使用 AWS CloudTrail 監控資源回收筒 - Amazon Elastic Compute Cloud

使用 AWS CloudTrail 監控資源回收筒

資源回收筒服務與 AWS CloudTrail 整合。CloudTrail 服務會提供由使用者、角色或 AWS 服務的動作記錄。CloudTrail 會將在資源回收筒中執行的所有 API 呼叫擷取為事件。如果您建立追蹤,就可以將 CloudTrail 事件持續交付到 Amazon Simple Storage Service (Amazon S3) 儲存貯體。即使您未設定追蹤,依然可以透過 CloudTrail 主控台中的 Event history (事件歷史記錄) 檢視最新管理事件。您可以使用由 CloudTrail 收集的資訊,來判斷對資源回收筒提出的請求、提出請求的 IP 地址、提出請求的人員、提出請求的時間,以及其他詳細資訊。

如需有關 CloudTrail 的詳細資訊,請參閱 AWS CloudTrail 使用者指南

CloudTrail 中的資源回收筒資訊

當您建立帳戶時,系統即會在 AWS 帳戶中啟用 CloudTrail。當資源回收筒中發生支援的事件活動時,系統便會將該活動記錄至 CloudTrail 事件,並將其他 AWS 服務事件記錄到 Event history (事件歷史記錄) 中。您可以檢視、搜尋和下載 AWS 帳戶的最新事件。如需詳細資訊,請參閱使用 CloudTrail 事件歷史記錄檢視事件

如需您 AWS 帳戶中正在進行事件的記錄 (包含資源回收筒的事件),請建立線索。線索可讓 CloudTrail 將日誌檔案傳遞到 S3 儲存貯體。根據預設,當您在主控台建立追蹤記錄時,追蹤記錄會套用到所有 AWS 區域。該追蹤會記錄來自 AWS 分割區中所有區域的事件,並將日誌檔案交付到您指定的 S3 儲存貯體。此外,您可以設定其他 AWS 服務,以進一步分析和處理 CloudTrail 日誌中所收集的事件資料。如需詳細資訊,請參閱 AWS CloudTrail 使用者指南中的建立追蹤的概觀

支援的 API 動作

對於資源回收筒,您可以使用 CloudTrail 將下列 API 動作記錄為管理事件

  • CreateRule

  • UpdateRule

  • GetRules

  • ListRule

  • DeleteRule

  • TagResource

  • UntagResource

  • ListTagsForResource

如需有關記錄管理事件的詳細資訊,請參閱 CloudTrail 使用者指南中的記錄追蹤的管理事件

身分資訊

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 該請求是否透過根或 AWS Identity and Access Management (IAM) 使用者憑證來提出。

  • 提出該要求時,是否使用了特定角色或聯合身分使用者的暫時安全憑證。

  • 該請求是否由另一項 AWS 服務提出。

如需詳細資訊,請參閱 CloudTrail userIdentityElement

了解資源回收筒日誌檔項目

權杖是一種組態,能讓事件以日誌檔案的形式交付至您指定的 S3 儲存貯體。CloudTrail 日誌檔案包含一個或多個日誌項目。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。CloudTrail 日誌檔並非依公有 API 呼叫的堆疊追蹤排序,因此不會以任何特定順序出現。

