本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 AWS CloudTrail 記錄 AWS 資源總管 API 呼叫
AWS 資源總管已與整合AWS CloudTrail,該服務提供由使用者、角色或資源總管AWS 服務中的服務所採取之動作的記錄。 CloudTrail 擷取資源瀏覽器的所有 API 呼叫當作事件。擷取的呼叫包括從資源總管主控台進行的呼叫,以及對資源總管 API 操作的程式碼呼叫。
如果您建立*追蹤記錄*,就可以持續傳送 CloudTrail 事件至 Amazon S3 儲存貯體,包括資源 Explorer 的事件。追蹤是一種組態,能讓事件以日誌檔案的形式交付到您指定的 Amazon S3 儲存貯體。如果您不設定追蹤記錄,仍然可以透過 CloudTrail 主控台中的 **Event history (事件歷史記錄)** 檢視最新的事件。您可以使用收集的資訊來 CloudTrail判斷向資源 Explorer 發出的請求,以及發出請求的 IP 地址、提出請求的對象、時間和其他詳細資訊。
若要進一步了解 CloudTrail,請參閱使[AWS CloudTrail用者指南](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)。
## 資源總管資訊 CloudTrail
CloudTrail 當您建立帳戶AWS 帳戶時,系統即會在中啟用。此外,資源總管中發生活動時,系統便會將該活動記錄至 CloudTrail 事件,並將其他AWS 服務事件記錄到**事件歷史**記錄中。您可以檢視、搜尋和下載 AWS 帳戶 的最新事件。如需詳細資訊,請參閱[使用 CloudTrail 事件歷程記錄檢視事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)。
**重要**
您可以通過搜索**事件源 = 資源**瀏覽器 **-2.amazonaws.com 找到所有資源瀏**覽器事件
若要持續記錄您的事件AWS 帳戶,包括資源總管的事件,請建立追蹤。*線索*能讓 CloudTrail 將日誌檔案交付至 Amazon S3 儲存貯體。依預設,當您在主控台中建立追蹤時,該追蹤會套用至所有的 AWS 區域。該追蹤會記錄來自 AWS 分割區中所有區域的事件,並將日誌檔案交付到您指定的 Amazon S3 儲存貯體。此外,您還能設定其他服務,AWS 服務以進一步分析和處理 CloudTrail 日誌中收集的事件資料。如需詳細資訊,請參閱《*AWS CloudTrail 使用者指南*》中的以下主題:
+ [建立 AWS 帳戶 的追蹤](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS與 CloudTrail 日誌的服務整合](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [設定的 Amazon SNS 通知 CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [從多個區域接收 CloudTrail 日誌檔案](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)
+ [從多個帳戶接收 CloudTrail 日誌檔案](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
系統會記錄所有資源總管動作, CloudTrail 並記錄在 [AWS 資源總管API 參考](https://docs.aws.amazon.com/resource-explorer/latest/apireference/)中。例如,呼叫`CreateIndex``DeleteIndex`、和`UpdateIndex`動作會在 CloudTrail 記錄檔中產生項目。
每個事件或日誌項目都會包含可幫助您確定請求發出者的資訊。
+ AWS 帳戶根認證
+ AWS Identity and Access Management (IAM) 角色或聯合身分使用者提供的暫時安全憑證。
+ IAM 使用者提供的長期安全憑證。
+ 其他 AWS 服務。
**重要**
基於安全理由`Tags``Filters`,系統會從 CloudTrail 軌跡項目編輯所有、和`QueryString`值。
如需詳細資訊,請參閱 [CloudTrail userIdentity 元素](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)。
## 了解資源總管日誌檔案項目
追蹤是一種組態,能讓事件以日誌檔案的形式交付至您指定的 Amazon S3 儲存貯體。 CloudTrail 日誌檔案包含一個或多個日誌項目。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。 CloudTrail 日誌檔案並非依公有 API 呼叫的堆疊追蹤排序,因此不會以任何特定順序出現。
**Topics**
+ [CreateIndex](#ct-createindex)
+ [DeleteIndex](#ct-deleteindex)
+ [UpdateIndexType](#ct-updateindextype)
+ [搜尋](#ct-search)
+ [CreateView](#ct-createview)
+ [DeleteView](#ct-deleteview)
+ [DisassociateDefaultView](#ct-disassociatedefaultview)
### CreateIndex
以下範例顯示的是展示`CreateIndex`動作的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-166EXAMPLE",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-166EXAMPLE",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-23T19:13:59Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "CreateIndex",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.create-index",
"requestParameters": {
"ClientToken": "792ee665-58af-423c-bfdb-d7c9aEXAMPLE"
},
"responseElements": {
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
"State": "CREATING",
"CreatedAt": "2022-08-23T19:13:59.775Z"
},
"requestID": "a193afe9-17ff-4f30-ae0a-73bb0EXAMPLE",
"eventID": "2ec50598-4de6-474d-bd0e-f5c00EXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### DeleteIndex
以下範例顯示的是展示`DeleteIndex`動作的 CloudTrail 長項目。
**注意**
此動作也會以非同步方式刪除該區域中帳戶的所有檢視,因此每個已刪除的檢視都會產生`DeleteView`事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:My-Role-Name",
"arn": "arn:aws:sts::123456789012:assumed-role/My-Admin-Role/My-Delegated-Role",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/My-Admin-Role",
"accountId": "123456789012",
"userName": "My-Admin-Role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T18:33:06Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-23T19:04:06Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "DeleteIndex",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.delete-index",
"requestParameters": {
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
},
"responseElements": {
"Access-Control-Expose-Headers": "x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date",
"State": "DELETING",
