本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用 記錄 Amazon CloudWatch API 和主控台操作 AWS CloudTrail
Amazon CloudWatch、CloudWatch Synthetics、CloudWatch RUM、Amazon Q Developer 操作調查、Network Flow Monitor 和 Internet Monitor 已與 整合 AWS CloudTrail,此服務可提供使用者、角色或服務所採取動作的記錄 AWS 。CloudTrail 會擷取由您的帳戶或代表 AWS 您的帳戶發出的 API 呼叫。擷取的呼叫包括從 CloudWatch 主控台的呼叫,以及對 CloudWatch API 操作的程式碼呼叫。使用 CloudTrail 收集的資訊,您可以判斷對 CloudWatch 提出的請求、提出請求的 IP 地址、提出請求的時間,以及其他詳細資訊。
每一筆事件或日誌專案都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:
-
該請求是使用根使用者還是使用者憑證提出。
-
請求是否代表 IAM Identity Center 使用者提出。
-
提出該請求時,是否使用了特定角色或聯合身分使用者的暫時安全憑證。
-
該請求是否由另一項 AWS 服務服務提出。
當您建立帳戶 AWS 帳戶 時CloudTrail 會在 中處於作用中狀態,而且您會自動存取 CloudTrail 事件歷史記錄。CloudTrail 事件歷史記錄為 AWS 區域中過去 90 天記錄的管理事件,提供可檢視、可搜尋、可下載且不可變的記錄。如需詳細資訊,請參閱「AWS CloudTrail 使用者指南」中的使用 CloudTrail 事件歷史記錄。檢視事件歷史記錄不會產生 CloudTrail 費用。
如需 AWS 帳戶 過去 90 天內持續記錄的事件,請建立追蹤或 CloudTrail Lake 事件資料存放區。
- CloudTrail 追蹤
-
線索能讓 CloudTrail 將日誌檔案交付至 Amazon S3 儲存貯體。使用 建立的所有線索 AWS Management Console 都是多區域。您可以使用 AWS CLI建立單一或多區域追蹤。建議您建立多區域追蹤,因為您擷取 AWS 區域 帳戶中所有 的活動。如果您建立單一區域追蹤,您只能檢視追蹤 AWS 區域中記錄的事件。如需追蹤的詳細資訊,請參閱《AWS CloudTrail 使用者指南》中的為您的 AWS 帳戶建立追蹤和為組織建立追蹤。
您可以透過建立追蹤,免費將持續管理事件的一個複本從 CloudTrail 傳遞至您的 Amazon S3 儲存貯體,但這樣做會產生 Amazon S3 儲存費用。如需 CloudTrail 定價的詳細資訊,請參閱 AWS CloudTrail 定價
。如需 Amazon S3 定價的相關資訊,請參閱 Amazon S3 定價 。 - CloudTrail Lake 事件資料存放區
-
CloudTrail Lake 讓您能夠對事件執行 SQL 型查詢。CloudTrail Lake 會將分列式 JSON 格式的現有事件轉換為 Apache ORC
格式。ORC 是一種單欄式儲存格式,針對快速擷取資料進行了最佳化。系統會將事件彙總到事件資料存放區中,事件資料存放區是事件的不可變集合,其依據為您透過套用進階事件選取器選取的條件。套用於事件資料存放區的選取器控制哪些事件持續存在並可供您查詢。如需 CloudTrail Lake 的詳細資訊,請參閱AWS CloudTrail 《 使用者指南》中的使用 AWS CloudTrail Lake。 CloudTrail Lake 事件資料存放區和查詢會產生費用。建立事件資料存放區時,您可以選擇要用於事件資料存放區的定價選項。此定價選項將決定擷取和儲存事件的成本,以及事件資料存放區的預設和最長保留期。如需 CloudTrail 定價的詳細資訊,請參閱 AWS CloudTrail 定價
。
注意
如需有關在 CloudTrail 中記錄的 CloudWatch Logs API 呼叫的資訊,請參閱 CloudTrail 中的 CloudWatch Logs 資訊 CloudTrail。 CloudTrail
主題
CloudTrail 中的 CloudWatch 資訊
CloudWatch 支援將下列動作當作事件,記錄在 CloudTrail 日誌檔案中:
範例:CloudWatch 日誌檔項目
以下範例顯示的是展示 PutMetricAlarm 動作的 CloudTrail 日誌項目。
{ "Records": [{ "eventVersion": "1.01", "userIdentity": { "type": "Root", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID" }, "eventTime": "2014-03-23T21:50:34Z", "eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-sdk-ruby2/2.0.0.rc4 ruby/1.9.3 x86_64-linux Seahorse/0.1.0", "requestParameters": { "threshold": 50.0, "period": 60, "metricName": "CloudTrail Test", "evaluationPeriods": 3, "comparisonOperator": "GreaterThanThreshold", "namespace": "AWS/CloudWatch", "alarmName": "CloudTrail Test Alarm", "statistic": "Sum" }, "responseElements": null, "requestID": "29184022-b2d5-11e3-a63d-9b463e6d0ff0", "eventID": "b096d5b7-dcf2-4399-998b-5a53eca76a27" }, ..additional entries ] }
以下日誌檔案項目顯示一位使用者呼叫了 CloudWatch Events PutRule 動作。
