使用 AWS CloudTrail 記錄 API 呼叫 - AWS WAF、AWS Firewall Manager 與 AWS Shield Advanced

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用 AWS CloudTrail 記錄 API 呼叫

AWS WAFAWS Shield Advanced、與服務整AWS Firewall Manager合AWS CloudTrail,可提供使用者、角色或服務所採取之動作記錄的AWS服務。 CloudTrail 擷取這些服務的 API 呼叫子集作為事件,包括來自「AWS WAFShield 牌進階」或「Firewall Manager 員」主控台的呼叫AWS WAF,以及從「Shield 牌進階」或「Firewall Manager 員」API 的程式碼呼叫。如果您建立追蹤,您可以啟用持續傳遞 CloudTrail 事件到 Amazon S3 儲存貯體,包括事件AWS WAF、防 Shield 進階或 Firewall Manager 員。如果您未設定追蹤,您仍然可以在 [事件歷程記錄] 中檢視 CloudTrail 主控台中最近的事件。使用收集的資訊 CloudTrail,您可以判斷對這些服務提出的要求、提出要求的來源 IP 位址、提出要求的人員、提出要求的時間以及其他詳細資訊。

若要進一步了解 CloudTrail,包括如何設定和啟用它,請參閱AWS CloudTrail使用者指南

CloudTrail 在您創建帳戶AWS 帳戶時啟用。當「Shield 牌進階」或「Firewall Manager 員」中AWS WAF發生受支援的事件活動時,該活動會與 CloudTrail事件歷史記錄中的其他AWS服務事件一起記錄在事件中。您可以檢視、搜尋和下載 AWS 帳戶 的最新事件。如需詳細資訊,請參閱檢視具有事 CloudTrail 件記錄的事件

如需持續記錄您AWS 帳戶的事件 (包括「Shield 牌進階」或「Firewall Manager 員」的事件),請AWS WAF建立追蹤。追蹤可 CloudTrail 將日誌檔交付到 Amazon S3 儲存貯體。在主控台建立追蹤記錄時,該追蹤記錄預設會套用到所有區域。該追蹤會記錄來自 AWS 分割區中所有區域的事件,並將日誌檔案交付到您指定的 Amazon S3 儲存貯體。此外,您還可以設定其他AWS服務,以進一步分析 CloudTrail 記錄中收集的事件資料並採取行動。如需詳細資訊,請參閱下列內容:

AWS CloudTrail 中的 AWS WAF 資訊

AWS CloudTrail 會記錄所有 AWS WAF 動作,列在 AWS WAF API 參考中。例如,對 ListWebACLUpdateWebACLDeleteWebACL 的呼叫,會在 CloudTrail 日誌檔中產生項目。

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 要求是否使用 root 使用者認證提出

  • 提出該請求時,是否使用了特定角色或聯合身分使用者的臨時安全憑證

  • 該請求是否由另一項 AWS 服務提出

如需詳細資訊,請參閱 CloudTrail userIdentity 元素

範例:AWS WAF 日誌檔案項目

追蹤是一種組態,可讓事件以日誌檔的形式傳遞到您指定的 Amazon S3 儲存貯體。 AWS CloudTrail記錄檔包含一或多個記錄項目。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。 CloudTrail 日誌文件不是公共 API 調用的有序堆棧跟踪,因此它們不會以任何特定順序顯示。

