Logging API calls for integrated services - AWS Certificate Manager

Logging API calls for integrated services

You can use CloudTrail to audit API calls made by services that are integrated with ACM. For more information about using CloudTrail, see the AWS CloudTrail User Guide. The following examples show the types of logs that can be generated depending on the AWS resources on which you provision the ACM certificate.

You can use CloudTrail to audit API calls made by services that are integrated with ACM. For more information about using CloudTrail, see the AWS CloudTrail User Guide. The following examples show the types of logs that can be generated depending on the AWS resources on which you provision the ACM certificate.

The following example shows a call to the CreateLoadBalancer function by an IAM user named Alice. The name of the load balancer is TestLinuxDefault, and the listener is created using an ACM certificate.

{ "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/Alice", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"Alice" }, "eventTime":"2016-01-01T21:10:36Z", "eventSource":"elasticloadbalancing.amazonaws.com", "eventName":"CreateLoadBalancer", "awsRegion":"us-east-1", "sourceIPAddress":"192.0.2.0/24", "userAgent":"aws-cli/1.9.15", "requestParameters":{ "availabilityZones":[ "us-east-1b" ], "loadBalancerName":"LinuxTest", "listeners":[ { "sSLCertificateId":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012", "protocol":"HTTPS", "loadBalancerPort":443, "instanceProtocol":"HTTP", "instancePort":80 } ] }, "responseElements":{ "dNSName":"LinuxTest-1234567890.us-east-1.elb.amazonaws.com" }, "requestID":"19669c3b-b0cc-11e5-85b2-57397210a2e5", "eventID":"5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7", "eventType":"AwsApiCall", "recipientAccountId":"111122223333" }

When you provision your website or application on an Amazon Elastic Compute Cloud (Amazon EC2) instance, the load balancer must be made aware of that instance. This can be accomplished through the Elastic Load Balancing console or the AWS Command Line Interface. The following example shows a call to RegisterInstancesWithLoadBalancer for a load balancer named LinuxTest on AWS account 123456789012.

{ "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::123456789012:user/ALice", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"Alice", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2016-01-01T19:35:52Z" } }, "invokedBy":"signin.amazonaws.com" }, "eventTime":"2016-01-01T21:11:45Z", "eventSource":"elasticloadbalancing.amazonaws.com", "eventName":"RegisterInstancesWithLoadBalancer", "awsRegion":"us-east-1", "sourceIPAddress":"192.0.2.0/24", "userAgent":"signin.amazonaws.com", "requestParameters":{ "loadBalancerName":"LinuxTest", "instances":[ { "instanceId":"i-c67f4e78" } ] }, "responseElements":{ "instances":[ { "instanceId":"i-c67f4e78" } ] }, "requestID":"438b07dc-b0cc-11e5-8afb-cda7ba020551", "eventID":"9f284ca6-cbe5-42a1-8251-4f0e6b5739d6", "eventType":"AwsApiCall", "recipientAccountId":"123456789012" }

The following example shows an Encrypt call that encrypts the private key associated with an ACM certificate. Encryption is performed within AWS.

{ "Records":[ { "eventVersion":"1.03", "userIdentity":{ "type":"IAMUser", "principalId":"AIDACKCEVSQ6C2EXAMPLE", "arn":"arn:aws:iam::111122223333:user/acm", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "userName":"acm" }, "eventTime":"2016-01-05T18:36:29Z", "eventSource":"kms.amazonaws.com", "eventName":"Encrypt", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"aws-internal", "requestParameters":{ "keyId":"arn:aws:kms:us-east-1:123456789012:alias/aws/acm", "encryptionContext":{ "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" } }, "responseElements":null, "requestID":"3c417351-b3db-11e5-9a24-7d9457362fcc", "eventID":"1794fe70-796a-45f5-811b-6584948f24ac", "readOnly":true, "resources":[ { "ARN":"arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321", "accountId":"123456789012" } ], "eventType":"AwsServiceEvent", "recipientAccountId":"123456789012" } ] }

The following example shows a Decrypt call that decrypts the private key associated with an ACM certificate. Decryption is performed within AWS, and the decrypted key never leaves AWS.

{ "eventVersion":"1.03", "userIdentity":{ "type":"AssumedRole", "principalId":"AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff", "arn":"arn:aws:sts::111122223333:assumed-role/DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff", "accountId":"111122223333", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2016-01-01T21:13:28Z" }, "sessionIssuer":{ "type":"Role", "principalId":"APKAEIBAERJR2EXAMPLE", "arn":"arn:aws:iam::111122223333:role/DecryptACMCertificate", "accountId":"111122223333", "userName":"DecryptACMCertificate" } } }, "eventTime":"2016-01-01T21:13:28Z", "eventSource":"kms.amazonaws.com", "eventName":"Decrypt", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"aws-internal/3", "requestParameters":{ "encryptionContext":{ "aws:elasticloadbalancing:arn":"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest", "aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321" } }, "responseElements":null, "requestID":"809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a", "eventID":"7f89f7a7-baff-4802-8a88-851488607fb9", "readOnly":true, "resources":[ { "ARN":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", "accountId":"123456789012" } ], "eventType":"AwsServiceEvent", "recipientAccountId":"123456789012" }