{ "eventVersion":"1.03", "userIdentity":{ "type":"Root", "principalId":"123456789012", "arn":"arn:aws:iam::123456789012:root", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2015-11-17T23:56:15Z" } } }, "eventTime":"2015-11-18T00:11:28Z", "eventSource":"events.amazonaws.com", "eventName":"PutRule", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"AWS CloudWatch Console", "requestParameters":{ "description":"", "name":"cttest2", "state":"ENABLED", "eventPattern":"{\"source\":[\"aws.ec2\"],\"detail-type\":[\"EC2 Instance State-change Notification\"]}", "scheduleExpression":"" }, "responseElements":{ "ruleArn":"arn:aws:events:us-east-1:123456789012:rule/cttest2" }, "requestID":"e9caf887-8d88-11e5-a331-3332aa445952", "eventID":"49d14f36-6450-44a5-a501-b0fdcdfaeb98", "eventType":"AwsApiCall", "apiVersion":"2015-10-07", "recipientAccountId":"123456789012" }
以下日誌檔案項目顯示一位使用者呼叫了 CloudWatch Logs CreateExportTask 動作。
{ "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/someuser", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "someuser" }, "eventTime": "2016-02-08T06:35:14Z", "eventSource": "logs.amazonaws.com", "eventName": "CreateExportTask", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-sdk-ruby2/2.0.0.rc4 ruby/1.9.3 x86_64-linux Seahorse/0.1.0", "requestParameters": { "destination": "yourdestination", "logGroupName": "yourloggroup", "to": 123456789012, "from": 0, "taskName": "yourtask" }, "responseElements": { "taskId": "15e5e534-9548-44ab-a221-64d9d2b27b9b" }, "requestID": "1cd74c1c-ce2e-12e6-99a9-8dbb26bd06c9", "eventID": "fd072859-bd7c-4865-9e76-8e364e89307c", "eventType": "AwsApiCall", "apiVersion": "20140328", "recipientAccountId": "123456789012" }
CloudTrail 中的 CloudWatch 資料事件 CloudTrail
CloudTrail 可以擷取與 CloudWatch 資料平面操作 GetMetricData 和 GetMetricWidgetImage 相關的 API 活動。
資料事件也稱為資料平面操作,可讓您深入了解在資源上執行或在資源內執行的資源操作。資料事件通常是大量資料的活動。
根據預設,CloudTrail 不會記錄資料事件。CloudTrail 事件歷史記錄不會記錄資料事件。
資料事件需支付額外的費用。如需 CloudTrail 定價的詳細資訊,請參閱 AWS CloudTrail 定價
您可以使用 CloudTrail 主控台或 CloudTrail API 操作來記錄 CloudWatch 資源類型的資料事件。 CloudTrail AWS CLI CloudTrail 如需如何記錄資料事件的詳細資訊,請參閱《AWS CloudTrail 使用者指南》中的使用 AWS Management Console記錄資料事件和使用 AWS Command Line Interface記錄資料事件。
資料平面事件可以依資源類型篩選。由於在 CloudTrail 中使用資料事件需要額外成本,因此依資源篩選可讓您更妥善地控制記錄和支付的項目。
使用 CloudTrail 收集的資訊,您可以識別 CloudWatch GetMetricData 或 GetMetricWidgetImage APIs的特定請求、請求者的 IP 地址、請求者的身分,以及請求的日期和時間。使用 CloudTrail 記錄 GetMetricData 和 GetMetricWidgetImage APIs 可協助您啟用 AWS 帳戶的營運和風險稽核、管理和合規。
注意
當您在 CloudTrail 中檢視 GetMetricData 事件時,您可能會看到比您起始的呼叫更多的呼叫。這是因為 CloudWatch 會將事件記錄到 CloudTrail,以便由內部元件啟動 GetMetricData 動作。例如,您會看到 CloudWatch 儀表板啟動的 GetMetricData 呼叫重新整理小工具資料,以及監控帳戶啟動的 GetMetricData 呼叫,以跨帳戶可觀測性從來源帳戶擷取資料。這些內部啟動的呼叫不會產生 CloudWatch 費用,但會計入在 CloudTrail 中記錄的事件數量,以及根據記錄的事件數量計算的 CloudTrail 費用。
以下是 GetMetricData 操作的 CloudTrail 事件範例。
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDA2NYTR2EPCTNY7AF3L", "arn": "arn:aws:iam::111122223333:user/admin", "accountId": "111122223333", "accessKeyId": "EXAMPLE1234567890", "userName": "admin" }, "eventTime": "2024-05-08T16:20:34Z", "eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricData", "awsRegion": "us-east-1", "sourceIPAddress": "99.45.3.7", "userAgent": "aws-cli/2.13.23 Python/3.11.5 Darwin/23.4.0 exe/x86_64 prompt/off command/cloudwatch.get-metric-data", "requestParameters": { "metricDataQueries": [{ "id": "e1", "expression": "m1 / m2", "label": "ErrorRate" }, { "id": "m1", "metricStat": { "metric": { "namespace": "CWAgent", "metricName": "disk_used_percent", "dimensions": [{ "name": "LoadBalancerName", "value": "EXAMPLE4623a5cb6a7384c5229" }] }, "period": 