以下為 CloudTrail 日誌項目範例。

CreateRule
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-08-02T21:43:38Z" } } }, "eventTime": "2021-08-02T21:45:22Z", "eventSource": "rbin.amazonaws.com", "eventName": "CreateRule", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9", "requestParameters": { "retentionPeriod": { "retentionPeriodValue": 8, "retentionPeriodUnit": "DAYS" }, "description": "Match all snapshots", "resourceType": "EBS_SNAPSHOT" }, "responseElements": { "identifier": "jkrnexample" }, "requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample", "eventID": "714fafex-2eam-42pl-913e-926d4example", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com" } }
GetRule
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-08-02T21:43:38Z" } } }, "eventTime": "2021-08-02T21:45:33Z", "eventSource": "rbin.amazonaws.com", "eventName": "GetRule", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9", "requestParameters": { "identifier": "jkrnexample" }, "responseElements": null, "requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample", "eventID": "714fafex-2eam-42pl-913e-926d4example", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com" } }
ListRules
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-08-02T21:43:38Z" } } }, "eventTime": "2021-08-02T21:44:37Z", "eventSource": "rbin.amazonaws.com", "eventName": "ListRules", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9", "requestParameters": { "resourceTags": [ { "resourceTagKey": "test", "resourceTagValue": "test" } ] }, "responseElements": null, "requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample", "eventID": "714fafex-2eam-42pl-913e-926d4example", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com" } }
UpdateRule
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-08-02T21:43:38Z" } } }, "eventTime": "2021-08-02T21:46:03Z", "eventSource": "rbin.amazonaws.com", "eventName": "UpdateRule", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9", "requestParameters": { "identifier": "jkrnexample", "retentionPeriod": { "retentionPeriodValue": 365, "retentionPeriodUnit": "DAYS" }, "description": "Match all snapshots", "resourceType": "EBS_SNAPSHOT" }, "responseElements": null, "requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample", "eventID": "714fafex-2eam-42pl-913e-926d4example", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com" } }
DeleteRule
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-08-02T21:43:38Z" } } }, "eventTime": "2021-08-02T21:46:25Z", "eventSource": "rbin.amazonaws.com", "eventName": "DeleteRule", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9", "requestParameters": { "identifier": "jkrnexample" }, "responseElements": null, "requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample", "eventID": "714fafex-2eam-42pl-913e-926d4example", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com" } }
TagResource
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012:cheluyao-Isengard", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-10-22T21:38:34Z" } } }, "eventTime": "2021-10-22T21:43:15Z", "eventSource": "rbin.amazonaws.com", "eventName": "TagResource", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.26 Python/3.6.14 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 botocore/1.21.26", "requestParameters": { "resourceArn": "arn:aws:rbin:us-west-2:123456789012:rule/ABCDEF01234", "tags": [ { "key": "purpose", "value": "production" } ] }, "responseElements": null, "requestID": "examplee-7962-49ec-8633-795efexample", "eventID": "example4-6826-4c0a-bdec-0bab1example", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "beta.us-west-2.api.rbs.aws.dev" } }
UntagResource
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012:cheluyao-Isengard", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-10-22T21:38:34Z" } } }, "eventTime": "2021-10-22T21:44:16Z", "eventSource": "rbin.amazonaws.com", "eventName": "UntagResource", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.26 Python/3.6.14 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 botocore/1.21.26", "requestParameters": { "resourceArn": "arn:aws:rbin:us-west-2:123456789012:rule/ABCDEF01234", "tagKeys": [ "purpose" ] }, "responseElements": null, "requestID": "example7-6c1e-4f09-9e46-bb957example", "eventID": "example6-75ff-4c94-a1cd-4d5f5example", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "beta.us-west-2.api.rbs.aws.dev" } }
ListTagsForResource
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012:cheluyao-Isengard", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-10-22T21:38:34Z" } } }, "eventTime": "2021-10-22T21:42:31Z", "eventSource": "rbin.amazonaws.com", "eventName": "ListTagsForResource", "awsRegion": "us-west-2", "sourceIPAddress": "123.123.123.123", "userAgent": "aws-cli/1.20.26 Python/3.6.14 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 botocore/1.21.26", "requestParameters": { "resourceArn": "arn:aws:rbin:us-west-2:123456789012:rule/ABCDEF01234" }, "responseElements": null, "requestID": "example8-10c7-43d4-b147-3d9d9example", "eventID": "example2-24fc-4da7-a479-c9748example", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "beta.us-west-2.api.rbs.aws.dev" } }