


# Using CloudWatch Events with AWS Private CA
<a name="CloudWatchEvents"></a>

You can use [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/) to automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to CloudWatch Events in near real time. You can write simple rules to indicate which events are of interest to you and what automated actions to take when an event matches a rule. CloudWatch Events are published at least once. For more information, see [Creating a CloudWatch Events Rule That Triggers on an Event](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html).

CloudWatch uses Amazon EventBridge to turn events into actions. With EventBridge, you can use events to trigger targets including AWS Lambda functions, AWS Batch jobs, Amazon SNS topics, and more. For more information, see [What is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html)
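An EventBridge rule selects events with a pattern. The Python block below is an added example, not code from the AWS documentation: it defines a pattern that matches every `failure` event from `aws.acm-pca` and implements the exact-value subset of EventBridge matching, so the pattern can be tried offline against constructed sample events. The event IDs, account number and ARNs in the samples are constructed placeholders.

```python
import json

# Rule pattern: every failure event emitted by AWS Private CA. In EventBridge
# pattern syntax each field lists the values it may take, and a field that is
# absent from the pattern matches anything.
ACM_PCA_FAILURE_PATTERN = {
    "source": ["aws.acm-pca"],
    "detail-type": [
        "ACM Private CA Creation",
        "ACM Private CA Certificate Issuance",
        "ACM Private CA CRL Generation",
        "ACM Private CA Audit Report Generation",
    ],
    "detail": {"result": ["failure"]},
}


def matches(pattern, event):
    """True if `event` satisfies `pattern` under EventBridge's exact-match rules.

    Every key in the pattern must exist in the event; a list of allowed values
    matches when the event value equals any of them (for list-valued event
    fields, when any element does); a nested dict is matched recursively.
    Content filters such as "prefix" or "anything-but" are not implemented.
    """
    if not isinstance(event, dict):
        return False
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def make_event(detail_type, result, reason=None):
    """Build a constructed sample event in the shape the documentation shows."""
    detail = {"result": result}
    if reason is not None:
        detail["reason"] = reason
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # constructed placeholder
        "detail-type": detail_type,
        "source": "aws.acm-pca",
        "account": "111122223333",  # constructed placeholder
        "time": "2019-11-07T23:01:25Z",
        "region": "us-east-1",
        "resources": [
            "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/"
            "11223344-1234-1122-2233-112233445566"  # constructed placeholder
        ],
        "detail": detail,
    }


def select_failures(events):
    """Return the events the rule would forward to its target."""
    return [e for e in events if matches(ACM_PCA_FAILURE_PATTERN, e)]


if __name__ == "__main__":
    sample = [
        make_event("ACM Private CA Creation", "success"),
        make_event("ACM Private CA CRL Generation", "failure",
                   "Failed to write CRL to S3. Check your S3 bucket permissions."),
        # An unrelated event from another service must not match.
        {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
         "detail": {"state": "stopped"}},
    ]
    print(json.dumps(ACM_PCA_FAILURE_PATTERN, indent=2))
    for e in select_failures(sample):
        print("forward:", e["detail-type"], e["detail"])
```

The `ACM_PCA_FAILURE_PATTERN` dict, serialized with `json.dumps`, is the value you would pass as the event pattern when creating the rule; because `detail-type` lists all four event types, one rule routes every AWS Private CA failure to a single target such as an SNS topic or a Lambda function.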

## Success or failure when creating a private CA
<a name="cwe-issue-CA"></a>

These events are triggered by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) operation.

**Success**  
On success, the operation returns the ARN of the new CA.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Creation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T19:14:56Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure**  
On failure, the operation returns the ARN of the CA. Using the ARN, you can call [DescribeCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html) to determine the status of the CA.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Creation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T19:14:56Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
   ],
   "detail":{
      "result":"failure"
   }
}
```

## Success or failure when issuing a certificate
<a name="cwe-issue-cert"></a>

These events are triggered by the [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) operation.

**Success**  
On success, the operation returns the ARNs of the CA and of the new certificate.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Certificate Issuance",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T19:57:46Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
      "arn:aws:acm-pca:{{region}}:{{account}}:certificate-authority/{{CA_ID}}/certificate/{{certificate_ID}}"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure**  
On failure, the operation returns the certificate ARN and the ARN of the CA. Using the certificate ARN, you can call [GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html) to review the reason for the failure.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Certificate Issuance",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T19:57:46Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
      "arn:aws:acm-pca:{{region}}:{{account}}:certificate-authority/{{CA_ID}}/certificate/{{certificate_ID}}"
   ],
   "detail":{
      "result":"failure"
   }
}
```

## Success when revoking a certificate
<a name="cwe-revocation"></a>

This event is triggered by the [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) operation.

No event is sent if the revocation fails or if the certificate has already been revoked.

**Success**  
On success, the operation returns the ARNs of the CA and of the revoked certificate.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Certificate Revocation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-05T20:25:19Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
      "arn:aws:acm-pca:{{region}}:{{account}}:certificate-authority/{{CA_ID}}/certificate/{{certificate_ID}}"
   ],
   "detail":{
      "result":"success"
   }
}
```

## Success or failure when generating a CRL
<a name="cwe-CRL"></a>

These events are triggered by a [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) operation that should result in the creation of a certificate revocation list (CRL).

**Success**  
On success, the operation returns the ARN of the CA associated with the CRL.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T21:07:08Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure 1 – The CRL could not be saved to Amazon S3 because of a permissions error**  
If this error occurs, check your Amazon S3 bucket permissions.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-07T23:01:25Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
   ],
   "detail":{
      "result":"failure",
      "reason":"Failed to write CRL to S3. Check your S3 bucket permissions."
   }
}
```

**Failure 2 – The CRL could not be saved to Amazon S3 because of an internal error**  
If this error occurs, retry the operation.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-07T23:01:25Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
   ],
   "detail":{
      "result":"failure",
      "reason":"Failed to write CRL to S3. Internal failure."
   }
}
```

**Failure 3 – AWS Private CA failed to create the CRL**  
To troubleshoot this error, check your [CloudWatch metrics](https://docs.aws.amazon.com/privateca/latest/APIReference/PcaCloudWatch.html).

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-07T23:01:25Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}"
   ],
   "detail":{
      "result":"failure",
      "reason":"Failed to generate CRL. Internal failure."
   }
}
```

## Success or failure when creating a CA audit report
<a name="cwe-audit"></a>

These events are triggered by the [CreateCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html) operation.

**Success**  
On success, the operation returns the ARN of the CA and the ID of the audit report.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Audit Report Generation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T21:54:20Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
      "{{audit_report_ID}}"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure**  
The audit report can fail when AWS Private CA lacks `PUT` permission on your Amazon S3 bucket, when encryption is enabled on the bucket, or for other reasons.

```
{
   "version":"0",
   "id":"{{event_ID}}",
   "detail-type":"ACM Private CA Audit Report Generation",
   "source":"aws.acm-pca",
   "account":"{{account}}",
   "time":"2019-11-04T21:54:20Z",
   "region":"{{region}}",
   "resources":[
      "arn:{{aws}}:acm-pca:{{us-east-1}}:{{111122223333}}:certificate-authority/{{11223344-1234-1122-2233-112233445566}}",
      "{{audit_report_ID}}"
   ],
   "detail":{
      "result":"failure"
   }
}
```
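The sections above each state what to do when a given event reports `failure` (check the CA status, read the certificate's failure reason, fix S3 permissions, retry, or look at the CloudWatch metrics). The Python block below is an added example, not code from the AWS documentation, showing a Lambda-style handler that can sit behind a rule for `aws.acm-pca` events: it splits the `resources` list into CA ARN, certificate ARN and audit report ID, and maps each event to the follow-up the documentation recommends. It returns the next step as data rather than calling the APIs itself; the severity labels are this example's own choice, and the event IDs, account number and ARNs in the sample events are constructed placeholders.

```python
import re

# ARN shapes seen in the event samples: a CA ARN, and a certificate ARN that
# nests the certificate ID under the CA path.
CA_ARN_RE = re.compile(
    r"^arn:[^:]+:acm-pca:[^:]*:\d{12}:certificate-authority/[^/]+$")
CERT_ARN_RE = re.compile(
    r"^arn:[^:]+:acm-pca:[^:]*:\d{12}:certificate-authority/[^/]+/certificate/[^/]+$")


def parse_resources(resources):
    """Split the event's `resources` list into CA ARN, certificate ARN and audit report ID."""
    refs = {"ca_arn": None, "certificate_arn": None, "audit_report_id": None}
    for r in resources:
        if CERT_ARN_RE.match(r):
            refs["certificate_arn"] = r
        elif CA_ARN_RE.match(r):
            refs["ca_arn"] = r
        elif not r.startswith("arn:"):
            # Audit report events carry the report ID as a bare string.
            refs["audit_report_id"] = r
    return refs


def triage(event):
    """Return severity and the documented next step for one AWS Private CA event.

    Severity labels are this example's own choice, not part of the event."""
    if event.get("source") != "aws.acm-pca":
        raise ValueError("not an AWS Private CA event")
    detail_type = event["detail-type"]
    detail = event.get("detail", {})
    out = {"detail_type": detail_type, "result": detail.get("result")}
    out.update(parse_resources(event.get("resources", [])))

    if detail.get("result") == "success":
        out.update(severity="info", action="none")
        return out

    reason = detail.get("reason", "")
    if detail_type == "ACM Private CA Creation":
        out.update(severity="high",
                   action="call DescribeCertificateAuthority on ca_arn to check the CA status")
    elif detail_type == "ACM Private CA Certificate Issuance":
        out.update(severity="high",
                   action="call GetCertificate on certificate_arn to read the failure reason")
    elif detail_type == "ACM Private CA CRL Generation":
        # An unpublished CRL leaves revoked certificates trusted by relying parties.
        if "Check your S3 bucket permissions" in reason:
            out.update(severity="high", action="check the CRL bucket's S3 permissions")
        elif reason.startswith("Failed to write CRL to S3"):
            out.update(severity="medium", action="retry the operation (internal S3 write failure)")
        else:
            out.update(severity="high", action="check the AWS Private CA CloudWatch metrics")
    elif detail_type == "ACM Private CA Audit Report Generation":
        out.update(severity="medium",
                   action="verify PUT permission and encryption settings on the audit report bucket")
    else:
        out.update(severity="medium", action="unrecognized detail-type; inspect manually")
    return out


def lambda_handler(event, context):
    """Entry point when this module is the target of an EventBridge rule."""
    return triage(event)


# Constructed sample events (IDs, account number and ARNs are placeholders).
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
CERT_ARN = CA_ARN + "/certificate/286535153982981100925020015808220000"
SAMPLE_EVENTS = [
    {"version": "0", "id": "evt-1", "detail-type": "ACM Private CA CRL Generation",
     "source": "aws.acm-pca", "account": "111122223333", "time": "2019-11-07T23:01:25Z",
     "region": "us-east-1", "resources": [CA_ARN],
     "detail": {"result": "failure",
                "reason": "Failed to write CRL to S3. Check your S3 bucket permissions."}},
    {"version": "0", "id": "evt-2", "detail-type": "ACM Private CA Certificate Issuance",
     "source": "aws.acm-pca", "account": "111122223333", "time": "2019-11-04T19:57:46Z",
     "region": "us-east-1", "resources": [CA_ARN, CERT_ARN], "detail": {"result": "failure"}},
    {"version": "0", "id": "evt-3", "detail-type": "ACM Private CA Audit Report Generation",
     "source": "aws.acm-pca", "account": "111122223333", "time": "2019-11-04T21:54:20Z",
     "region": "us-east-1", "resources": [CA_ARN, "report-0001"], "detail": {"result": "success"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        t = lambda_handler(ev, None)
        print(f"{t['severity']:6} {t['detail_type']}: {t['action']}")
```

The `reason` string is only present on CRL generation failures, so the handler distinguishes the three CRL cases by its text and falls back to the CloudWatch metrics advice for the "Failed to generate CRL" case; for the other event types the `detail` carries only `result`, and the returned ARNs tell the caller which API to query next.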