300, "stat": "Sum", "unit": "Count" }, "returnData": false }, { "id": "m2", "metricStat": { "metric": { "namespace": "CWAgent", "metricName": "disk_used_percent", "dimensions": [{ "name": "LoadBalancerName", "value": "EXAMPLE4623a5cb6a7384c5229" }] }, "period": 300, "stat": "Sum" }, "returnData": true } ], "startTime": "Apr 19, 2024, 4:00:00 AM", "endTime": "May 8, 2024, 4:30:00 AM" }, "responseElements": null, "requestID": "EXAMPLE-57ac-47d5-938c-f5917c6799d5", "eventID": "EXAMPLE-211c-404b-b13d-36d93c8b4fbf", "readOnly": true, "resources": [{ "type": "AWS::CloudWatch::Metric" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "monitoring.us-east-1.amazonaws.com" } }
CloudTrail 中的查詢產生資訊
也支援查詢產生器主控台事件的 CloudTrail 記錄。CloudWatch Metric Insights 和 CloudWatch Logs Insights 目前支援查詢產生器。在這些 CloudTrail 事件中, eventSource是 monitoring.amazonaws.com。
下列範例顯示 CloudTrail 日誌項目,示範 CloudWatch Metrics Insights 中的 GenerateQuery 動作。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2020-04-08T21:43:24Z", "mfaAuthenticated": "false" } } }, "eventTime": "2020-04-08T23:06:30Z", "eventSource": "monitoring.amazonaws.com", "eventName": "GenerateQuery", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "exampleUserAgent", "requestParameters": { "query_ask": "***", "query_type": "MetricsInsights", "metrics_insights": { "aws_namespaces": [ "AWS/S3", "AWS/Lambda", "AWS/DynamoDB" ] }, "include_description": true }, "responseElements": null, "requestID": "2f56318c-cfbd-4b60-9d93-1234567890", "eventID": "52723fd9-4a54-478c-ac55-1234567890", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
CloudTrail 中的 Amazon Q Developer 操作調查事件
Amazon Q Developer 操作調查支援將下列動作記錄為 CloudTrail 日誌檔案中的事件。
-
CreateInvestigation
-
GetInvestigation
-
UpdateInvestigation
-
DeleteInvestigation
-
ListInvestigations
-
CreateInvestigationGroup
-
GetInvestigationGroup
-
UpdateInvestigationGroup
-
DeleteInvestigationGroup
-
ListInvestigationsGroup
-
PutInvestigationGroupPolicy
-
DeleteInvestigationGroupPolicy
-
ListTagsForResource
-
GetInvestigationGroupPolicy
-
TagResource
-
UntagResource
-
CreateInvestigationEvent
-
GetInvestigationEvent
-
UpdateInvestigationEvent
-
ListInvestigationEvents
-
CreateInvestigationResource
-
GetInvestigationResource
範例:Amazon Q Developer 操作調查日誌檔案項目
下列範例顯示示範 CreateInvestigationGroup動作的 Amazon Q Developer 操作調查日誌項目。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:role/role_name", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2024-10-30T18:42:05Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-10-30T18:48:26Z", "eventSource": "aiops.amazonaws.com", "eventName": "CreateInvestigationGroup", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "exampleUserAgent", "requestParameters": { "name": "exampleName", "roleArn": "arn:aws:iam::123456789012:role/role_name" }, "responseElements": { "arn": "arn:aws:aiops:us-east-1:123456789012:investigation-group/021345abcdef67890" }, "requestId": "e9caf887-8d88-11e5-a331-3332aa445952", "requestId": "49d14f36-6450-44a5-a501-b0fdcdfaeb98", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management" }
