

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Monitoring and logging AWS Certificate Manager
<a name="monitoring-and-logging"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Certificate Manager and your AWS solutions. You should collect monitoring data from all parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs.

The following topics describe the AWS Cloud monitoring tools available for use with ACM.

**Topics**
+ [Using Amazon EventBridge](cloudwatch-events.md)
+ [Using CloudTrail with AWS Certificate Manager](cloudtrail.md)
+ [Supported CloudWatch metrics](cloudwatch-metrics.md)

# Using Amazon EventBridge
<a name="cloudwatch-events"></a>

You can use [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/) (formerly CloudWatch Events) to automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services, including ACM, are delivered to Amazon EventBridge in near real time. You can use events to trigger targets, including AWS Lambda functions, AWS Batch jobs, Amazon SNS topics, and many others. For more information, see [What is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html)

**Topics**
+ [Amazon EventBridge support for ACM](supported-events.md)
+ [Triggering actions with Amazon EventBridge in ACM](example-actions.md)

# Amazon EventBridge support for ACM
<a name="supported-events"></a>

This topic lists and describes the ACM-related events supported by Amazon EventBridge.

## ACM Certificate Approaching Expiration event
<a name="expiration-approaching-event"></a>

ACM sends daily expiration events for all active certificates (public, private, and imported), starting 45 days before expiration for public certificates and 30 days before expiration for private/imported certificates. This period can be changed using the [PutAccountConfiguration](https://docs.aws.amazon.com/acm/latest/APIReference/API_PutAccountConfiguration.html) operation of the ACM API.

ACM automatically starts renewal for eligible certificates that it issued, but imported certificates must be reissued and reimported into ACM before they expire to avoid an outage. For more information, see [Reimporting a certificate](https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html#reimport-certificate-api). You can use the expiration event to set up automation that reimports certificates into ACM. For an example of automation that uses AWS Lambda, see [Triggering actions with Amazon EventBridge in ACM](example-actions.md).

The *ACM Certificate Approaching Expiration* event has the following structure.

```
{
  "version": "0",
  "id": "id",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "account",
  "time": "2020-09-30T06:51:08Z",
  "region": "region",
  "resources": [
    "arn:aws:acm:region:account:certificate/certificate_ID"
  ],
  "detail": {
    "DaysToExpiry": 31,
    "CommonName": "example.com"
  }
}
```

## ACM Certificate Expired event
<a name="expired-event"></a>

**Note**  
The Certificate Expired event is not available for [imported certificates](import-certificate.md).

Customers can listen for this event to be alerted when an ACM-issued public or private certificate in their account expires.

The *ACM Certificate Expired* event has the following structure.

```
{
    "version": "0",
    "id": "id",
    "detail-type": "ACM Certificate Expired",
    "source": "aws.acm",
    "account": "account",
    "time": "2019-12-22T18:43:48Z",
    "region": "region",
    "resources": [
        "arn:aws:acm:region:account:certificate/certificate_ID"
    ],
    "detail": {
        "CertificateType" : "AMAZON_ISSUED" | "PRIVATE",
        "CommonName": "example.com",
        "DomainValidationMethod" : "EMAIL" | "DNS",
        "CertificateCreatedDate" : "2018-12-22T18:43:48Z",
        "CertificateExpirationDate" : "2019-12-22T18:43:48Z",
        "InUse" : TRUE | FALSE,
        "Exported" : TRUE | FALSE
    }
}
```

## ACM Certificate Available event
<a name="available-event"></a>

Customers can listen for this event to be notified when a managed public or private certificate is ready for use. The event is published on issuance, renewal, and import. For a private certificate, customer action is still required to deploy it to hosts once it becomes available.

The *ACM Certificate Available* event has the following structure.

```
{
    "version": "0",
    "id": "id",
    "detail-type": "ACM Certificate Available",
    "source": "aws.acm",
    "account": "account",
    "time": "2019-12-22T18:43:48Z",
    "region": "region",
    "resources": [
        "arn:aws:acm:region:account:certificate/certificate_ID"
    ],
    "detail": {
        "Action" : "ISSUANCE" | "RENEWAL" | "IMPORT" | "REIMPORT",
        "CertificateType" : "AMAZON_ISSUED" | "PRIVATE" | "IMPORTED",
        "CommonName": "example.com",
        "DomainValidationMethod" : "EMAIL" | "DNS",
        "CertificateCreatedDate" : "2019-12-22T18:43:48Z",
        "CertificateExpirationDate" : "2019-12-22T18:43:48Z",
        "DaysToExpiry" : 198,
        "InUse" : TRUE | FALSE,
        "Exported" : TRUE | FALSE
    }
}
```

## ACM Certificate Renewal Action Required event
<a name="renewal-required-event"></a>

**Note**  
The Certificate Renewal Action Required event is not available for [imported certificates](import-certificate.md).

Customers can listen for this event to be alerted when a certificate cannot be renewed until the customer takes action. For example, if a customer has added a CAA record that blocks ACM from renewing the certificate, ACM publishes this event when automatic renewal fails 45 days before expiration for private certificates and 30 days before expiration for public certificates. If the customer takes no action, ACM tries to renew again after 30 days (private only), 15 days, 3 days, and 1 day, or until the customer takes action, the certificate expires, or the certificate is no longer eligible for renewal. An event is published for each renewal attempt.

The *ACM Certificate Renewal Action Required* event has the following structure.

```
{
    "version": "0",
    "id": "id",
    "detail-type": "ACM Certificate Renewal Action Required",
    "source": "aws.acm",
    "account": "account",
    "time": "2019-12-22T18:43:48Z",
    "region": "region",
    "resources": [
        "arn:aws:acm:region:account:certificate/certificate_ID"
    ],
    "detail": {
        "CertificateType" : "AMAZON_ISSUED" | "PRIVATE",
        "CommonName": "example.com",
        "DomainValidationMethod" : "EMAIL" | "DNS",
        "RenewalStatusReason" : "CAA_ERROR" | "PENDING_DOMAIN_VALIDATION" | "NO_AVAILABLE_CONTACTS" | "ADDITIONAL_VERIFICATION_REQUIRED" | "DOMAIN_NOT_ALLOWED" | "INVALID_PUBLIC_DOMAIN" | "DOMAIN_VALIDATION_DENIED" | "PCA_LIMIT_EXCEEDED" | "PCA_INVALID_ARN" | "PCA_INVALID_STATE" | "PCA_REQUEST_FAILED" | "PCA_NAME_CONSTRAINTS_VALIDATION" | "PCA_RESOURCE_NOT_FOUND" | "PCA_INVALID_ARGS" | "PCA_INVALID_DURATION" | "PCA_ACCESS_DENIED" | "SLR_NOT_FOUND" | "OTHER",
        "DaysToExpiry": 30,
        "CertificateExpirationDate" : "2019-12-22T18:43:48Z",
        "InUse" : TRUE | FALSE,
        "Exported" : TRUE | FALSE
    }
}
```

## ACM Certificate Revoked event
<a name="revoked-event"></a>

Customers can listen for this event to be alerted when an ACM-issued public or private certificate in their account is revoked.

**Note**  
Only exported certificates can be revoked. Imported certificates cannot be revoked with revoke-certificate.

The *ACM Certificate Revoked* event has the following structure.

```
{
    "version": "0",
    "id": "id",
    "detail-type": "ACM Certificate Revoked",
    "source": "aws.acm",
    "account": "account",
    "time": "2019-12-22T18:43:48Z",
    "region": "region",
    "resources": [
        "arn:aws:acm:region:account:certificate/certificate_ID"
    ],
    "detail": {
        "CertificateType" : "AMAZON_ISSUED" | "PRIVATE",
        "CommonName": "example.com",
        "CertificateExpirationDate" : "2019-12-22T18:43:48Z",
        "Exportable": TRUE | FALSE
    }
}
```
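The five ACM event shapes above share a `source`, a `resources` list holding the certificate ARN, and a `detail` object whose fields depend on `detail-type`. As an added example (not part of this guide or of the ACM service), the following Python triage function parses the certificate ARN, assigns a handling severity per event type, escalates when `DaysToExpiry` is small, and routes a Renewal Action Required event by its `RenewalStatusReason`; the severity table, the owner routing, and the sample events are constructed for this example.

```python
# Added example: triage of the ACM EventBridge events documented above.
# The HANDLING table and the sample events are constructed for this example.

HANDLING = {
    "ACM Certificate Approaching Expiration": ("MEDIUM", "reissue or reimport before expiration"),
    "ACM Certificate Expired": ("CRITICAL", "replace now; clients fail TLS validation"),
    "ACM Certificate Available": ("INFO", "deploy to hosts (private certificates need manual deployment)"),
    "ACM Certificate Renewal Action Required": ("HIGH", "resolve RenewalStatusReason so ACM can renew"),
    "ACM Certificate Revoked": ("CRITICAL", "rotate and redeploy; review why it was revoked"),
}

# Reasons the domain owner can fix (CAA record, validation e-mail, DNS record ...)
CUSTOMER_FIXABLE = {
    "CAA_ERROR", "PENDING_DOMAIN_VALIDATION", "NO_AVAILABLE_CONTACTS",
    "ADDITIONAL_VERIFICATION_REQUIRED", "DOMAIN_VALIDATION_DENIED",
}


def parse_certificate_arn(arn):
    """Split arn:aws:acm:region:account:certificate/id into its components."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError("not an ACM certificate ARN: " + arn)
    resource_type, _, cert_id = parts[5].partition("/")
    if resource_type != "certificate" or not cert_id:
        raise ValueError("not an ACM certificate ARN: " + arn)
    return {"partition": parts[1], "region": parts[3],
            "account": parts[4], "certificate_id": cert_id}


def triage_acm_event(event):
    """Return a finding for one ACM event, or None if the event is not an ACM event."""
    if event.get("source") != "aws.acm" or event.get("detail-type") not in HANDLING:
        return None
    detail_type = event["detail-type"]
    severity, action = HANDLING[detail_type]
    detail = event.get("detail", {})
    finding = {
        "detail_type": detail_type,
        "severity": severity,
        "action": action,
        "common_name": detail.get("CommonName"),
        "in_use": detail.get("InUse"),
        "certificates": [parse_certificate_arn(a) for a in event.get("resources", [])],
    }
    # A certificate within a week of expiry is urgent whatever the event type says
    days = detail.get("DaysToExpiry")
    if days is not None and days <= 7 and severity in ("INFO", "MEDIUM"):
        finding["severity"] = "HIGH"
    # Renewal failures: route by who can fix the reported reason
    if detail_type == "ACM Certificate Renewal Action Required":
        reason = detail.get("RenewalStatusReason", "OTHER")
        finding["reason"] = reason
        if reason in CUSTOMER_FIXABLE:
            finding["owner"] = "domain-owner"
        elif reason.startswith("PCA_"):
            finding["owner"] = "private-ca-admin"
        else:
            finding["owner"] = "acm-support"
    return finding


def triage_batch(events):
    """Triage a list of events; findings are returned most severe first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}
    findings = [f for f in map(triage_acm_event, events) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample events following the structures documented above
SAMPLE_EXPIRING = {
    "version": "0", "id": "id", "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm", "account": "123456789012", "time": "2020-09-30T06:51:08Z",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:123456789012:certificate/61f50cd4-45b9-4259-b049-d0a53682fa4b"],
    "detail": {"DaysToExpiry": 31, "CommonName": "example.com"},
}
SAMPLE_RENEWAL = {
    "version": "0", "id": "id", "detail-type": "ACM Certificate Renewal Action Required",
    "source": "aws.acm", "account": "123456789012", "time": "2019-12-22T18:43:48Z",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:123456789012:certificate/certificate_ID"],
    "detail": {"CertificateType": "AMAZON_ISSUED", "CommonName": "example.com",
               "DomainValidationMethod": "DNS", "RenewalStatusReason": "CAA_ERROR",
               "DaysToExpiry": 3, "InUse": True, "Exported": False},
}
SAMPLE_HEALTH = {"source": "aws.health", "detail-type": "AWS Health Event", "detail": {}}

if __name__ == "__main__":
    for finding in triage_batch([SAMPLE_EXPIRING, SAMPLE_RENEWAL, SAMPLE_HEALTH]):
        print(finding["severity"], finding["detail_type"], finding["common_name"], finding["action"])
```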

## AWS Health events
<a name="health-event"></a>

The AWS Health system generates health events for ACM certificates that are eligible for renewal. For information about renewal eligibility, see [Managed certificate renewal in AWS Certificate Manager](managed-renewal.md).

Health events are generated in two situations:
+ When a public or private certificate is renewed successfully.
+ When a customer must complete an action before renewal can succeed. This can mean clicking a link in an email (for email-validated certificates) or resolving an error. Each event contains one of the following event type codes. The codes are exposed as variables that you can use for filtering.
  + `AWS_ACM_RENEWAL_STATE_CHANGE` (certificate renewed, expired, or about to expire)
  + `CAA_CHECK_FAILURE` (CAA check failed)
  + `AWS_ACM_RENEWAL_FAILURE` (certificate signed by a private CA)

A health event has the following structure. In this example, an `AWS_ACM_RENEWAL_STATE_CHANGE` event was generated.

```
{
   "source":[
      "aws.health"
   ],
   "detail-type":[
      "AWS Health Event"
   ],
   "detail":{
      "service":[
         "ACM"
      ],
      "eventTypeCategory":[
         "scheduledChange"
      ],
      "eventTypeCode":[
         "AWS_ACM_RENEWAL_STATE_CHANGE"
      ]
   }
}
```

# Triggering actions with Amazon EventBridge in ACM
<a name="example-actions"></a>

You can create Amazon EventBridge rules based on these events and use the Amazon EventBridge console to configure the actions that occur when an event is detected. This section provides example procedures for configuring Amazon EventBridge rules and the resulting actions.

**Topics**
+ [Responding to events with Amazon SNS](event-sns-response.md)
+ [Responding to events with a Lambda function](event-lambda-response.md)

# Responding to events with Amazon SNS
<a name="event-sns-response"></a>

This section shows how to configure Amazon SNS to send a text notification whenever ACM generates a health event.

Complete the following procedure to configure the response.

**To create an Amazon EventBridge rule and trigger an action**

1. Create an Amazon EventBridge rule. For more information, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html).

   1. In the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/), navigate to the **Events** > **Rules** page and choose **Create rule**.

   1. On the **Create rule** page, choose **Event Pattern**.

   1. For **Service Name**, choose **Health** from the menu.

   1. For **Event Type**, choose **Specific Health events**.

   1. Choose **Specific service(s)**, then choose **ACM** from the menu.

   1. Choose **Specific event type category(s)**, then choose **accountNotification**.

   1. Choose **Any event type code**.

   1. Choose **Any resource**.

   1. In the **Event Pattern Preview** editor, paste the JSON pattern emitted by the event. This example uses the pattern from the [AWS Health events](supported-events.md#health-event) section.

   ```
   {
      "source":[
         "aws.health"
      ],
      "detail-type":[
         "AWS Health Event"
      ],
      "detail":{
         "service":[
            "ACM"
         ],
         "eventTypeCategory":[
            "scheduledChange"
         ],
         "eventTypeCode":[
            "AWS_ACM_RENEWAL_STATE_CHANGE"
         ]
      }
   }
   ```

1. Configure the action.

   In the **Targets** section, you can choose from many services that can consume your event immediately, such as Amazon Simple Notification Service (SNS), or choose **Lambda function** to pass the event to custom executable code. For an example AWS Lambda implementation, see [Responding to events with a Lambda function](event-lambda-response.md).

# Responding to events with a Lambda function
<a name="event-lambda-response"></a>

This procedure demonstrates how to use AWS Lambda to listen on Amazon EventBridge, create notifications with Amazon Simple Notification Service (SNS), and publish findings to AWS Security Hub CSPM, giving administrators and security teams visibility.<a name="lambda-setup"></a>

**To set up a Lambda function and IAM role**

1. Start by configuring an AWS Identity and Access Management (IAM) role and defining the permissions the Lambda function needs. This security best practice gives you flexibility in designating who is authorized to run the function and limits the permissions granted to that user. Running most AWS operations directly under a user account, and especially under an administrator account, is not recommended.

   Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Use the JSON policy editor to create the policy defined in the following template. Provide your own region and AWS account details. For more information, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor).


   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Sid": "LambdaCertificateExpiryPolicy1",
               "Effect": "Allow",
               "Action": "logs:CreateLogGroup",
               "Resource": "arn:aws:logs:us-east-1:123456789012:*"
           },
           {
               "Sid": "LambdaCertificateExpiryPolicy2",
               "Effect": "Allow",
               "Action": [
                   "logs:CreateLogStream",
                   "logs:PutLogEvents"
               ],
               "Resource": [
                   "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/handle-expiring-certificates:*"
               ]
           },
           {
               "Sid": "LambdaCertificateExpiryPolicy3",
               "Effect": "Allow",
               "Action": [
                   "acm:DescribeCertificate",
                   "acm:GetCertificate",
                   "acm:ListCertificates",
                   "acm:ListTagsForCertificate"
               ],
               "Resource": "*"
           },
           {
               "Sid": "LambdaCertificateExpiryPolicy4",
               "Effect": "Allow",
               "Action": "SNS:Publish",
               "Resource": "*"
           },
           {
               "Sid": "LambdaCertificateExpiryPolicy5",
               "Effect": "Allow",
               "Action": [
                   "SecurityHub:BatchImportFindings",
                   "SecurityHub:BatchUpdateFindings",
                   "SecurityHub:DescribeHub"
               ],
               "Resource": "*"
           },
           {
               "Sid": "LambdaCertificateExpiryPolicy6",
               "Effect": "Allow",
               "Action": "cloudwatch:ListMetrics",
               "Resource": "*"
           }
       ]
   }
   ```


1. Create an IAM role and attach the new policy to it. For information about creating an IAM role and attaching a policy, see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console).

1. Open the AWS Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/).

1. Create the Lambda function. For more information, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html). Complete the following steps:

   1. On the **Create function** page, choose the **Author from scratch** option to create the function.

   1. In the **Function name** field, specify a name such as "handle-expiring-certificates".

   1. In the **Runtime** list, choose "Python 3.8".

   1. Expand **Change default execution role**, then choose **Use an existing role**.

   1. From the **Existing role** list, choose the role you created earlier.

   1. Choose **Create function**.

   1. Under **Function code**, insert the following code.

      ```
      # Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
      # SPDX-License-Identifier: MIT-0
      #
      # Permission is hereby granted, free of charge, to any person obtaining a copy of this
      # software and associated documentation files (the "Software"), to deal in the Software
      # without restriction, including without limitation the rights to use, copy, modify,
      # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
      # permit persons to whom the Software is furnished to do so.
      #
      # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
      # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
      # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
      # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
      # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
      # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
      
      import json
      import boto3
      import os
      from datetime import datetime, timedelta, timezone
      # -------------------------------------------
      # setup global data
      # -------------------------------------------
      utc = timezone.utc
      # make today timezone aware (UTC, so the comparison with NotAfter below is valid)
      today = datetime.now(utc)
      # set up time window for alert - default to 45 days if EXPIRY_DAYS is missing
      expiry_days = int(os.environ.get('EXPIRY_DAYS', 45))
      expiry_window = today + timedelta(days=expiry_days)
      def lambda_handler(event, context):
          # only the ACM expiry event is handled; report anything else instead of failing
          response = 'Unhandled event type: ' + str(event.get('detail-type'))
          # if this is coming from the ACM event, its for a single certificate
          if event.get('detail-type') == "ACM Certificate Approaching Expiration":
              response = handle_single_cert(event, context.invoked_function_arn)
          return {
              'statusCode': 200,
              'body': response
          }
      def handle_single_cert(event, context_arn):
          cert_client = boto3.client('acm')
          cert_details = cert_client.describe_certificate(CertificateArn=event['resources'][0])
          result = 'The following certificate is expiring within ' + str(expiry_days) + ' days: ' + cert_details['Certificate']['DomainName']
          # check the expiry window before logging to Security Hub and sending an SNS
          if cert_details['Certificate']['NotAfter'] < expiry_window:
              # This call is the text going into the SNS notification
              result = result + ' (' + cert_details['Certificate']['CertificateArn'] + ') '
              # this call is publishing to SH
              result = result + ' - ' + log_finding_to_sh(event, cert_details, context_arn)
              # if there's an SNS topic, publish a notification to it
              if os.environ.get('SNS_TOPIC_ARN') is None:
                  response = result
              else:
                  sns_client = boto3.client('sns')
                  response = sns_client.publish(TopicArn=os.environ['SNS_TOPIC_ARN'], Message=result, Subject='Certificate Expiration Notification')
          return result
      def log_finding_to_sh(event, cert_details, context_arn):
          # setup for security hub
          sh_region = get_sh_region(event['region'])
          sh_hub_arn = "arn:aws:securityhub:{0}:{1}:hub/default".format(sh_region, event['account'])
          sh_product_arn = "arn:aws:securityhub:{0}:{1}:product/{1}/default".format(sh_region, event['account'])
          # check if security hub is enabled, and if the hub arn exists
          sh_client = boto3.client('securityhub', region_name = sh_region)
          try:
              sh_enabled = sh_client.describe_hub(HubArn = sh_hub_arn)
          # the previous command throws an error indicating the hub doesn't exist or lambda doesn't have rights to it so we'll stop attempting to use it
          except Exception as error:
              sh_enabled = None
              print ('Default Security Hub product doesn\'t exist')
              response = 'Security Hub disabled'
          # This is used to generate the URL to the cert in the Security Hub Findings to link directly to it
          cert_id = right(cert_details['Certificate']['CertificateArn'], 36)
          if sh_enabled:
              # set up a new findings list
              new_findings = []
              # add expiring certificate to the new findings list
              new_findings.append({
                  "SchemaVersion": "2018-10-08",
                  "Id": cert_id,
                  "ProductArn": sh_product_arn,
                  "GeneratorId": context_arn,
                  "AwsAccountId": event['account'],
                  "Types": [
                      "Software and Configuration Checks/AWS Config Analysis"
                  ],
                  "CreatedAt": event['time'],
                  "UpdatedAt": event['time'],
                  "Severity": {
                      "Original": '89.0',
                      "Label": 'HIGH'
                  },
                  "Title": 'Certificate expiration',
                  "Description": 'cert expiry',
                  'Remediation': {
                      'Recommendation': {
                          'Text': 'A new certificate for ' + cert_details['Certificate']['DomainName'] + ' should be imported to replace the existing imported certificate before expiration',
                          'Url': "https://console.aws.amazon.com/acm/home?region=" + event['region'] + "#/?id=" + cert_id
                      }
                  },
                  'Resources': [
                      {
                          'Id': event['id'],
                          'Type': 'ACM Certificate',
                          'Partition': 'aws',
                          'Region': event['region']
                      }
                  ],
                  'Compliance': {'Status': 'WARNING'}
              })
              # push any new findings to security hub
              if new_findings:
                  try:
                      response = sh_client.batch_import_findings(Findings=new_findings)
                      if response['FailedCount'] > 0:
                          print("Failed to import {} findings".format(response['FailedCount']))
                  except Exception as error:
                      print("Error: ", error)
                      raise
          return json.dumps(response)
      # function to setup the sh region    
      def get_sh_region(event_region):
          # security hub findings may need to go to a different region so set that here
          if os.environ.get('SECURITY_HUB_REGION') is None:
              sh_region_local = event_region
          else:
              sh_region_local = os.environ['SECURITY_HUB_REGION']
          return sh_region_local
      # quick function to trim off right side of a string
      def right(value, count):
          # To get right part of string, use negative first index in slice.
          return value[-count:]
      ```

   1. Under **Environment variables**, choose **Edit** and optionally add the following variables.
      + (Optional) EXPIRY_DAYS

        Specifies the lead time, in days, before a certificate expiration notification is sent. The function defaults to 45 days, but you can specify a custom value.
      + (Optional) SNS_TOPIC_ARN

        Specifies the ARN of the Amazon SNS topic. Provide the full ARN in the format arn:aws:sns:*<region>*:*<account-number>*:*<topic-name>*.
      + (Optional) SECURITY_HUB_REGION

        Specifies a different region for AWS Security Hub CSPM. If not specified, the region of the running Lambda function is used. If the function runs in multiple regions, you may want to send all certificate messages to Security Hub CSPM in a single region.

   1. Under **Basic settings**, set **Timeout** to 30 seconds.

   1. At the top of the page, choose **Deploy**.
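The policy in step 2 grants `SNS:Publish` and the Security Hub actions on `"Resource": "*"`, which is wider than this function needs once the topic is known. As an added example (not part of this guide), the following Python audit flags Allow statements that combine a state-changing action with a wildcard resource, and produces a copy of the policy with `SNS:Publish` scoped to the one topic the function publishes to. `LAMBDA_POLICY` is a condensed copy of statements 3 to 6 of the page's policy (the two CloudWatch Logs statements already name a resource and are omitted); the topic ARN is constructed.

```python
# Added example: audit the Lambda execution policy for wildcard write grants.
# LAMBDA_POLICY is a condensed copy of the policy in step 2 (statements 3 to 6);
# the topic ARN used in the demo is constructed.
import copy

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LambdaCertificateExpiryPolicy3", "Effect": "Allow",
         "Action": ["acm:DescribeCertificate", "acm:GetCertificate",
                    "acm:ListCertificates", "acm:ListTagsForCertificate"],
         "Resource": "*"},
        {"Sid": "LambdaCertificateExpiryPolicy4", "Effect": "Allow",
         "Action": "SNS:Publish", "Resource": "*"},
        {"Sid": "LambdaCertificateExpiryPolicy5", "Effect": "Allow",
         "Action": ["SecurityHub:BatchImportFindings", "SecurityHub:BatchUpdateFindings",
                    "SecurityHub:DescribeHub"],
         "Resource": "*"},
        {"Sid": "LambdaCertificateExpiryPolicy6", "Effect": "Allow",
         "Action": "cloudwatch:ListMetrics", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Classify an action by its verb: Describe*/Get*/List* do not change state."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def wildcard_write_statements(policy):
    """Sids of Allow statements that grant a state-changing action on Resource "*"."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if any(not is_read_only(a) for a in _as_list(stmt.get("Action"))):
            flagged.append(stmt.get("Sid"))
    return flagged


def scope_sns_publish(policy, topic_arn):
    """Copy of the policy with statements granting only SNS:Publish limited to topic_arn.

    Statements that mix SNS:Publish with other actions are left alone, because
    narrowing their Resource would also narrow the other actions."""
    if not topic_arn.startswith("arn:aws:sns:"):
        raise ValueError("expected an SNS topic ARN, got " + topic_arn)
    scoped = copy.deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if actions == ["sns:publish"]:
            stmt["Resource"] = topic_arn
    return scoped


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:123456789012:certificate-expiry"   # constructed
    print("before:", wildcard_write_statements(LAMBDA_POLICY))
    print("after: ", wildcard_write_statements(scope_sns_publish(LAMBDA_POLICY, topic)))
```

The Security Hub statement stays flagged for human review; whether it can be narrowed depends on that service's resource-level permission support, which this example does not assume.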

Complete the tasks in the following procedure to start using this solution.

**To automate expiration email notifications**

In this example, we send one email for each expiring certificate when an event is raised through Amazon EventBridge. By default, ACM raises an event each day for certificates that are 45 days or fewer from expiration. (This period can be customized using the [PutAccountConfiguration](https://docs.aws.amazon.com/acm/latest/APIReference/API_PutAccountConfiguration.html) operation of the ACM API.) Each of these events triggers the following cascade of automated actions:

```
ACM raises Amazon EventBridge event →

          Event matches Amazon EventBridge rule →

                    Rule calls Lambda function →

                              Function sends SNS email and logs a Finding in Security Hub CSPM
```

1. Create the Lambda function and configure permissions. (Completed; see [Setting up a Lambda function and IAM role](#lambda-setup).)

1. Create a *standard* SNS topic for the Lambda function to use for sending notifications. For more information, see [Creating an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html).

1. Subscribe anyone who is interested to the new SNS topic. For more information, see [Subscribing to an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html).

1. Create an Amazon EventBridge rule to trigger the Lambda function. For more information, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html).

   In the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/), navigate to the **Events** > **Rules** page and choose **Create rule**. Specify the **Service Name**, **Event Type**, and **Lambda function**. In the **Event Pattern Preview** editor, paste the following code:

   ```
   {
     "source": [
       "aws.acm"
     ],
     "detail-type": [
       "ACM Certificate Approaching Expiration"
     ]
   }
   ```

   Under **Show sample event(s)**, an event like the following is displayed, as Lambda receives it:

   ```
   {
     "version": "0",
     "id": "9c95e8e4-96a4-ef3f-b739-b6aa5b193afb",
     "detail-type": "ACM Certificate Approaching Expiration",
     "source": "aws.acm",
     "account": "123456789012",
     "time": "2020-09-30T06:51:08Z",
     "region": "us-east-1",
     "resources": [
       "arn:aws:acm:us-east-1:123456789012:certificate/61f50cd4-45b9-4259-b049-d0a53682fa4b"
     ],
     "detail": {
       "DaysToExpiry": 31,
       "CommonName": "My Awesome Service"
     }
   }
   ```

**Cleaning up**

Once you no longer need the example configuration, or any configuration, it is a best practice to remove all traces of it to avoid security problems and unexpected charges later:
+ IAM policy and role
+ Lambda function
+ CloudWatch Events rule
+ CloudWatch logs associated with Lambda
+ SNS topic

# Using CloudTrail with AWS Certificate Manager
<a name="cloudtrail"></a>

AWS Certificate Manager is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in ACM. CloudTrail is enabled on your AWS account by default. CloudTrail captures API calls for ACM as events, including calls from the ACM console and code calls to the ACM API operations. If you configure a *trail*, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for ACM. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**.

Using the information collected by CloudTrail, you can determine the request that was made to ACM, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Viewing CloudTrail events with event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). When supported event activity occurs in ACM, that activity is recorded in **Event history** along with other AWS service CloudTrail events. You can view, search, and download recent events in your AWS account.

In addition, you can configure other AWS services to further analyze and act on the event data collected in CloudTrail logs.

For more information about CloudTrail, see the following documentation:
+ [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

**Topics**
+ [ACM API operations supported in CloudTrail logging](acm-supported-actions-in-cloudtrail.md)
+ [Logging API calls for integrated services](ct-related.md)

# ACM API operations supported in CloudTrail logging
<a name="acm-supported-actions-in-cloudtrail"></a>

ACM supports logging the following operations as events in CloudTrail log files:

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with AWS account root user or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

The following sections provide example logs for the supported API operations.
+ [Adding tags to a certificate ([AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html))](#ct-acm-addtags)
+ [Deleting a certificate ([DeleteCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DeleteCertificate.html))](#ct-acm-delete)
+ [Describing a certificate ([DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html))](#ct-acm-describe)
+ [Exporting a certificate ([ExportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExportCertificate.html))](#ct-acm-export)
+ [Importing a certificate ([ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html))](#ct-acm-import)
+ [Listing certificates ([ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html))](#ct-acm-list)
+ [Listing tags for a certificate ([ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html))](#ct-acm-listtags)
+ [Removing tags from a certificate ([RemoveTagsFromCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RemoveTagsFromCertificate.html))](#ct-acm-removetag)
+ [Requesting a certificate ([RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html))](#ct-acm-request)
+ [Resending a validation email ([ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html))](#ct-acm-resendmail)
+ [Retrieving a certificate ([GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html))](#ct-acm-get)

## Adding tags to a certificate ([AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html))
<a name="ct-acm-addtags"></a>

The following CloudTrail example shows the results of a call to the [AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html) API.

```
{

   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-04-06T13:53:53Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"AddTagsToCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.10.16",
         "requestParameters":{
            "tags":[
               {
                  "value":"Alice",
                  "key":"Admin"
               }
            ],
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
         },
         "responseElements":null,
         "requestID":"fedcba98-7654-3210-fedc-ba9876543210",
         "eventID":"fedcba98-7654-3210-fedc-ba9876543210",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Deleting a certificate ([DeleteCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DeleteCertificate.html))
<a name="ct-acm-delete"></a>

The following CloudTrail example shows the results of a call to the [DeleteCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DeleteCertificate.html) API.

```
{

   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-03-18T00:00:26Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"DeleteCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.9.15",
         "requestParameters":{
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
         },
         "responseElements":null,
         "requestID":"01234567-89ab-cdef-0123-456789abcdef",
         "eventID":"01234567-89ab-cdef-0123-456789abcdef",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Describing a certificate ([DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html))
<a name="ct-acm-describe"></a>

The following CloudTrail example shows the results of a call to the [DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html) API.

**Note**  
The CloudTrail log for the `DescribeCertificate` operation does not show information about the ACM certificate you specified. You can view information about the certificate by using the console, the AWS Command Line Interface, or the [DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-03-18T00:00:42Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"DescribeCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.9.15",
         "requestParameters":{
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
         },
         "responseElements":null,
         "requestID":"fedcba98-7654-3210-fedc-ba9876543210",
         "eventID":"fedcba98-7654-3210-fedc-ba9876543210",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Exporting a certificate ([ExportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExportCertificate.html))
<a name="ct-acm-export"></a>

The following CloudTrail example shows the results of a call to the [ExportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExportCertificate.html) API.

```
{
   "Records":[
      {
         "version":"0",
         "id":"01234567-89ab-cdef-0123-456789abcdef",
         "detail-type":"AWS API Call via CloudTrail",
         "source":"aws.acm",
         "account":"123456789012",
         "time":"2018-05-24T15:28:11Z",
         "region":"us-east-1",
         "resources":[],
         "detail":{
            "eventVersion":"1.04",
            "userIdentity":{
               "type":"Root",
               "principalId":"123456789012",
               "arn":"arn:aws:iam::123456789012:user/Alice",
               "accountId":"123456789012",
               "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
               "userName":"Alice"
            },
            "eventTime":"2018-05-24T15:28:11Z",
            "eventSource":"acm.amazonaws.com",
            "eventName":"ExportCertificate",
            "awsRegion":"us-east-1",
            "sourceIPAddress":"192.0.2.0",
            "userAgent":"aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4",
            "requestParameters":{
               "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
               "passphrase":"HIDDEN_DUE_TO_SECURITY_REASONS"
            },
            "responseElements":{
               "certificateChain":
               "-----BEGIN CERTIFICATE-----
               base64 certificate
               -----END CERTIFICATE-----
               -----BEGIN CERTIFICATE-----
               base64 certificate
               -----END CERTIFICATE-----",
               "privateKey":"**********",
               "certificate":
               "-----BEGIN CERTIFICATE-----
               base64 certificate
               -----END CERTIFICATE-----",
               "privateKey":"HIDDEN_DUE_TO_SECURITY_REASONS"
            },
            "requestID":"01234567-89ab-cdef-0123-456789abcdef",
            "eventID":"fedcba98-7654-3210-fedc-ba9876543210",
            "readOnly":false,
            "eventType":"AwsApiCall",
            "managementEvent":true,
            "recipientAccountId":"123456789012",
            "eventCategory":"Management",
            "tlsDetails":{
               "tlsVersion":"TLSv1.3",
               "cipherSuite":"TLS_AES_128_GCM_SHA256",
               "clientProvidedHostHeader":"acm.us-east-1.amazonaws.com"
            },
            "sessionCredentialFromConsole":"true"
         }
      }
   ]
}
```

## Importing a certificate ([ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html))
<a name="ct-acm-import"></a>

The following example shows a CloudTrail log entry that records a call to the ACM [ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html) API operation.

```
{
   "eventVersion":"1.04",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"AIDACKCEVSQ6C2EXAMPLE",
      "arn":"arn:aws:iam::111122223333:user/Alice",
      "accountId":"111122223333",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
      "userName":"Alice"
   },
   "eventTime":"2016-10-04T16:01:30Z",
   "eventSource":"acm.amazonaws.com",
   "eventName":"ImportCertificate",
   "awsRegion":"ap-southeast-2",
   "sourceIPAddress":"54.240.193.129",
   "userAgent":"Coral/Netty",
   "requestParameters":{
      "privateKey":{
         "hb":[
            "byte",
            "byte",
            "byte",
            "..."
         ],
         "offset":0,
         "isReadOnly":false,
         "bigEndian":true,
         "nativeByteOrder":false,
         "mark":-1,
         "position":0,
         "limit":1674,
         "capacity":1674,
         "address":0
      },
      "certificateChain":{
         "hb":[
            "byte",
            "byte",
            "byte",
            "..."
         ],
         "offset":0,
         "isReadOnly":false,
         "bigEndian":true,
         "nativeByteOrder":false,
         "mark":-1,
         "position":0,
         "limit":2105,
         "capacity":2105,
         "address":0
      },
      "certificate":{
         "hb":[
            "byte",
            "byte",
            "byte",
            "..."
         ],
         "offset":0,
         "isReadOnly":false,
         "bigEndian":true,
         "nativeByteOrder":false,
         "mark":-1,
         "position":0,
         "limit":2503,
         "capacity":2503,
         "address":0
      }
   },
   "responseElements":{
      "certificateArn":"arn:aws:acm:ap-southeast-2:111122223333:certificate/01234567-89ab-cdef-0123-456789abcdef"
   },
   "requestID":"01234567-89ab-cdef-0123-456789abcdef",
   "eventID":"01234567-89ab-cdef-0123-456789abcdef",
   "eventType":"AwsApiCall",
   "recipientAccountId":"111122223333"
}
```

## Listing certificates ([ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html))
<a name="ct-acm-list"></a>

The following CloudTrail example shows the results of a call to the [ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html) API.

**Note**  
The CloudTrail log for the `ListCertificates` action does not display your ACM certificates. You can view the list of certificates by using the console, the AWS Command Line Interface, or the [ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-03-18T00:00:43Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"ListCertificates",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.9.15",
         "requestParameters":{
            "maxItems":1000,
            "certificateStatuses":[
               "ISSUED"
            ]
         },
         "responseElements":null,
         "requestID":"74c99844-ec9c-11e5-ac34-d1e4dfe1a11b",
         "eventID":"cdfe1051-88aa-4aa3-8c33-a325270bff21",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Listing tags for a certificate ([ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html))
<a name="ct-acm-listtags"></a>

The following CloudTrail example shows the results of a call to the [ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html) API.

**Note**  
The CloudTrail log for the `ListTagsForCertificate` action does not display your tags. You can view the list of tags by using the console, the AWS Command Line Interface, or the [ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-04-06T13:30:11Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"ListTagsForCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.10.16",
         "requestParameters":{
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
         },
         "responseElements":null,
         "requestID":"b010767f-fbfb-11e5-b596-79e9a97a2544",
         "eventID":"32181be6-a4a0-48d3-8014-c0d972b5163b",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Removing tags from a certificate ([RemoveTagsFromCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RemoveTagsFromCertificate.html))
<a name="ct-acm-removetag"></a>

The following CloudTrail example shows the results of a call to the [RemoveTagsFromCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RemoveTagsFromCertificate.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-04-06T14:10:01Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"RemoveTagsFromCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.10.16",
         "requestParameters":{
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
            "tags":[
               {
                  "value":"Bob",
                  "key":"Admin"
               }
            ]
         },
         "responseElements":null,
         "requestID":"40ded461-fc01-11e5-a747-85804766d6c9",
         "eventID":"0cfa142e-ef74-4b21-9515-47197780c424",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Requesting a certificate ([RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html))
<a name="ct-acm-request"></a>

The following CloudTrail example shows the results of a call to the [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-03-18T00:00:49Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"RequestCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.9.15",
         "requestParameters":{
            "domainName":"example.com",
            "validationMethod": "DNS",
            "idempotencyToken":"8186023d89681c3ad5",
            "options": {
               "export": "ENABLED"
            },
            "keyAlgorithm": "RSA_2048"
         },
         "responseElements":{
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
         },
         "requestID":"77dacef3-ec9c-11e5-ac34-d1e4dfe1a11b",
         "eventID":"a4954cdb-8f38-44c7-8927-a38ad4be3ac8",
         "eventType":"AwsApiCall",
         "tlsDetails": {
           "tlsVersion": "TLSv1.3",
           "cipherSuite": "TLS_AES_128_GCM_SHA256",
           "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
          },
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Revoking a certificate ([RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html))
<a name="ct-acm-revoke"></a>

The following CloudTrail example shows the results of a call to the [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) API.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name",
        "arn": "arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/Admin",
                "accountId": "123456789012",
                "userName": "Admin"
            },
            "attributes": {
                "creationDate": "2016-01-01T19:35:52Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime":"2016-01-01T21:11:45Z",
    "eventSource": "acm.amazonaws.com",
    "eventName": "RevokeCertificate",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "requestParameters": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
        "revocationReason": "UNSPECIFIED"
    },
    "responseElements": {
        "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
    },
    "requestID": "01234567-89ab-cdef-0123-456789abcdef",
    "eventID": "01234567-89ab-cdef-0123-456789abcdef",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
```

## Resending a validation email ([ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html))
<a name="ct-acm-resendmail"></a>

The following CloudTrail example shows the results of a call to the [ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-03-17T23:58:25Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"ResendValidationEmail",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.9.15",
         "requestParameters":{
            "domain":"example.com",
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
            "validationDomain":"example.com"
         },
         "responseElements":null,
         "requestID":"23760b88-ec9c-11e5-b6f4-cb861a6f0a28",
         "eventID":"41c11b06-ca91-4c1c-8c61-af349ea8bab8",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

## Retrieving a certificate ([GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html))
<a name="ct-acm-get"></a>

The following CloudTrail example shows the results of a call to the [GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html) API.

```
{
   "Records":[
      {
         "eventVersion":"1.04",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::123456789012:user/Alice",
            "accountId":"123456789012",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"Alice"
         },
         "eventTime":"2016-03-18T00:00:41Z",
         "eventSource":"acm.amazonaws.com",
         "eventName":"GetCertificate",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"192.0.2.0",
         "userAgent":"aws-cli/1.9.15",
         "requestParameters":{
            "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
         },
         "responseElements":{
            "certificateChain":
            "-----BEGIN CERTIFICATE-----
            Base64-encoded certificate chain
            -----END CERTIFICATE-----",
            "certificate":
            "-----BEGIN CERTIFICATE-----
            Base64-encoded certificate
            -----END CERTIFICATE-----"
         },
         "requestID":"744dd891-ec9c-11e5-ac34-d1e4dfe1a11b",
         "eventID":"7aa4f909-00dd-478a-9a00-b2709bcad2bb",
         "eventType":"AwsApiCall",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

# Logging API calls for integrated services
<a name="ct-related"></a>

You can use CloudTrail to audit API calls made by services that are integrated with ACM. For more information about using CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html). The following examples show the types of logs that can be generated, depending on the AWS resource on which you provision the ACM certificate.

**Topics**
+ [Creating a load balancer](#ct-related-lb)
+ [Registering an Amazon EC2 instance with a load balancer](#ct-related-ec2)
+ [Encrypting a private key](#ct-related-encrypt)
+ [Decrypting a private key](#ct-related-decrypt)

### Creating a load balancer
<a name="ct-related-lb"></a>

The following example shows a call to the `CreateLoadBalancer` function by an IAM user named Alice. The name of the load balancer is `TestLinuxDefault`, and the listener is created using an ACM certificate.

```
{
   "eventVersion":"1.03",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"AIDACKCEVSQ6C2EXAMPLE",
      "arn":"arn:aws:iam::111122223333:user/Alice",
      "accountId":"111122223333",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
      "userName":"Alice"
   },
   "eventTime":"2016-01-01T21:10:36Z",
   "eventSource":"elasticloadbalancing.amazonaws.com",
   "eventName":"CreateLoadBalancer",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"192.0.2.0/24",
   "userAgent":"aws-cli/1.9.15",
   "requestParameters":{
      "availabilityZones":[
         "us-east-1b"
      ],
      "loadBalancerName":"LinuxTest",
      "listeners":[
         {
            "sSLCertificateId":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012",
            "protocol":"HTTPS",
            "loadBalancerPort":443,
            "instanceProtocol":"HTTP",
            "instancePort":80
         }
      ]
   },
   "responseElements":{
      "dNSName":"LinuxTest-1234567890.us-east-1.elb.amazonaws.com"
   },
   "requestID":"19669c3b-b0cc-11e5-85b2-57397210a2e5",
   "eventID":"5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7",
   "eventType":"AwsApiCall",
   "recipientAccountId":"111122223333"
}
```

### Registering an Amazon EC2 instance with a load balancer
<a name="ct-related-ec2"></a>

When you provision your website or application on an Amazon Elastic Compute Cloud (Amazon EC2) instance, the load balancer must be made aware of that instance. This can be done through the Elastic Load Balancing console or the AWS Command Line Interface. The following example shows a call to `RegisterInstancesWithLoadBalancer` for a load balancer named LinuxTest on AWS account 123456789012.

```
{
   "eventVersion":"1.03",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"AIDACKCEVSQ6C2EXAMPLE",
      "arn":"arn:aws:iam::123456789012:user/Alice",
      "accountId":"123456789012",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
      "userName":"Alice",
      "sessionContext":{
         "attributes":{
            "mfaAuthenticated":"false",
            "creationDate":"2016-01-01T19:35:52Z"
         }
      },
      "invokedBy":"signin.amazonaws.com"
   },
   "eventTime":"2016-01-01T21:11:45Z",
   "eventSource":"elasticloadbalancing.amazonaws.com",
   "eventName":"RegisterInstancesWithLoadBalancer",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"192.0.2.0/24",
   "userAgent":"signin.amazonaws.com",
   "requestParameters":{
      "loadBalancerName":"LinuxTest",
      "instances":[
         {
            "instanceId":"i-c67f4e78"
         }
      ]
   },
   "responseElements":{
      "instances":[
         {
            "instanceId":"i-c67f4e78"
         }
      ]
   },
   "requestID":"438b07dc-b0cc-11e5-8afb-cda7ba020551",
   "eventID":"9f284ca6-cbe5-42a1-8251-4f0e6b5739d6",
   "eventType":"AwsApiCall",
   "recipientAccountId":"123456789012"
}
```

### Encrypting a private key
<a name="ct-related-encrypt"></a>

The following example shows an `Encrypt` call that encrypts the private key associated with an ACM certificate. The encryption is performed within AWS.

```
{
   "Records":[
      {
         "eventVersion":"1.03",
         "userIdentity":{
            "type":"IAMUser",
            "principalId":"AIDACKCEVSQ6C2EXAMPLE",
            "arn":"arn:aws:iam::111122223333:user/acm",
            "accountId":"111122223333",
            "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
            "userName":"acm"
         },
         "eventTime":"2016-01-05T18:36:29Z",
         "eventSource":"kms.amazonaws.com",
         "eventName":"Encrypt",
         "awsRegion":"us-east-1",
         "sourceIPAddress":"AWS Internal",
         "userAgent":"aws-internal",
         "requestParameters":{
            "keyId":"arn:aws:kms:us-east-1:123456789012:alias/aws/acm",
            "encryptionContext":{
               "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
            }
         },
         "responseElements":null,
         "requestID":"3c417351-b3db-11e5-9a24-7d9457362fcc",
         "eventID":"1794fe70-796a-45f5-811b-6584948f24ac",
         "readOnly":true,
         "resources":[
            {
               "ARN":"arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321",
               "accountId":"123456789012"
            }
         ],
         "eventType":"AwsServiceEvent",
         "recipientAccountId":"123456789012"
      }
   ]
}
```

### Decrypting a private key
<a name="ct-related-decrypt"></a>

The following example shows a `Decrypt` call that decrypts the private key associated with an ACM certificate. The decryption is performed within AWS, and the decrypted key never leaves AWS.

```
{
   "eventVersion":"1.03",
   "userIdentity":{
      "type":"AssumedRole",
      "principalId":"AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff",
      "arn":"arn:aws:sts::111122223333:assumed-role/DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff",
      "accountId":"111122223333",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
      "sessionContext":{
         "attributes":{
            "mfaAuthenticated":"false",
            "creationDate":"2016-01-01T21:13:28Z"
         },
         "sessionIssuer":{
            "type":"Role",
            "principalId":"APKAEIBAERJR2EXAMPLE",
            "arn":"arn:aws:iam::111122223333:role/DecryptACMCertificate",
            "accountId":"111122223333",
            "userName":"DecryptACMCertificate"
         }
      }
   },
   "eventTime":"2016-01-01T21:13:28Z",
   "eventSource":"kms.amazonaws.com",
   "eventName":"Decrypt",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"AWS Internal",
   "userAgent":"aws-internal/3",
   "requestParameters":{
      "encryptionContext":{
         "aws:elasticloadbalancing:arn":"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest",
         "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321"
      }
   },
   "responseElements":null,
   "requestID":"809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a",
   "eventID":"7f89f7a7-baff-4802-8a88-851488607fb9",
   "readOnly":true,
   "resources":[
      {
         "ARN":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
         "accountId":"123456789012"
      }
   ],
   "eventType":"AwsServiceEvent",
   "recipientAccountId":"123456789012"
}
```
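The records on this page arrive in three wrapper shapes (a bare record, an S3-delivered `{"Records": [...]}` batch, and an EventBridge envelope whose CloudTrail payload sits under `detail`, as in the ExportCertificate example above), and two of them carry the facts a defender cares about: which ACM operations were called by whom, and, from the KMS `Decrypt` encryption context, which resource used which certificate's private key. The following added example (written for this page, not ACM's or CloudTrail's own code) normalizes all three shapes, flags the ACM operations listed in `HIGH_RISK_ACM_EVENTS` (an assumed watchlist to tune per environment) together with root, console and non-MFA session indicators, and maps each certificate ARN to the consumers recorded in the `aws:acm:arn` encryption context. The sample records, event IDs and helper names (`iter_records`, `triage_acm_record`, `private_key_consumers`, `audit`) are constructed for the example.

```python
import json
from typing import Any, Dict, Iterator, List, Set

# Assumed watchlist of ACM operations worth an alert; tune per environment.
HIGH_RISK_ACM_EVENTS = {
    "ExportCertificate",  # private key material leaves ACM
    "ImportCertificate",  # externally generated key material enters the account
    "RevokeCertificate",
    "DeleteCertificate",
}


def iter_records(payload: Any) -> Iterator[Dict[str, Any]]:
    """Yield individual CloudTrail records from any wrapper shape shown on this page."""
    if isinstance(payload, str):
        payload = json.loads(payload)
    if isinstance(payload, list):
        for item in payload:
            yield from iter_records(item)
    elif isinstance(payload, dict):
        if "Records" in payload:                       # S3-delivered log file batch
            yield from iter_records(payload["Records"])
        elif "eventName" in payload:                   # bare CloudTrail record
            yield payload
        elif isinstance(payload.get("detail"), dict):  # EventBridge envelope
            yield from iter_records(payload["detail"])


def triage_acm_record(rec: Dict[str, Any]) -> List[str]:
    """Return the reasons an ACM record deserves review (empty list = nothing notable)."""
    if rec.get("eventSource") != "acm.amazonaws.com":
        return []
    reasons: List[str] = []
    name = rec.get("eventName", "")
    ident = rec.get("userIdentity", {})
    if name in HIGH_RISK_ACM_EVENTS:
        reasons.append(f"high-risk operation {name}")
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        if attrs.get("mfaAuthenticated") == "false":
            reasons.append("session not MFA-authenticated")
        if rec.get("sessionCredentialFromConsole") == "true":
            reasons.append("issued from a console session")
    if ident.get("type") == "Root":
        reasons.append("performed with root credentials")
    return reasons


def private_key_consumers(payload: Any) -> Dict[str, Set[str]]:
    """Map each certificate ARN to the resources that decrypted its private key via KMS.

    ACM puts the certificate ARN into the KMS encryption context as aws:acm:arn; any
    other context value (e.g. aws:elasticloadbalancing:arn) names the consuming resource.
    """
    consumers: Dict[str, Set[str]] = {}
    for rec in iter_records(payload):
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        ctx = rec.get("requestParameters", {}).get("encryptionContext", {})
        cert = ctx.get("aws:acm:arn")
        if not cert:
            continue
        consumers.setdefault(cert, set()).update(v for k, v in ctx.items() if k != "aws:acm:arn")
    return consumers


def audit(payload: Any) -> Dict[str, List[str]]:
    """Return {eventID: reasons} for every ACM record that needs a look."""
    return {rec.get("eventID", "<no eventID>"): reasons
            for rec in iter_records(payload)
            if (reasons := triage_acm_record(rec))}


# Constructed sample input modelled on the records shown on this page (not real log data).
CERT = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
ELB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest"


def _rec(name: str, source: str, ident: Dict[str, Any], eid: str, **extra: Any) -> Dict[str, Any]:
    rec = {"eventVersion": "1.04", "userIdentity": ident, "eventSource": source,
           "eventName": name, "eventID": eid, "requestParameters": {"certificateArn": CERT}}
    rec.update(extra)
    return rec


SAMPLE_INPUT = [
    # EventBridge-wrapped export performed by the root user from the console
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.acm",
     "detail": _rec("ExportCertificate", "acm.amazonaws.com", {"type": "Root"}, "evt-export",
                    sessionCredentialFromConsole="true")},
    {"Records": [
        _rec("ListCertificates", "acm.amazonaws.com", {"type": "IAMUser"}, "evt-list"),
        _rec("RevokeCertificate", "acm.amazonaws.com",
             {"type": "AssumedRole", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
             "evt-revoke"),
        _rec("Decrypt", "kms.amazonaws.com", {"type": "AssumedRole"}, "evt-decrypt",
             requestParameters={"encryptionContext": {"aws:acm:arn": CERT,
                                                      "aws:elasticloadbalancing:arn": ELB}}),
    ]},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INPUT), indent=2))
    print({cert: sorted(users) for cert, users in private_key_consumers(SAMPLE_INPUT).items()})
```

Feed `audit` the parsed contents of a CloudTrail log file or an EventBridge rule's payload; read-only calls such as `ListCertificates` produce no finding, while an `ExportCertificate` or `RevokeCertificate` is reported with the session indicators present in the record. `private_key_consumers` gives the inventory of which load balancers (or other integrated resources) actually used each certificate's key, which is the record to reconcile against your expected deployments.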

# Supported CloudWatch metrics
<a name="cloudwatch-metrics"></a>

Amazon CloudWatch is a monitoring service for AWS resources. You can use CloudWatch to collect and track metrics, set alarms, and automatically react to changes in your AWS resources. ACM publishes metrics twice a day for every certificate in the account until the certificate expires.

The `AWS/CertificateManager` namespace includes the following metrics.

| Metric | Description | Unit | Dimensions | 
| --- | --- | --- | --- | 
| DaysToExpiry | Number of days until the certificate expires. ACM stops publishing this metric after the certificate expires. | Integer | CertificateArn ([see the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/acm/latest/userguide/cloudwatch-metrics.html)) | 

For more information about CloudWatch metrics, see the following topics:
+ [Using Amazon CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html)
+ [Creating Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html)