以下是 AWS WAF Web ACL 作業的 CloudTrail 記錄項目範例。

範例:的 CloudTrail 記錄項目 CreateWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "principalId", "arn": "arn:aws:sts::112233445566:assumed-role/Admin", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "principalId", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T03:43:07Z" } } }, "eventTime": "2019-11-06T03:44:21Z", "eventSource": "wafv2.amazonaws.com", "eventName": "CreateWebACL", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "defaultAction": { "block": {} }, "description": "foo", "rules": [ { "name": "foo", "priority": 1, "statement": { "geoMatchStatement": { "countryCodes": [ "AF", "AF" ] } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" } }, "responseElements": { "summary": { "name": "foo", "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b", "description": "foo", "lockToken": "67551e73-49d8-4363-be48-244deea72ea9", "aRN": "arn:aws:wafv2:us-east-1:112233445566:global/webacl/foo/ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b" } }, "requestID": "c51521ba-3911-45ca-ba77-43aba50471ca", "eventID": "afd1a60a-7d84-417f-bc9c-7116cf029065", "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例:的 CloudTrail 記錄項目 GetWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "AssumedRole", "arn": "arn:aws:sts::112233445566:assumed-role/Admin/admin", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AssumedRole", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T19:17:20Z" } } }, "eventTime": "2019-11-06T19:18:28Z", "eventSource": "wafv2.amazonaws.com", "eventName": "GetWebACL", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "id": "webacl" }, "responseElements": null, "requestID": "f2db4884-4eeb-490c-afe7-67cbb494ce3b", "eventID": "7d563cd6-4123-4082-8880-c2d1fda4d90b", "readOnly": true, "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例:的 CloudTrail 記錄項目 UpdateWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "principalId", "arn": "arn:aws:sts::112233445566:assumed-role/Admin", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "principalId", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T19:17:20Z" } } }, "eventTime": "2019-11-06T19:20:56Z", "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL", "awsRegion": ""us-east-1, "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b", "defaultAction": { "block": {} }, "description": "foo", "rules": [ { "name": "foo", "priority": 1, "statement": { "geoMatchStatement": { "countryCodes": [ "AF" ] } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" }, "lockToken": "67551e73-49d8-4363-be48-244deea72ea9" }, "responseElements": { "nextLockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d" }, "requestID": "41c96e12-9790-46ab-b145-a230f358f2c2", "eventID": "517a10e6-4ca9-4828-af90-a5cff9756594", "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例:的 CloudTrail 記錄項目 DeleteWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "principalId", "arn": "arn:aws:sts::112233445566:assumed-role/Admin/sheqiang-Isengard", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "principalId", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T19:17:20Z" } } }, "eventTime": "2019-11-06T19:25:17Z", "eventSource": "wafv2.amazonaws.com", "eventName": "DeleteWebACL", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b", "lockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d" }, "responseElements": null, "requestID": "71703f89-e139-440c-96d4-9c77f4cd7565", "eventID": "2f976624-b6a5-4a09-a8d0-aa3e9f4e5187", "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例:AWS WAF Classic 日誌檔項目

AWS WAF Classic 是舊版的 AWS WAF。如需相關資訊,請參閱 AWS WAF Classic

日誌項目會示範 CreateRuleGetRuleUpdateRuleDeleteRule 操作:

{ "Records": [ { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:14Z", "eventSource": "waf.amazonaws.com", "eventName": "CreateRule", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "name": "0923ab32-7229-49f0-a0e3-66c81example", "changeToken": "l9434322-8685-4ed2-9c5b-9410bexample", "metricName": "0923ab32722949f0a0e366c81example" }, "responseElements": { "rule": { "metricName": "0923ab32722949f0a0e366c81example", "ruleId": "12132e64-6750-4725-b714-e7544example", "predicates": [ ], "name": "0923ab32-7229-49f0-a0e3-66c81example" }, "changeToken": "l9434322-8685-4ed2-9c5b-9410bexample" }, "requestID": "4e6b66f9-d548-11e3-a8a9-73e33example", "eventID": "923f4321-d378-4619-9b72-4605bexample", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:22Z", "eventSource": "waf.amazonaws.com", "eventName": "GetRule", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "ruleId": "723c2943-82dc-4bc1-a29b-c7d73example" }, "responseElements": null, "requestID": "8e4f3211-d548-11e3-a8a9-73e33example", "eventID": "an236542-d1f9-4639-bb3d-8d2bbexample", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:13Z", "eventSource": "waf.amazonaws.com", "eventName": "UpdateRule", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "ruleId": "7237b123-7903-4d9e-8176-9d71dexample", "changeToken": "32343a11-35e2-4dab-81d8-6d408example", "updates": [ { "predicate": { "type": "SizeConstraint", "dataId": "9239c032-bbbe-4b80-909b-782c0example", "negated": false }, "action": "INSERT" } ] }, "responseElements": { "changeToken": "32343a11-35e2-4dab-81d8-6d408example" }, "requestID": "11918283-0b2d-11e6-9ccc-f9921example", "eventID": "00032abc-5bce-4237-a8ee-5f1a9example", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:28Z", "eventSource": "waf.amazonaws.com", "eventName": "DeleteRule", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "changeToken": "fd232003-62de-4ea3-853d-52932example", "ruleId": "3e3e2d11-fd8b-4333-8b03-1da95example" }, "responseElements": { "changeToken": "fd232003-62de-4ea3-853d-52932example" }, "requestID": "b23458a1-0b2d-11e6-9ccc-f9928example", "eventID": "a3236565-1a1a-4475-978e-81c12example", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" } ] }