下列範例顯示示範 CreateInvestigationEvent動作的 Amazon Q Developer 操作調查日誌項目。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:sts::123456789012:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:role/role_name", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2024-10-30T16:17:49Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-10-30T16:35:34Z", "eventSource": "aiops.amazonaws.com", "eventName": "CreateInvestigationEvent", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "exampleUserAgent", "requestParameters": { "identifier": "arn:aws:aiops:us-east-1:123456789012:investigation-group/021345abcdef67890", "investigationId": "bcdef01234567890", "clientToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "type": "METRIC_OBSERVATION", "body": "***" }, "responseElements": { "investigationGroupArn": "arn:aws:aiops:us-east-1:123456789012:investigation-group/021345abcdef67890", "investigationId": "bcdef01234567890", "investigationEventId": "14567890abcdef0g" }, "requestId": "e9caf887-8d88-11e5-a331-3332aa445952", "eventId": "49d14f36-6450-44a5-a501-b0fdcdfaeb98", "readOnly": false, "resources": [{ "accountId": "123456789012", "type": "AWS::AIOps::InvestigationGroup", "ARN": "arn:aws:aiops:us-east-1:123456789012:investigation-group/021345abcdef67890" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data" }
下列範例顯示示範 UpdateInvestigationEvent動作的 Amazon Q Developer 操作調查日誌項目。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:sts::123456789012:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:role/role_name", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2024-10-30T16:17:49Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-10-30T16:24:48Z", "eventSource": "aiops.amazonaws.com", "eventName": "UpdateInvestigationEvent", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "exampleUserAgent", "requestParameters": { "identifier": "arn:aws:aiops:us-east-1:123456789012:investigation-group/021345abcdef67890", "investigationId": "bcdef01234567890", "investigationEventId": "14567890abcdef0g", "comment": "***" }, "responseElements": null, "requestId": "e9caf887-8d88-11e5-a331-3332aa445952", "eventId": "49d14f36-6450-44a5-a501-b0fdcdfaeb98", "readOnly": false, "resources": [{ "accountId": "123456789012", "type": "AWS::AIOps::InvestigationGroup", "ARN": "arn:aws:aiops:us-east-1:123456789012:investigation-group/021345abcdef67890" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data" }
CloudTrail 中的網路流量監控
Network Flow Monitor 支援將下列動作記錄為 CloudTrail 日誌檔案中的事件。
範例:Network Flow Monitor 日誌檔案項目
下列範例顯示示範 CreateMonitor動作的 Network Flow Monitor CloudTrail 日誌檔案項目。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2024-11-03T15:43:27Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-11-03T15:58:11Z", "eventSource": "networkflowmonitor.amazonaws.com", "eventName": "CreateMonitor", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "requestParameters": { "MonitorName": "TestMonitor", "ClientToken": "33551db7-1618-4aab-cdef-EXAMPLE33333", "LocalResources": [ { "Type": "AWS::EC2::Subnet", "Identifier": "subnet-cdef-EXAMPLEbbbbb" }, { "Type": "AWS::EC2::Subnet", "Identifier": "subnet-cdef-EXAMPLEccccc" }, { "Type": "AWS::EC2::Subnet", "Identifier": "subnet-cdef-EXAMPLEddddd" }, { "Type": "AWS::EC2::Subnet", "Identifier": "subnet-cdef-EXAMPLEeeeee" }, { "Type": "AWS::EC2::Subnet", "Identifier": "subnet-cdef-EXAMPLEfffff" }, { "Type": "AWS::EC2::Subnet", "Identifier": "subnet-cdef-EXAMPLEggggg" } ] }, "responseElements": { "Access-Control-Expose-Headers": "*", "MonitorArn": "arn:aws:networkflowmonitor:us-east-1:000000000000:monitor/TestMonitor", "MonitorName": "TestMonitor", "MonitorStatus": "ACTIVE" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-10-11T17:25:41Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-10-11T17:30:18Z", "eventSource": "networkflowmonitor.amazonaws.com", "eventName": "ListMonitors", "awsRegion": "us-east-2", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "requestParameters": null, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
CloudTrail 中的網路流量監控資料平面事件
CloudTrail 可以擷取與 CloudWatch-NetworkFlowMonitor 資料平面操作相關的 API 活動。
資料事件也稱為資料平面操作,可讓您深入了解在資源上執行或在資源內執行的資源操作。資料事件通常是大量資料的活動。
若要在 CloudTrail 檔案中啟用網路流量監控資料事件的記錄,您需要在 CloudTrail 中啟用資料平面 API 活動的記錄。如需詳細資訊,請參閱記錄追蹤的資料事件。
資料平面事件可以依資源類型篩選。由於在 CloudTrail 中使用資料事件需要額外成本,因此依資源篩選可讓您更妥善地控制記錄和支付的項目。
使用 CloudTrail 收集的資訊,您可以識別 CloudWatch-NetworkFlowMonitor 資料平面 APIs的特定請求、請求者的 IP 地址、請求者的身分,以及請求的日期和時間。使用 CloudTrail 記錄資料平面 APIs 可協助您進行 AWS 帳戶的操作和風險稽核、管理和合規。
以下是 Network Flow Monitor 中的資料平面 APIs。
下列範例顯示 CloudTrail 日誌項目,示範 GetQueryResultsMonitorsTopContributors 動作。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2024-11-03T15:43:27Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-11-15T14:08:04Z", "eventSource": "networkflowmonitor.amazonaws.com", "eventName": "GetQueryResultsMonitorTopContributors", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "errorCode": "AccessDenied", "requestParameters": { "QueryId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEQuery, "MaxResults": "20", "MonitorName": "TestMonitor" }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": true, "resources": [ { "accountId": "123456789012", "type": "AWS::NetworkFlowMonitor::Monitor", "ARN": "arn:aws:networkflowmonitor:us-east-1:123456789012:monitor/TestMonitor" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "000000000000", "eventCategory": "Data" }
下列範例顯示 CloudTrail 日誌項目,示範 GetQueryResultsWorkloadInsightsTopContributors 動作。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId": "123456789012", "userName": "SAMPLE_NAME" }, "attributes": { "creationDate": "2024-11-03T15:43:27Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-11-15T14:08:04Z", "eventSource": "networkflowmonitor.amazonaws.com", "eventName": "GetQueryResultsWorkloadInsightsTopContributorsData", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "errorCode": "AccessDenied", "requestParameters": { "QueryId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEQuery", "ScopeId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEScope" }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": true, "resources": [ { "accountId": "496383180932", "type": "AWS::NetworkFlowMonitor::Scope", "ARN": "arn:aws:networkflowmonitor:us-east-1:123456789012:scope/a1b2c3d4-5678-90ab-cdef-EXAMPLEScope" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "000000000000", "eventCategory": "Data" }
