本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS 私有 CA 使用 CloudWatch Events 監控
您可以使用 [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/) 自動化您的 AWS 服務,並自動回應系統事件,例如應用程式可用性問題或資源變更。 AWS 服務的事件會以接近即時的方式傳送到 CloudWatch Events。您可撰寫簡單的規則,指出您在意的事件,以及當事件符合規則時所要自動執行的動作。CloudWatch Events 至少發佈一次。如需詳細資訊,請參閱[建立由事件觸發的 CloudWatch Events 規則](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html).
使用 Amazon EventBridge 將 CloudWatch Events 轉換成動作。使用 EventBridge,您可以使用事件來觸發目標,包括 AWS Lambda 函數、 AWS Batch 工作、Amazon SNS 主題等。如需詳細資訊,請參閱[什麼是 Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html)
## 建立私有 CA 時成功或失敗
這些事件是由 [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) 操作觸發的。
**成功**
成功時,操作會傳回新 CA 的 ARN。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Creation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T19:14:56Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
],
"detail":{
"result":"success"
}
}
```
**失敗**
失敗時,操作會傳回 CA 的 ARN。使用 ARN,您可以呼叫 [DescribeCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html) 來判斷 CA 的狀態。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Creation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T19:14:56Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
],
"detail":{
"result":"failure"
}
}
```
## 發出憑證時成功或失敗
這些事件是由 [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) 操作觸發的。
**成功**
成功時,操作會傳回 CA 和新憑證的 ARN。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Certificate Issuance",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T19:57:46Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
"arn:aws:acm-pca:{{region}}:{{account}}:certificate-authority/{{CA_ID}}/certificate/{{certificate_ID}}"
],
"detail":{
"result":"success"
}
}
```
**失敗**
失敗時,操作會傳回憑證 ARN 和 CA 的 ARN。使用憑證 ARN,您可以呼叫 [GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html) 來檢視失敗的原因。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Certificate Issuance",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T19:57:46Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
"arn:aws:acm-pca:{{region}}:{{account}}:certificate-authority/{{CA_ID}}/certificate/{{certificate_ID}}"
],
"detail":{
"result":"failure"
}
}
```
## 撤銷憑證時成功
這些事件是由 [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) 操作觸發的。
如果撤銷失敗或憑證已遭撤銷,則不會傳送任何事件。
****Success****
成功時,操作會傳回 CA 和撤銷憑證的 ARN。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Certificate Revocation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-05T20:25:19Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
"arn:aws:acm-pca:{{region}}:{{account}}:certificate-authority/{{CA_ID}}/certificate/{{certificate_ID}}"
],
"detail":{
"result":"success"
}
}
```
## 產生 CRL 時成功或失敗
這些事件是由 [RevokeCerticate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) 操作觸發的,其會造成建立憑證撤銷清單 (CRL)。
**成功**
成功時,操作會傳回與 CRL 相關聯 CA 的 ARN。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA CRL Generation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T21:07:08Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
],
"detail":{
"result":"success"
}
}
```
**失敗 1 – 由於許可錯誤,CRL 無法儲存至 Amazon S3**
如果發生此錯誤,請檢查您的 Amazon S3 儲存貯體許可。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA CRL Generation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-07T23:01:25Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
],
"detail":{
"result":"failure",
"reason":"Failed to write CRL to S3. Check your S3 bucket permissions."
}
}
```
**失敗 2 – 由於內部錯誤,CRL 無法儲存至 Amazon S3**
如果發生此錯誤,請重試操作。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA CRL Generation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-07T23:01:25Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
],
"detail":{
"result":"failure",
"reason":"Failed to write CRL to S3. Internal failure."
}
}
```
**失敗 3 – AWS 私有 CA 無法建立 CRL**
若要疑難排解此錯誤,請檢查您的 [CloudWatch 指標](https://docs.aws.amazon.com/privateca/latest/APIReference/PcaCloudWatch.html)。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA CRL Generation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-07T23:01:25Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
],
"detail":{
"result":"failure",
"reason":"Failed to generate CRL. Internal failure."
}
}
```
## 建立 CA 稽核報告時成功或失敗
這些事件是由 [CreateCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html) 操作觸發的。
**成功**
成功時,操作會傳回 CA 的 ARN 和稽核報告的 ID。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Audit Report Generation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T21:54:20Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
"{{audit_report_ID}}"
],
"detail":{
"result":"success"
}
}
```
**失敗**
當 Amazon S3 儲存貯體 AWS 私有 CA 上缺少`PUT`許可、儲存貯體上啟用加密或其他原因時,稽核報告可能會失敗。
```
{
"version":"0",
"id":"{{event_ID}}",
"detail-type":"ACM Private CA Audit Report Generation",
"source":"aws.acm-pca",
"account":"{{account}}",
"time":"2019-11-04T21:54:20Z",
"region":"{{region}}",
"resources":[
"arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
"{{audit_report_ID}}"
],
"detail":{
"result":"failure"
}
}
```