存取 AWS Health API - AWS Health
端點使用高可用性端點示範簽署 AWS Health API 請求

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

存取 AWS Health API

AWS Health是使用 HTTPS 作為傳輸和 JSON 作為消息序列化格式的 RESTful Web 服務。您的應用程式程式碼能夠直接向 AWS Health API 發出請求。直接使用 REST API 時,您必須編寫必要的程式碼,以簽署和驗證您的請求。如需AWS Health作業和參數的詳細資訊,請參閱《AWS HealthAPI 參考》。

注意

您必須訂閱商業、Enterprise On-Ramp 或企業 Support 計劃AWS Support才能使用AWS Health API。如果您從沒有商業、Enterprise On-Ramp 或企業 Support 計劃的AWS帳戶呼叫AWS Health API,您會收到SubscriptionRequiredException錯誤。

您可以使用AWS SDK 來包裝AWS Health REST API 呼叫,以簡化應用程式開發作業。您可以指定您的AWS憑據,這些庫會為您處理身份驗證和請求簽名。

AWS Health也會在中提供AWS Health儀表板AWS Management Console,讓您用來檢視和搜尋事件和受影響的實體。請參閱 開始使用AWS Health儀表板 — 您的帳戶健康狀態

端點

AWS HealthAPI 遵循多區域應用程式架構,並在主動-被動組態中具有兩個地區端點。若要支援主動-被動 DNS 容錯移轉,請AWS Health提供單一的全域端點。您可以在全域端點上執行 DNS 查閱,以判斷作用中端點和對應的簽署AWS區域。這有助於您知道程式碼中要使用哪個端點,以便從AWS Health.

向全域端點提出要求時,您必須指定對目標的地區端點的AWS存取認證,並為您的區域設定簽署。否則,您的驗證可能會失敗。如需詳細資訊,請參閱簽署 AWS Health API 請求

下表代表預設組態。

描述 簽署區域 端點 通訊協定
作用中

us-east-1

健康 .1. amazonaws.com

 HTTPS
被動

us-east-2

健康 .1.

 HTTPS
全球服務

us-east-1

注意

這是目前作用中端點的簽署區域。

全球健康. 亞馬遜

 HTTPS

若要判斷端點是否為作用中端點,請在全域端點 CNAME 上執行 DNS 查閱,然後從解析的名稱擷取該AWS區域。

範例 :全域端點上的 DNS 查詢

下列命令會完成在然後,命令會傳回 US-東-1 區域端點。此輸出告訴您應該使用哪個端點AWS Health。

dig global.health.amazonaws.com | grep CNAME
global.health.amazonaws.com. 10 IN CNAME health.us-east-1.amazonaws.com
提示

主動端點和被動端點都會傳回AWS Health資料。不過,最新AWS Health資料只能從作用中端點取得。來自被動端點的資料最終會與主動端點一致。建議您在作用中端點變更時重新啟動任何工作流程。

使用高可用性端點示範

在下列程式碼範例中,AWS Health使用 DNS 查閱對全域端點來判斷作用中的地區端點和簽署區域。然後,如果作用中端點變更,程式碼會重新啟動工作流程。

使用

先決條件

您必須安裝搖籃

若要使用 Java 範例

  1. 從下載AWS Health高可用性端點示範 GitHub。

  2. 導覽至示範專案high-availability-endpoint/java目錄。

  3. 在命令行視窗中,請輸入下列命令。

    gradle build

  4. 輸入下列命令以指定您的AWS憑證。

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_SESSION_TOKEN="your-aws-token"

  5. 輸入下列命令來執行示範。

    gradle run
    範例 :AWS Health事件輸出

    程式碼範例會傳回您AWS帳戶中過去七天內最近發生的AWS Health事件。在下列範例中,輸出包含AWS Config服務的AWS Health事件。

    > Task :run
[main] INFO aws.health.high.availability.endpoint.demo.HighAvailabilityV2Workflow - EventDetails(Event=Event(Arn=arn:aws:health:global::event/CONFIG/AWS_CONFIG_OPERATIONAL_NOTIFICATION/AWS_CONFIG_OPERATIONAL_NOTIFICATION_88a43e8a-e419-4ca7-9baa-56bcde4dba3, 
Service=CONFIG, EventTypeCode=AWS_CONFIG_OPERATIONAL_NOTIFICATION, EventTypeCategory=accountNotification, Region=global, StartTime=2020-09-11T02:55:49.899Z, LastUpdatedTime=2020-09-11T03:46:31.764Z, 
StatusCode=open, EventScopeCode=ACCOUNT_SPECIFIC), EventDescription=EventDescription(LatestDescription=As part of our ongoing efforts to optimize costs associated with recording changes related to certain ephemeral workloads, 
AWS Config is scheduled to release an update to relationships modeled within ConfigurationItems (CI) for 7 EC2 resource types on August 1, 2021. 
Examples of ephemeral workloads include changes to Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon Elastic MapReduce jobs, and Amazon EC2 Autoscaling. 
This update will optimize CI models for EC2 Instance, SecurityGroup, Network Interface, Subnet, VPC, VPN Gateway, and Customer Gateway resource types to record direct relationships and deprecate indirect relationships.
 