CloudTrail 中的網際網路監視器
網路監視器支援將下列動作記錄為 CloudTrail 日誌檔案中的事件。
範例:網際網路監視器日誌檔案項目
以下範例顯示的是展示 ListMonitors 動作的 CloudTrail 網路監視器日誌項目。
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-10-11T17:25:41Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-10-11T17:30:18Z", "eventSource": "internetmonitor.amazonaws.com", "eventName": "ListMonitors", "awsRegion": "us-east-2", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "requestParameters": null, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
以下範例顯示的是展示 CreateMonitor 動作的 CloudTrail 網路監視器日誌項目。
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-10-11T17:25:41Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-10-11T17:30:08Z", "eventSource": "internetmonitor.amazonaws.com", "eventName": "CreateMonitor", "awsRegion": "us-east-2", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "requestParameters": { "MonitorName": "TestMonitor", "Resources": ["arn:aws:ec2:us-east-2:444455556666:vpc/vpc-febc0b95"], "ClientToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" }, "responseElements": { "Arn": "arn:aws:internetmonitor:us-east-2:444455556666:monitor/ct-onboarding-test", "Status": "PENDING" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
CloudTrail 中的 CloudWatch Synthetics 資訊
CloudWatch Synthetics 支援將下列動作當作事件,記錄在 CloudTrail 日誌檔案中:
範例:CloudWatch Synthetics 日誌檔項目
以下範例顯示的是展示 DescribeCanaries 動作的 CloudTrail Synthetics 日誌項目。
{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-04-08T21:43:24Z" } } }, "eventTime": "2020-04-08T23:06:47Z", "eventSource": "synthetics.amazonaws.com", "eventName": "DescribeCanaries", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", "requestParameters": null, "responseElements": null, "requestID": "201ed5f3-15db-4f87-94a4-123456789", "eventID": "73ddbd81-3dd0-4ada-b246-123456789", "readOnly": true, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
以下範例顯示的是展示 UpdateCanary 動作的 CloudTrail Synthetics 日誌項目。
{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-04-08T21:43:24Z" } } }, "eventTime": "2020-04-08T23:06:47Z", "eventSource": "synthetics.amazonaws.com", "eventName": "UpdateCanary", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", "requestParameters": { "Schedule": { "Expression": "rate(1 minute)" }, "name": "sample_canary_name", "Code": { "Handler": "myOwnScript.handler", "ZipFile": "SAMPLE_ZIP_FILE" } }, "responseElements": null, "requestID": "fe4759b0-0849-4e0e-be71-1234567890", "eventID": "9dc60c83-c3c8-4fa5-bd02-1234567890", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
以下範例顯示的是展示 GetCanaryRuns 動作的 CloudTrail Synthetics 日誌項目。
{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-04-08T21:43:24Z" } } }, "eventTime": "2020-04-08T23:06:30Z", "eventSource": "synthetics.amazonaws.com", "eventName": "GetCanaryRuns", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", "requestParameters": { "Filter": "TIME_RANGE", "name": "sample_canary_name", "FilterValues": [ "2020-04-08T23:00:00.000Z", "2020-04-08T23:10:00.000Z" ] }, "responseElements": null, "requestID": "2f56318c-cfbd-4b60-9d93-1234567890", "eventID": "52723fd9-4a54-478c-ac55-1234567890", "readOnly": true, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
