This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
AWS AppSync is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in AWS AppSync. CloudTrail captures all API calls for AWS AppSync as events. The calls captured include calls from the AWS AppSync console and code calls to the AWS AppSync APIs. Using the information collected by CloudTrail, you can determine the request that was made to AWS AppSync, the IP address from which the request was made, when it was made, and additional details.
If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket, including events for AWS AppSync. If you don't configure a trail, you can still view the most recent events in the CloudTrail console.
For more information about CloudTrail, see the AWS CloudTrail User Guide.
AWS AppSync information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. In the CloudTrail console, under Event history, you can view, search, and download recent events in your AWS account. For more information, see Viewing events with CloudTrail Event history in the AWS CloudTrail User Guide.
For an ongoing record of events in your AWS account, including events for AWS AppSync, create a trail. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following topics in the AWS CloudTrail User Guide:
CloudTrail logs all AWS AppSync API operations. For example, calls to the CreateGraphqlApi, CreateDataSource, and ListResolvers APIs generate entries in the CloudTrail log files. These and other operations are documented in the AWS AppSync API Reference.
Every event or log entry contains information about who generated the request. The identity information helps you determine:
- Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
- Whether the request was made with temporary security credentials for a role or federated user.
- Whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity element in the AWS CloudTrail User Guide.
AWS AppSync data events in CloudTrail
Data events provide information about the resource operations performed on or in a resource (for example, reading or writing to an Amazon S3 object). These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn't log data events. The CloudTrail Event history doesn't record data events.
Additional charges apply for data events. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.
You can use the CloudTrail console, the AWS CLI, or CloudTrail API operations to log data events for the AWS::AppSync::GraphQL resource type (this covers query, mutation, and subscription operations and connect operations to your real-time WebSocket endpoint, but not the sending of messages through your real-time WebSocket endpoint). For more information about how to log data events, see Logging data events with the AWS Management Console and Logging data events with the AWS Command Line Interface in the AWS CloudTrail User Guide.
The following table lists the AWS AppSync resource types for which you can log data events. The Data event type (console) column shows the value to choose from the Data event type list in the CloudTrail console. The resources.type value column shows the resources.type value that you specify when configuring advanced event selectors using the AWS CLI or CloudTrail APIs. The Data APIs logged to CloudTrail column shows the API calls logged to CloudTrail for the resource type.
Data event type (console) | resources.type value | Data APIs logged to CloudTrail |
---|---|---|
AppSync GraphQL | AWS::AppSync::GraphQL | |
You can configure advanced event selectors to filter on the eventName, readOnly, and resources.ARN fields so that only the events that matter to you are logged. For more information about these fields, see AdvancedFieldSelector in the AWS CloudTrail API Reference.
```json
[
  {
    "name": "Only 1 AppSync API",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::AppSync::GraphQL"
        ]
      },
      {
        "field": "resources.ARN",
        "equals": [
          "arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId"
        ]
      }
    ]
  }
]
```
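The selector above scopes data-event logging to a single API by ARN. As an added example (not AWS documentation code), the following Python builds the same selector structure for any number of API ARNs, optionally adds a readOnly filter so that only state-changing operations are logged, and shows how the result is applied with boto3's put_event_selectors. The API ARNs and trail name are constructed placeholders, and appsync_data_event_selectors and apply_selectors are this example's own function names.

```python
"""Build CloudTrail advanced event selectors that restrict AppSync data-event
logging to specific GraphQL APIs.

Added example, not AWS documentation code. The API ARNs and trail name used
below are constructed placeholders; the field names (eventCategory,
resources.type, resources.ARN, readOnly) are those documented for
AdvancedFieldSelector.
"""
import json

APPSYNC_DATA_RESOURCE_TYPE = "AWS::AppSync::GraphQL"


def appsync_data_event_selectors(api_arns, name="AppSync data events", mutations_only=False):
    """Return an AdvancedEventSelectors list limited to the given API ARNs.

    Several ARNs in one "equals" list are matched as alternatives, so one
    selector covers all listed APIs. With mutations_only=True a
    readOnly=false selector is added: query operations are then not logged,
    which cuts data-event volume (and cost) while keeping every call that
    changes state.
    """
    if not api_arns:
        raise ValueError("at least one AppSync API ARN is required")
    for arn in api_arns:
        # Cheap sanity check so a typo does not silently produce a selector
        # that matches nothing.
        if not arn.startswith("arn:aws:appsync:") or ":apis/" not in arn:
            raise ValueError(f"not an AppSync API ARN: {arn}")

    field_selectors = [
        {"field": "eventCategory", "equals": ["Data"]},
        {"field": "resources.type", "equals": [APPSYNC_DATA_RESOURCE_TYPE]},
        {"field": "resources.ARN", "equals": list(api_arns)},
    ]
    if mutations_only:
        # readOnly is compared as the string "false" in advanced selectors.
        field_selectors.append({"field": "readOnly", "equals": ["false"]})
    return [{"name": name, "fieldSelectors": field_selectors}]


def apply_selectors(trail_name, selectors):
    """Apply the selectors to an existing trail via boto3.

    Assumption: credentials allowing cloudtrail:PutEventSelectors are
    configured. boto3 is imported here so the builder above runs without it.
    """
    import boto3
    client = boto3.client("cloudtrail")
    return client.put_event_selectors(TrailName=trail_name, AdvancedEventSelectors=selectors)


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own API ARNs.
    arns = [
        "arn:aws:appsync:us-east-1:111122223333:apis/YourGraphQLApiId",
        "arn:aws:appsync:us-east-1:111122223333:apis/AnotherGraphQLApiId",
    ]
    print(json.dumps(appsync_data_event_selectors(arns, mutations_only=True), indent=2))
    # apply_selectors("my-trail", appsync_data_event_selectors(arns))  # placeholder trail name
```

Keeping eventCategory and resources.type in the selector even when you filter on resources.ARN matters: without them the trail would not classify the entries as AppSync data events at all, and the ARN match alone would not enable data-event logging.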
Understanding AWS AppSync log file entries
CloudTrail delivers events as log files that contain one or more log entries. An event represents a single request from any source and includes information about the requested operation, the date and time of the operation, request parameters, and so on. Because these log files are not an ordered stack trace of public API calls, they do not appear in any specific order.
Note
For logs emitted by AWS AppSync, the requestID is not a unique identifier of an authorization. The requestID can be overridden by the client, so be cautious when making decisions based on this information.
The following example CloudTrail log entry demonstrates the CreateApiKey operation.
```json
{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "A1B2C3D4E5F6G7EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego_ramirez"
      },
      "eventTime": "2018-01-31T21:49:09Z",
      "eventSource": "appsync.amazonaws.com",
      "eventName": "CreateApiKey",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.2.0.1",
      "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
      "requestParameters": {
        "apiId": "a1b2c3d4e5f6g7h8i9jexample"
      },
      "responseElements": {
        "apiKey": {
          "id": "***",
          "expires": 1518037200000
        }
      },
      "requestID": "99999999-9999-9999-9999-999999999999",
      "eventID": "99999999-9999-9999-9999-999999999999",
      "readOnly": false,
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}
```
The following example CloudTrail log entry demonstrates the ListApiKeys operation.
```json
{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "A1B2C3D4E5F6G7EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/diego_ramirez",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego_ramirez"
      },
      "eventTime": "2018-01-31T21:49:09Z",
      "eventSource": "appsync.amazonaws.com",
      "eventName": "ListApiKeys",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.2.0.1",
      "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
      "requestParameters": {
        "apiId": "a1b2c3d4e5f6g7h8i9jexample"
      },
      "responseElements": {
        "apiKeys": [
          {
            "id": "***",
            "expires": 1517954400000
          },
          {
            "id": "***",
            "expires": 1518037200000
          }
        ]
      },
      "requestID": "99999999-9999-9999-9999-999999999999",
      "eventID": "99999999-9999-9999-9999-999999999999",
      "readOnly": false,
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}
```
The following example CloudTrail log entry demonstrates the DeleteApiKey operation.
```json
{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "A1B2C3D4E5F6G7EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/diego_ramirez",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego_ramirez"
      },
      "eventTime": "2018-01-31T21:49:09Z",
      "eventSource": "appsync.amazonaws.com",
      "eventName": "DeleteApiKey",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.2.0.1",
      "userAgent": "aws-cli/1.11.72 Python/2.7.11 Darwin/16.7.0 botocore/1.5.35",
      "requestParameters": {
        "id": "***",
        "apiId": "a1b2c3d4e5f6g7h8i9jexample"
      },
      "responseElements": null,
      "requestID": "99999999-9999-9999-9999-999999999999",
      "eventID": "99999999-9999-9999-9999-999999999999",
      "readOnly": false,
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}
```
The following example CloudTrail log entry demonstrates a successful GraphQL mutation authorized by a custom Lambda function authorizer.
```json
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T15:42:30Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyMutation",
    "authType": [
      "AWS_LAMBDA"
    ],
    "fieldAuthorizationResults": {
      "deniedFields": []
    }
  },
  "requestID": "c2d3768b-3446-40a1-bd95-8399fe776f96",
  "eventID": "21568be1-a1a8-4f43-b978-63cb4cc02a96",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```
The following example CloudTrail log entry demonstrates a partially successful GraphQL operation authorized by a custom Lambda function authorizer. Note the fieldAuthorizationResults.deniedFields property, which lists the denied fields.
```json
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T16:11:49Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyMutation",
    "authType": [
      "AWS_LAMBDA"
    ],
    "fieldAuthorizationResults": {
      "deniedFields": [
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Mutation/fields/createPost",
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Subscription/fields/onCreatePost",
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Post/fields/status"
      ]
    }
  },
  "requestID": "ae817c4c-66ba-4f64-92a5-ba9c9c341dcd",
  "eventID": "30109698-7605-476a-9dff-b7ed78d134dc",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```
The following example CloudTrail log entry demonstrates a failed GraphQL operation.
```json
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown"
  },
  "eventTime": "2024-11-06T15:51:11Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "errorCode": "AccessDenied",
  "errorMessage": "{\n \"errors\" : [ {\n \"errorType\" : \"UnauthorizedException\",\n \"message\" : \"You are not authorized to make this call.\"\n } ]\n}",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "MyFullyDeniedLambdaMutation"
  },
  "requestID": "0bef3cf3-a48b-4de9-8b1f-038afb563516",
  "eventID": "b738651f-4ec0-4548-8fec-200c6b42842b",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```
The following example demonstrates a successful GraphQL request.
```json
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE:jane_doe",
    "arn": "arn:aws:sts::123456789012:assumed-role/admin/jane_doe",
    "accountId": "123456789012",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/admin",
        "accountId": "123456789012",
        "userName": "jane_doe"
      },
      "attributes": {
        "creationDate": "2024-11-06T15:40:09Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-11-06T16:03:43Z",
  "eventSource": "appsync.amazonaws.com",
  "eventName": "GraphQL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "15.248.1.214",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "operationName": "IamFullSuccess",
    "authType": [
      "AWS_IAM"
    ],
    "fieldAuthorizationResults": {
      "allowedFields": [
        "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u/types/Mutation/fields/createSecondPostAllowed"
      ],
      "deniedFields": []
    }
  },
  "requestID": "edc6bbbf-6bf2-40f5-820f-ef444f12e0c1",
  "eventID": "524656a5-0925-4370-9e7e-08888e9c299f",
  "readOnly": false,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::AppSync::GraphQLApi",
      "ARN": "arn:aws:appsync:us-west-2:123456789012:apis/rxfqcxzi3nbvza2hsq4njqqq6u"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
```
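The entries above show the shapes a defender has to handle: management events with an IAM user identity, data events whose identity is Unknown because a Lambda authorizer decided access, a partially denied operation (deniedFields populated), a fully denied one (errorCode AccessDenied), and an IAM-authorized call from an assumed role. As an added example (not AWS code), the following Python triage script reads constructed records modelled on those entries, summarises who acted along the lines of the userIdentity bullets earlier on this page, surfaces the denied cases and API key lifecycle calls, and deduplicates on eventID rather than requestID because of the note that the requestID can be set by the client. Account IDs, ARNs and event IDs in SAMPLE_RECORDS are placeholders; describe_identity and triage are this example's own functions.

```python
"""Triage AppSync CloudTrail records: summarise who acted, surface partially
and fully denied GraphQL operations, flag API key lifecycle calls, and
deduplicate on eventID rather than the client-controllable requestID.

Added example, not AWS code. SAMPLE_RECORDS is constructed from the shapes
of the entries above; account IDs, ARNs and IDs are placeholders.
"""
import json

# Management operations worth alerting on (UpdateApiKey is a real AppSync
# API that does not appear in the entries above).
API_KEY_LIFECYCLE = {"CreateApiKey", "UpdateApiKey", "DeleteApiKey"}

_API = "arn:aws:appsync:us-west-2:123456789012:apis/EXAMPLEAPIID"  # placeholder

SAMPLE_RECORDS = [
    {   # management event: IAM user creates an API key
        "eventName": "CreateApiKey", "eventID": "e1", "requestID": "r1",
        "eventTime": "2018-01-31T21:49:09Z", "sourceIPAddress": "192.2.0.1",
        "userIdentity": {"type": "IAMUser", "userName": "diego_ramirez"},
        "requestParameters": {"apiId": "a1b2c3d4e5f6g7h8i9jexample"},
    },
    {   # data event: Lambda authorizer allowed the request but denied one field
        "eventName": "GraphQL", "eventID": "e2", "requestID": "client-chosen-id",
        "eventTime": "2024-11-06T16:11:49Z", "sourceIPAddress": "15.248.1.214",
        "userIdentity": {"type": "Unknown"},
        "additionalEventData": {
            "operationName": "MyMutation", "authType": ["AWS_LAMBDA"],
            "fieldAuthorizationResults": {
                "deniedFields": [_API + "/types/Mutation/fields/createPost"]},
        },
    },
    {   # data event: fully denied; shares a requestID with e2 but is a distinct event
        "eventName": "GraphQL", "eventID": "e3", "requestID": "client-chosen-id",
        "eventTime": "2024-11-06T15:51:11Z", "sourceIPAddress": "15.248.1.214",
        "userIdentity": {"type": "Unknown"}, "errorCode": "AccessDenied",
        "additionalEventData": {"operationName": "MyFullyDeniedLambdaMutation"},
    },
    {   # data event: IAM-authorized success from an assumed role without MFA
        "eventName": "GraphQL", "eventID": "e4", "requestID": "r4",
        "eventTime": "2024-11-06T16:03:43Z", "sourceIPAddress": "15.248.1.214",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/admin/jane_doe",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "additionalEventData": {
            "operationName": "IamFullSuccess", "authType": ["AWS_IAM"],
            "fieldAuthorizationResults": {
                "allowedFields": [_API + "/types/Mutation/fields/createSecondPostAllowed"],
                "deniedFields": []},
        },
    },
]
SAMPLE_RECORDS.append(dict(SAMPLE_RECORDS[3]))  # simulated duplicate delivery of e4


def describe_identity(record):
    """Answer the userIdentity questions: root or IAM user credentials,
    temporary role/federated credentials (and whether MFA was used), or
    another AWS service. Data events authorized outside IAM carry type
    Unknown, as the Lambda-authorizer entries above show."""
    ident = record.get("userIdentity") or {}
    kind = ident.get("type")
    if kind == "Root":
        return "root credentials"
    if kind == "IAMUser":
        return f"IAM user {ident.get('userName', '?')}"
    if kind in ("AssumedRole", "FederatedUser"):
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        return f"temporary credentials for {ident.get('arn', '?')} (mfa={attrs.get('mfaAuthenticated', '?')})"
    if kind == "AWSService":
        return f"AWS service {ident.get('invokedBy', '?')}"
    return f"unresolved identity ({kind})"


def triage(records):
    """Return (findings, duplicates_dropped). Deduplication keys on eventID:
    for AppSync logs the requestID can be set by the client, so two different
    events may share one requestID and must not be collapsed into one."""
    seen, findings, dropped = set(), [], 0
    for rec in records:
        eid = rec.get("eventID")
        if eid in seen:
            dropped += 1
            continue
        seen.add(eid)
        extra = rec.get("additionalEventData") or {}
        base = {"eventID": eid, "time": rec.get("eventTime"),
                "ip": rec.get("sourceIPAddress"), "who": describe_identity(rec),
                "operation": extra.get("operationName", rec.get("eventName"))}
        if rec.get("errorCode") == "AccessDenied":
            findings.append({**base, "finding": "access_denied"})
        denied = (extra.get("fieldAuthorizationResults") or {}).get("deniedFields") or []
        if denied:
            findings.append({**base, "finding": "partial_denial", "deniedFields": denied})
        if rec.get("eventName") in API_KEY_LIFECYCLE:
            params = rec.get("requestParameters") or {}
            findings.append({**base, "finding": "api_key_change", "apiId": params.get("apiId")})
    return findings, dropped


if __name__ == "__main__":
    found, dups = triage(SAMPLE_RECORDS)
    print(json.dumps(found, indent=2))
    print(f"duplicate records dropped: {dups}")
```

On real log files, feed `triage` the `Records` array of each delivered file; the same eventID-based deduplication then also handles a file delivered twice. A partial denial is reported separately from a full denial because the former means the mutation ran with some fields stripped, which is a different investigation than a request that never executed.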