

This is a machine-translated version of the English original. If there is any ambiguity or inconsistency in the content, the English version prevails.

# AWS CloudHSM audit log reference
<a name="cloudhsm-audit-log-reference"></a>

AWS CloudHSM records HSM management commands as audit log events. Each event carries an operation code (`Opcode`) value that identifies the action that occurred and the HSM's response to it. You can use the `Opcode` value to search, sort, and filter the logs.

The following table defines the `Opcode` values that appear in AWS CloudHSM audit logs. Where a hex value is known it is shown in parentheses after the opcode name, exactly as it appears in the log record.

| Opcode | Description | 
| --- | --- |
| **User login**: these events include the user name and user type. | | 
| CN\_LOGIN (0xd) | [User login](cloudhsm_mgmt_util-loginLogout.md) | 
| CN\_LOGOUT (0xe) | [User logout](cloudhsm_mgmt_util-loginLogout.md) | 
| CN\_APP\_FINALIZE | The connection to the HSM was closed. Any session keys or quorum tokens belonging to this connection were deleted. | 
| CN\_CLOSE\_SESSION | The session with the HSM was closed. Any session keys or quorum tokens belonging to this session were deleted. | 
| **User management**: these events include the user name and user type. | | 
| CN\_CREATE\_USER (0x3) | [Create a crypto user (CU)](cloudhsm_mgmt_util-createUser.md) | 
| CN\_CREATE\_CO | [Create a crypto officer (CO)](cloudhsm_mgmt_util-createUser.md) | 
| CN\_DELETE\_USER | [Delete a user](cloudhsm_mgmt_util-deleteUser.md) | 
| CN\_CHANGE\_PSWD | [Change a user password](cloudhsm_mgmt_util-changePswd.md) | 
| CN\_SET\_M\_VALUE | Set [quorum authentication](quorum-auth-chsm-cli.md) (M of N) for a user action | 
| CN\_APPROVE\_TOKEN | Approve a [quorum authentication](quorum-auth-chsm-cli.md) token for a user action | 
| CN\_DELETE\_TOKEN | Delete one or more [quorum tokens](quorum-auth-chsm-cli.md) | 
| CN\_GET\_TOKEN | Request a signing token to initiate a [quorum operation](quorum-auth-chsm-cli.md) | 
| **Key management**: these events include the key handle. | | 
| CN\_GENERATE\_KEY | [Generate a symmetric key](key_mgmt_util-genSymKey.md) | 
| CN\_GENERATE\_KEY\_PAIR (0x19) | Generate an asymmetric key pair | 
| CN\_CREATE\_OBJECT | Import a public key (without wrapping) | 
| CN\_MODIFY\_OBJECT | Set a key attribute | 
| CN\_DESTROY\_OBJECT (0x11) | Deletion of a [session key](https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-key-sync.html#concepts-key-sync) | 
| CN\_TOMBSTONE\_OBJECT | Deletion of a [token key](https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-key-sync.html#concepts-key-sync) | 
| CN\_SHARE\_OBJECT | [Share or unshare a key](cloudhsm_mgmt_util-shareKey.md) | 
| CN\_WRAP\_KEY | Export an encrypted copy of a key ([wrapKey](key_mgmt_util-wrapKey.md)) | 
| CN\_UNWRAP\_KEY | Import an encrypted copy of a key ([unwrapKey](key_mgmt_util-unwrapKey.md)) | 
| CN\_DERIVE\_KEY | Derive a symmetric key from an existing key | 
| CN\_NIST\_AES\_WRAP | Encrypt or decrypt a key using an AES key | 
| CN\_INSERT\_MASKED\_OBJECT\_USER | Insert an encrypted key, with its attributes, received from another HSM in the cluster. | 
| CN\_EXTRACT\_MASKED\_OBJECT\_USER | Wrap (encrypt) a key, with its attributes, on this HSM so it can be sent to another HSM in the cluster. | 
| **Session management** | | 
| CN\_ENCRYPT\_SESSION\_V2 (0x107) | Establishes an authenticated, end-to-end encrypted session. | 
| END\_MARKER\_OPCODE (0xffff) | Inserts an end marker in the audit log buffer, indicating that no further loggable commands are allowed on the HSM. | 
| **Back up HSMs** | | 
| CN\_BACKUP\_BEGIN | Begin the backup process | 
| CN\_BACKUP\_END | Backup process completed | 
| CN\_RESTORE\_BEGIN | Begin restoring from a backup | 
| CN\_RESTORE\_END | Restoration from a backup completed | 
| **Certificate-based authentication** | | 
| CN\_CERT\_AUTH\_STORE\_CERT | Stores the cluster certificate | 
| **HSM instance commands** | | 
| CN\_INIT\_TOKEN (0x1) | Start the HSM initialization process | 
| CN\_INIT\_DONE | The HSM initialization process has finished | 
| CN\_GEN\_KEY\_ENC\_KEY | Generate a key encryption key (KEK) | 
| CN\_GEN\_PSWD\_ENC\_KEY (0x1d) | Generate a password encryption key (PEK) | 
| **HSM crypto commands** | | 
| CN\_FIPS\_RAND | Generate a FIPS-compliant random number[1](#hsm-audit-log-note-1) | 

[1] Logged only for hsm1.medium clusters.
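The introduction above says the `Opcode` value is what you search, sort and filter on. The following Python script is an added example, not code from AWS or this guide, of doing exactly that over a handful of audit log records: it groups records, pulls the opcode name and hex value out of the `Opcode` field, and then answers the questions a reviewer of HSM activity usually asks (how many logins, which ones failed, what happened to a given key handle). The multi-line `Field : value` record layout is an assumption made for the example, and the four sample records are constructed; only the opcode names and hex values (`CN_LOGIN (0xd)`, `CN_GENERATE_KEY_PAIR (0x19)`, `CN_DESTROY_OBJECT (0x11)`) come from the table.

```python
"""Filter AWS CloudHSM audit-log records by Opcode.

Added example (not AWS code). Assumes records are blank-line separated
blocks of 'Field : value' lines; the sample records below are constructed.
"""
import re
from collections import Counter

# Constructed sample records. Opcode names/hex values are from the reference
# table; every other value (timestamps, handles, user names) is made up.
SAMPLE_LOG = """\
Time: 12/19/17 21:01:17.140812, usecs:1513717277140812
Sequence No : 0x1
Command Type(hex) : CN_MGMT_CMD (0x0)
Opcode : CN_LOGIN (0xd)
Session Handle : 0x1004001
User Name : crypto_user
User Type : CU (1)
Response : 0:HSM Return: SUCCESS
Log type : MINIMAL_LOG_ENTRY (0)

Time: 12/19/17 21:01:18.001000, usecs:1513717278001000
Sequence No : 0x2
Command Type(hex) : CN_MGMT_CMD (0x0)
Opcode : CN_GENERATE_KEY_PAIR (0x19)
Session Handle : 0x1004001
Key Handle : 0x20
Response : 0:HSM Return: SUCCESS
Log type : MINIMAL_LOG_ENTRY (0)

Time: 12/19/17 21:01:19.500000, usecs:1513717279500000
Sequence No : 0x3
Command Type(hex) : CN_MGMT_CMD (0x0)
Opcode : CN_DESTROY_OBJECT (0x11)
Session Handle : 0x1004001
Key Handle : 0x20
Response : 0:HSM Return: SUCCESS
Log type : MINIMAL_LOG_ENTRY (0)

Time: 12/19/17 21:02:00.000000, usecs:1513717320000000
Sequence No : 0x4
Command Type(hex) : CN_MGMT_CMD (0x0)
Opcode : CN_LOGIN (0xd)
Session Handle : 0x1004002
User Name : crypto_user
User Type : CU (1)
Response : 1:HSM Return: FAILURE
Log type : MINIMAL_LOG_ENTRY (0)
"""

# "CN_LOGIN (0xd)" -> name CN_LOGIN, hex code d. The hex part is optional
# because the reference table lists some opcodes without one.
_OPCODE_RE = re.compile(r"^(?P<name>[A-Z0-9_]+)(?:\s*\(0x(?P<code>[0-9a-fA-F]+)\))?")


def parse_audit_log(text):
    """Return one dict per record: raw fields plus opcode_name/opcode_value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            # Split on the first colon only: the Time line contains more colons.
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        m = _OPCODE_RE.match(fields.get("Opcode", ""))
        fields["opcode_name"] = m.group("name") if m else None
        fields["opcode_value"] = int(m.group("code"), 16) if m and m.group("code") else None
        events.append(fields)
    return events


def filter_by_opcode(events, *names):
    """Keep only records whose opcode name is one of `names`."""
    wanted = set(names)
    return [e for e in events if e["opcode_name"] in wanted]


def opcode_counts(events):
    """How often each opcode occurs (a quick activity summary)."""
    return Counter(e["opcode_name"] for e in events)


def failed_events(events):
    """Records whose Response field does not report SUCCESS."""
    return [e for e in events if "SUCCESS" not in e.get("Response", "")]


def key_lifecycle(events, key_handle):
    """Ordered list of opcodes that touched a given key handle."""
    return [e["opcode_name"] for e in events if e.get("Key Handle") == key_handle]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print("opcode counts:", dict(opcode_counts(evs)))
    print("failed:", [e["Sequence No"] for e in failed_events(evs)])
    print("key 0x20 lifecycle:", key_lifecycle(evs, "0x20"))
```

Because key-management records carry the key handle and login records carry the user name, the same parsed dicts let you pivot either way: by opcode (all `CN_DESTROY_OBJECT` / `CN_TOMBSTONE_OBJECT` deletions), by user, or by handle to see a key's generate-to-delete history.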