CloudTrail 中的 CloudWatch RUM 資訊 CloudTrail
CloudWatch RUM 支援將下列動作記錄為 CloudTrail 日誌檔案中的事件:
範例:CloudWatch RUM 日誌檔案項目
本節包含一些 CloudWatch RUM API 的範例 CloudTrail 項目。 CloudWatch APIs
下列範例顯示示範 CreateAppMonitor 動作的 CloudTrail 日誌項目。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::777777777777:assumed-role/EXAMPLE", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:iam::777777777777:role/EXAMPLE", "accountId": "777777777777", "userName": "USERNAME_EXAMPLE" }, "attributes": { "creationDate": "2024-07-23T16:48:47Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-07-23T18:02:57Z", "eventSource": "rum.amazonaws.com", "eventName": "CreateAppMonitor", "awsRegion": "us-east-1", "sourceIPAddress": "54.240.198.39", "userAgent": "aws-internal/3 aws-sdk-java/1.12.641 Linux/5.10.219-186.866.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.402-b08 java/1.8.0_402 vendor/Oracle_Corporation cfg/retry-mode/standard", "requestParameters": { "CustomEvents": { "Status": "ENABLED" }, "CwLogEnabled": true, "Domain": "*.github.io", "AppMonitorConfiguration": { "SessionSampleRate": 1, "IncludedPages": [], "ExcludedPages": [], "Telemetries": [ "performance", "errors", "http" ], "EnableXRay": false, "AllowCookies": true, "IdentityPoolId": "us-east-1:c81b9a1c-a5c9-4de5-8585-eb8df04e66f0" }, "Tags": { "TestAppMonitor": "" }, "Name": "TestAppMonitor" }, "responseElements": { "Id": "65a8cc63-4ae8-4f2c-b5fc-4a54ef43af51" }, "requestID": "cf7c30ad-25d3-4274-bab1-39c95a558007", "eventID": "2d43cc69-7f89-4f1a-95ae-0fc7e9b9fb3b", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777777777777", "eventCategory": "Management" }
下列範例顯示 CloudTrail 日誌項目,示範 PutRumMetricsDestination 動作。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::777777777777:assumed-role/EXAMPLE", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:iam::777777777777:role/EXAMPLE", "accountId": "777777777777", "userName": "USERNAME_EXAMPLE" }, "attributes": { "creationDate": "2024-07-23T16:48:47Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-07-23T18:22:22Z", "eventSource": "rum.amazonaws.com", "eventName": "PutRumMetricsDestination", "awsRegion": "us-east-1", "sourceIPAddress": "52.94.133.142", "userAgent": "aws-cli/2.13.25 Python/3.11.5 Linux/5.10.219-186.866.amzn2int.x86_64 exe/x86_64.amzn.2 prompt/off command/rum.put-rum-metrics-destination", "requestParameters": { "Destination": "CloudWatch", "AppMonitorName": "TestAppMonitor" }, "responseElements": null, "requestID": "9b03fcce-b3a2-44fc-b771-900e1702998a", "eventID": "6250f9b7-0505-4f96-9668-feb64f82de5b", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777777777777", "eventCategory": "Management" }
下列範例顯示 CloudTrail 日誌項目,示範 BatchCreateRumMetricsDefinitions 動作。