A direct relationship is defined as a one-way relationship (A->B) between a resource (A) and another resource (B), and is typically derived from the Describe API response of resource (A). 
An indirect relationship, on the other hand, is a relationship that AWS Config infers (B->A), in order to create a bidirectional relationship. 
For example, EC2 instance -> Security Group is a direct relationship, since security groups are returned as part of the describe API response for an EC2 instance. 
But Security Group -> EC2 instance is an indirect relationship, since EC2 instances are not returned when describing an EC2 Security group.
 
Until now, AWS Config has recorded both direct and indirect relationships. With the launch of Advanced queries in March 2019, indirect relationships can easily be answered by running Structured Query Language (SQL) queries such as:
 
SELECT
 resourceId,
 resourceType
WHERE
 resourceType ='AWS::EC2::Instance'
AND
 relationships.resourceId = 'sg-234213'
 
By deprecating indirect relationships, we can optimize the information contained within a
Configuration Item while reducing AWS Config costs related to relationship changes. 
This is especially useful in case of ephemeral workloads where there is a high volume of configuration changes for EC2 resource types.
 
Which resource relationships are being removed?
 
Resource Type: Related Resource Type
1 AWS::EC2::CustomerGateway: AWS::VPN::Connection
2 AWS::EC2::Instance: AWS::EC2::EIP, AWS::EC2::RouteTable
3 AWS::EC2::NetworkInterface: AWS::EC2::EIP, AWS::EC2::RouteTable
4 AWS::EC2::SecurityGroup: AWS::EC2::Instance, AWS::EC2::NetworkInterface
5 AWS::EC2::Subnet: AWS::EC2::Instance, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable
6 AWS::EC2::VPC: AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::SecurityGroup
7 AWS::EC2::VPNGateway: AWS::EC2::RouteTable, AWS::EC2::VPNConnection
 
Alternate mechanism to retrieve this relationship information:
The SelectResourceConfig API accepts a SQL SELECT command, performs the corresponding search, and returns resource configurations matching the properties. You can use this API to retrieve the same relationship information. 
For example, to retrieve the list of all EC2 Instances related to a particular VPC vpc-1234abc, you can use the following query:
 
SELECT
 resourceId,
 resourceType
WHERE
 resourceType ='AWS::EC2::Instance'
AND
 relationships.resourceId = 'vpc-1234abc'
 
If you have any questions regarding this deprecation plan, please contact AWS Support [1]. Additional sample queries to retrieve the relationship information for the resources listed above is provided in [2].
 
[1] https://aws.amazon.com/support
[2] https://docs.aws.amazon.com/config/latest/developerguide/examplerelationshipqueries.html),
EventMetadata={})

Java 資源

  • 有關更多信息,請參閱 AWS SDK for JavaAPI 參考 HealthClient中的口和源代碼

  • 如需此示範中針對 DNS 查閱所使用之程式庫的詳細資訊,請參閱中的 dnsjava GitHub。

使用 Python

先決條件

您必須安裝蟒 3

若要使用 Python 範例

  1. 從下載AWS Health高可用性端點示範 GitHub。

  2. 導覽至示範專案high-availability-endpoint/python目錄。

  3. 在命令行視窗中,請輸入下列命令。

    pip3 install virtualenv 
virtualenv -p python3 v-aws-health-env
    注意

    對於 Python 3.3 及更高版本,您可以使用內置venv模塊創建虛擬環境,而不是安裝virtualenv。如需詳細資訊,請參閱 venv-在 Python 網站上建立虛擬環境

    python3 -m venv v-aws-health-env

  4. 輸入下列命令以啟動虛擬環境。

    source v-aws-health-env/bin/activate

  5. 輸入下列命令以安裝相依性。

    pip install -r requirements.txt

  6. 輸入下列命令以指定您的AWS憑證。

    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_SESSION_TOKEN="your-aws-token"

