 install virtualenv virtualenv -p python3 v-aws-health-env
    注意

    對於 Python 3.3 和更新版本,您可以使用內建venv模組來建立虛擬環境,而不是安裝 virtualenv。如需詳細資訊,請參閱 Python 網站上的 venv - 虛擬環境的建立

    python3 -m venv v-aws-health-env
  4. 輸入下列命令以啟用虛擬環境。

    source v-aws-health-env/bin/activate
  5. 輸入下列命令來安裝相依性。

    pip install -r requirements.txt
  6. 輸入下列命令來指定您的 AWS 登入資料。

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE" export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" export AWS_SESSION_TOKEN="your-aws-token"
  7. 輸入下列命令來執行示範。

    python3 main.py
    範例 : AWS Health 事件輸出

    程式碼範例會傳回您 AWS 帳戶中過去七天內最近的 AWS Health 事件。下列輸出會傳回 AWS 安全通知 AWS Health 的事件。

    INFO:botocore.credentials:Found credentials in environment variables.
    INFO:root:Details: {'arn': 'arn:aws:health:global::event/SECURITY/AWS_SECURITY_NOTIFICATION/AWS_SECURITY_NOTIFICATION_0e35e47e-2247-47c4-a9a5-876544042721', 
    'service': 'SECURITY', 'eventTypeCode': 'AWS_SECURITY_NOTIFICATION', 'eventTypeCategory': 'accountNotification', 'region': 'global', 'startTime': datetime.datetime(2020, 8, 19, 23, 30, 42, 476000, 
    tzinfo=tzlocal()), 'lastUpdatedTime': datetime.datetime(2020, 8, 20, 20, 44, 9, 547000, tzinfo=tzlocal()), 'statusCode': 'open', 'eventScopeCode': 'PUBLIC'}, description: 
    {'latestDescription': 'This is the second notice regarding TLS requirements on FIPS endpoints.\n\nWe
    are in the process of updating all AWS Federal Information Processing Standard (FIPS) endpoints across all AWS regions 
    to Transport Layer Security (TLS) version 1.2 by March 31, 2021 . In order to avoid an interruption in service, we encourage you to act now, by ensuring that you connect to AWS FIPS endpoints at a TLS version of 1.2. 
    If your client applications fail to support TLS 1.2 it will result in connection failures when TLS versions below 1.2 are no longer supported.\n\nBetween now and March 31, 2021 AWS will remove TLS 1.0 and TLS 1.1 support from each FIPS endpoint where no connections below TLS 1.2 are detected over a 30-day period. 
    After March 31, 2021 we may deploy this change to all AWS FIPS endpoints, even if there continue
    to be customer connections detected at TLS versions below 1.2. \n\nWe will provide additional updates and reminders on the AWS Security Blog, with a ‘TLS’ tag [1]. If you need further guidance or assistance, please contact AWS 支援 [2] or your Technical Account Manager (TAM). 
    Additional information is below.\n\nHow can I identify clients that are connecting with TLS
    1.0/1.1?\nFor customers using S3 [3], Cloudfront [4] or Application Load Balancer [5] you can use
    your access logs to view the TLS connection information for these services, and identify client
    connections that are not at TLS 1.2. If you are using the AWS Developer Tools on your clients, 
    you can find information on how to properly configure your client’s TLS versions by visiting Tools to Build on AWS [7] or our associated AWS Security Blog has a link for each unique code language [7].\n\nWhat is Transport Layer Security (TLS)?\nTransport Layer Security (TLS Protocols) are cryptographic protocols designed to provide secure communication across a computer network 
    [6].\n\nWhat are AWS FIPS endpoints? \nAll AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints [9] for customers that require use of FIPS validated cryptographic libraries. \n\n[1] https://aws.amazon.com/blogs/security/tag/tls/\n[2] https://aws.amazon.com/support\n[3] 
    https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html\n[4] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html\n[5] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html\n[6] https://aws.amazon.com/tools\n[7] https://aws.amazon.com/blogs/security/tls-1-2-to-become-the-minimum-for-all-aws-fips-endpoints\n[8] 
    https://en.wikipedia.org/wiki/Transport_Layer_Security\n[9] https://aws.amazon.com/compliance/fips'}
  8. 完成後,請輸入下列命令來停用虛擬機器。

    deactivate

Python 資源