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::777777777777:assumed-role/EXAMPLE", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:iam::777777777777:role/EXAMPLE", "accountId": "777777777777", "userName": "USERNAME_EXAMPLE" }, "attributes": { "creationDate": "2024-07-23T16:48:47Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-07-23T18:23:11Z", "eventSource": "rum.amazonaws.com", "eventName": "BatchCreateRumMetricDefinitions", "awsRegion": "us-east-1", "sourceIPAddress": "52.94.133.142", "userAgent": "aws-cli/2.13.25 Python/3.11.5 Linux/5.10.219-186.866.amzn2int.x86_64 exe/x86_64.amzn.2 prompt/off command/rum.batch-create-rum-metric-definitions", "requestParameters": { "Destination": "CloudWatch", "MetricDefinitions": [ { "Name": "NavigationToleratedTransaction", "Namespace": "AWS/RUM", "DimensionKeys": { "metadata.browserName": "BrowserName" }, "EventPattern": "{\"metadata\":{\"browserName\":[\"Chrome\"]},\"event_type\":[\"com.amazon.rum.performance_navigation_event\"],\"event_details\": {\"duration\": [{\"numeric\": [\"<=\",2000,\"<\",8000]}]}}" }, { "Name": "HttpErrorCount", "DimensionKeys": { "metadata.browserName": "BrowserName", "metadata.countryCode": "CountryCode" }, "EventPattern": "{\"metadata\":{\"browserName\":[\"Chrome\"], \"countryCode\":[\"US\"]},\"event_type\":[\"com.amazon.rum.http_event\"]}" } ], "AppMonitorName": "TestAppMonitor" }, "responseElements": { "Errors": [], "MetricDefinitions": [] }, "requestID": "b14c5eda-f107-48e5-afae-1ac20d0962a8", "eventID": "001b55c6-1de1-48c0-a236-31096dffe249", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777777777777", "eventCategory": "Management" }
CloudTrail 中的 CloudWatch RUM 資料平面事件 CloudTrail
CloudTrail 可以擷取與 CloudWatch RUM 資料平面操作 PutRumEvents 相關的 API 活動。
資料事件也稱為資料平面操作,可讓您深入了解在資源上執行或在資源內執行的資源操作。資料事件通常是大量資料的活動。
若要在 CloudTrail 檔案中啟用 PutRumEvents 資料事件的記錄,您需要在 CloudTrail 中啟用資料平面 API 活動的記錄。如需詳細資訊,請參閱記錄追蹤的資料事件。
資料平面事件可以依資源類型篩選。由於在 CloudTrail 中使用資料事件需要額外成本,因此依資源篩選可讓您更妥善地控制記錄和支付的項目。
使用 CloudTrail 收集的資訊,您可以識別 CloudWatch RUM PutRumEvents API 的特定請求、請求者的 IP 地址、請求者的身分,以及請求的日期和時間。使用 CloudTrail 記錄 PutRumEvents API 可協助您啟用 AWS 帳戶的營運和風險稽核、管理和合規。
下列範例顯示示範 PutRumEvents 動作的 CloudTrail 日誌項目。
{ "Records": [ { "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::777777777777:assumed-role/EXAMPLE", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:iam::777777777777:role/EXAMPLE", "accountId": "777777777777", "userName": "USERNAME_EXAMPLE" }, "attributes": { "creationDate": "2024-05-16T20:32:39Z", "mfaAuthenticated": "false" } }, "invokedBy": "AWS Internal" }, "eventTime": "2024-05-16T20:32:42Z", "eventSource": "rum.amazonaws.com", "eventName": "PutRumEvents", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "id": "73ddbd81-1234-5678-b246-123456789", "batchId": "123456-3dd0-4ada-b246-123456789", "appMonitorDetails": { "name": "APP-MONITOR-NAME", "id": "123456-3dd0-4ada-b246-123456789", "version": "1.0.0" }, "userDetails": { "userId": "73ddbd81-1111-9999-b246-123456789", "sessionId": "a1b2c3456-15db-4f87-6789-123456789" }, "rumEvents": [ { "id": "201f367a-15db-1234-94a4-123456789", "timestamp": "May 16, 2024, 8:32:20 PM", "type": "com.amazon.rum.dom_event", "metadata": "{}", "details": "{}" } ] }, "responseElements": null, "requestID": "201ed5f3-15db-4f87-94a4-123456789", "eventID": "73ddbd81-3dd0-4ada-b246-123456789", "readOnly": false, "resources": [ { "accountId": "777777777777", "type": "AWS::RUM::AppMonitor", "ARN": "arn:aws:rum:us-east-1:777777777777:appmonitor/APPMONITOR_NAME_EXAMPLE" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "777777777777", "eventCategory": "Data" } ] }