  7. 輸入下列命令來執行示範。

    python3 main.py
    範例 :AWS Health事件輸出

    程式碼範例會傳回您AWS帳戶中過去七天內最近發生的AWS Health事件。下列輸出會傳回安AWS全性通知的AWS Health事件。

    INFO:botocore.credentials:Found credentials in environment variables.
INFO:root:Details: {'arn': 'arn:aws:health:global::event/SECURITY/AWS_SECURITY_NOTIFICATION/AWS_SECURITY_NOTIFICATION_0e35e47e-2247-47c4-a9a5-876544042721', 
'service': 'SECURITY', 'eventTypeCode': 'AWS_SECURITY_NOTIFICATION', 'eventTypeCategory': 'accountNotification', 'region': 'global', 'startTime': datetime.datetime(2020, 8, 19, 23, 30, 42, 476000, 
tzinfo=tzlocal()), 'lastUpdatedTime': datetime.datetime(2020, 8, 20, 20, 44, 9, 547000, tzinfo=tzlocal()), 'statusCode': 'open', 'eventScopeCode': 'PUBLIC'}, description: 
{'latestDescription': 'This is the second notice regarding TLS requirements on FIPS endpoints.\n\nWe
are in the process of updating all AWS Federal Information Processing Standard (FIPS) endpoints across all AWS regions 
to Transport Layer Security (TLS) version 1.2 by March 31, 2021 . In order to avoid an interruption in service, we encourage you to act now, by ensuring that you connect to AWS FIPS endpoints at a TLS version of 1.2. 
If your client applications fail to support TLS 1.2 it will result in connection failures when TLS versions below 1.2 are no longer supported.\n\nBetween now and March 31, 2021 AWS will remove TLS 1.0 and TLS 1.1 support from each FIPS endpoint where no connections below TLS 1.2 are detected over a 30-day period. 
After March 31, 2021 we may deploy this change to all AWS FIPS endpoints, even if there continue
to be customer connections detected at TLS versions below 1.2. \n\nWe will provide additional updates and reminders on the AWS Security Blog, with a ‘TLS’ tag [1]. If you need further guidance or assistance, please contact AWS Support [2] or your Technical Account Manager (TAM). 
Additional information is below.\n\nHow can I identify clients that are connecting with TLS
1.0/1.1?\nFor customers using S3 [3], Cloudfront [4] or Application Load Balancer [5] you can use
your access logs to view the TLS connection information for these services, and identify client
connections that are not at TLS 1.2. If you are using the AWS Developer Tools on your clients, 
you can find information on how to properly configure your client’s TLS versions by visiting Tools to Build on AWS [7] or our associated AWS Security Blog has a link for each unique code language [7].\n\nWhat is Transport Layer Security (TLS)?\nTransport Layer Security (TLS Protocols) are cryptographic protocols designed to provide secure communication across a computer network 
[6].\n\nWhat are AWS FIPS endpoints? \nAll AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints [9] for customers that require use of FIPS validated cryptographic libraries. \n\n[1] https://aws.amazon.com/blogs/security/tag/tls/\n[2] https://aws.amazon.com/support\n[3] 
https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html\n[4] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html\n[5] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html\n[6] https://aws.amazon.com/tools\n[7] https://aws.amazon.com/blogs/security/tls-1-2-to-become-the-minimum-for-all-aws-fips-endpoints\n[8] 
https://en.wikipedia.org/wiki/Transport_Layer_Security\n[9] https://aws.amazon.com/compliance/fips'}

  8. 完成後,請輸入下列命令以停用虛擬機器。

    deactivate

Python 資源

簽署 AWS Health API 請求

在使用AWS軟體開發套件或AWS Command Line Interface (AWS CLI) 對提出請求時AWS,這些工具會自動使用您設定工具時指定的存取金鑰,替您簽署請求。例如,如果您使用先前AWS SDK for Java的高可用性端點示範例,您不必自行簽署請求。

Java 程式碼範例

如需有關如何搭配使用AWS Health API 的更多範例AWS SDK for Java,請參閱此範例程式碼

在提出請求時,我們強烈建議您不要使用AWS根帳戶憑證來定期存取AWS Health。您可以使用 IAM 使用者的登入資料。如需詳細資訊,請參閱 IAM 使用者指南中的鎖定AWS帳戶根使用者存取金鑰

如果您未使用AWS軟體開發套件或AWS CLI,您必須自行簽署請求。我們建議您使用AWS簽章第 4 版。如需詳細資訊,請參閱《AWS 一般參考》AWS中的簽署 API 請求