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
},
"requestID": "d7d80bd2-cd2d-47fb-88d6-5133aEXAMPLE",
"eventID": "675eab39-c514-4d32-989d-0ea98EXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### UpdateIndexType
下列範例顯示示範將索引從類型`LOCAL`升級為的`UpdateIndexType`動作的 CloudTrail 記錄項目`AGGREGATOR`。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-23T19:21:18Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "UpdateIndexType",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.update-index-type",
"requestParameters": {
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
"Type": "AGGREGATOR"
},
"responseElements": {
"Type": "AGGREGATOR",
"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
"LastUpdatedAt": "2022-08-23T19:21:17.924Z",
"State": "UPDATING"
},
"requestID": "a145309d-df14-4c2e-a9f6-8ed45EXAMPLE",
"eventID": "ed33ab96-f5c6-4a77-a69a-8585aEXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### 搜尋
以下範例顯示的是展示`Search`動作的 CloudTrail 日誌項目。
**注意**
基於安全理由,系統會在 CloudTrail 追蹤項目中編輯`Filters`、和`QueryString`參數的所有參照。`Tag`
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-03T16:50:11Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "Search",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.search",
"requestParameters": {
"QueryString": "***"
},
"responseElements": null,
"requestID": "22320db5-b194-446f-b9f4-e603bEXAMPLE",
"eventID": "addb3bca-0c41-46bf-a5e6-42299EXAMPLE",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### CreateView
以下範例顯示的是展示`CreateView`動作的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-01-20T21:54:48Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "CreateView",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.create-view",
"requestParameters": {
"ViewName": "CTTagsTest",
"Tags": "***"
},
"responseElements": {
"View": {
"Filters": "***",
"IncludedProperties": [],
"LastUpdatedAt": "2023-01-20T21:54:48.079Z",
"Owner": "123456789012",
"Scope": "arn:aws:iam::123456789012:root",
"ViewArn": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/CTTest/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
}
},
"requestID": "b22d8ced-4905-42c4-b1aa-ef713EXAMPLE",
"eventID": "f62e339f-1070-41a8-a6ec-12491EXAMPLE",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### DeleteView
下列範例顯示 CloudTrail 記錄項目,其中示範由於相同作業而自`DeleteView`動啟動動`DeleteIndex`作時可能發生的事件AWS 區域。
**注意**
如果已刪除的檢視是 [區域] 的預設檢視,此動作也會非同步取消檢視作為預設檢視的關聯性。這會產生一個`DisassociateDefaultView`事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEEXAMPLE:botocore-session-1661282039",
"arn": "arn:aws:sts::123456789012:assumed-role/cli-role/botocore-session-1661282039",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/cli-role",
"accountId": "123456789012",
"userName": "cli-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-23T19:13:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-09-16T19:33:27Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "DeleteView",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.delete-view",
"requestParameters": null,
"responseElements": null,
"eventID": "cd174d1e-0a24-4b47-8b67-d024aEXAMPLE",
"readOnly": false,
"resources": [{
"accountId": "334026708824",
"type": "AWS::ResourceExplorer2::View",
"ARN": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/CTTest/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
}],
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
### DisassociateDefaultView
下列範例顯示的 CloudTrail 記錄項目會示範由於目前預設檢視上的`DisassociateDefaultView`作業而自動啟動動`DeleteView`作時可能發生的事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"accountId": "123456789012",
"invokedBy": "resource-explorer-2.amazonaws.com"
},
"eventTime": "2022-09-16T19:33:26Z",
"eventSource": "resource-explorer-2.amazonaws.com",
"eventName": "DisassociateDefaultView",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.24.34.15",
"userAgent": "aws-cli/2.7.14 Python/3.9.11 Windows/10 exe/AMD64 prompt/off command/resource-explorer-2.disassociate-default-view",
"requestParameters": null,
"responseElements": null,
"eventID": "d8016cb1-5c23-4ea4-bda2-70b03EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```