AWS Shield Advanced中的資訊 CloudTrail

AWS Shield Advanced支援將下列動作記錄為記 CloudTrail 錄檔中的事件:

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 要求是否使用 root 使用者認證提出

  • 提出該請求時,是否使用了特定角色或聯合身分使用者的暫時安全憑證。

  • 該請求是否由另一項 AWS 服務提出。

如需詳細資訊,請參閱 CloudTrail 使用者身分元素

範例:Shield 進階記錄檔項目

追蹤是一種組態,可讓事件以日誌檔的形式傳遞到您指定的 Amazon S3 儲存貯體。 CloudTrail 記錄檔包含一或多個記錄項目。事件代表來自任何來源的單一請求,包括有關請求的操作,動作的日期和時間,請求參數等信息。 CloudTrail 日誌文件不是公共 API 調用的有序堆棧跟踪,因此它們不會以任何特定順序顯示。

下列範例顯示示範DeleteProtectionListProtections動作的 CloudTrail 記錄項目。

[ { "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "1234567890987654321231", "arn": "arn:aws:iam::123456789012:user/SampleUser", "accountId": "123456789012", "accessKeyId": "1AFGDT647FHU83JHFI81H", "userName": "SampleUser" }, "eventTime": "2018-01-10T21:31:14Z", "eventSource": "shield.amazonaws.com", "eventName": "DeleteProtection", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "aws-cli/1.14.10 Python/3.6.4 Darwin/16.7.0 botocore/1.8.14", "requestParameters": { "protectionId": "12345678-5104-46eb-bd03-agh4j8rh3b6n" }, "responseElements": null, "requestID": "95bc0042-f64d-11e7-abd1-1babdc7aa857", "eventID": "85263bf4-17h4-43bb-b405-fh84jhd8urhg", "eventType": "AwsApiCall", "apiVersion": "AWSShield_20160616", "recipientAccountId": "123456789012" }, { "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "123456789098765432123", "arn": "arn:aws:iam::123456789012:user/SampleUser", "accountId": "123456789012", "accessKeyId": "1AFGDT647FHU83JHFI81H", "userName": "SampleUser" }, "eventTime": "2018-01-10T21:30:03Z", "eventSource": "shield.amazonaws.com", "eventName": "ListProtections", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "aws-cli/1.14.10 Python/3.6.4 Darwin/16.7.0 botocore/1.8.14", "requestParameters": null, "responseElements": null, "requestID": "6accca40-f64d-11e7-abd1-1bjfi8urhj47", "eventID": "ac0570bd-8dbc-41ac-a2c2-987j90j3h78f", "eventType": "AwsApiCall", "apiVersion": "AWSShield_20160616", "recipientAccountId": "123456789012" } ]

AWS Firewall Manager中的資訊 CloudTrail

AWS Firewall Manager支援將下列動作記錄為記 CloudTrail 錄檔中的事件:

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 要求是否使用 root 使用者認證提出

  • 提出該請求時,是否使用了特定角色或聯合身分使用者的暫時安全憑證。

  • 該請求是否由另一項 AWS 服務提出。

如需詳細資訊,請參閱 CloudTrail 使用者身分元素

範例:Firewall Manager 員記錄檔項目

追蹤是一種組態,可讓事件以日誌檔的形式傳遞到您指定的 Amazon S3 儲存貯體。 CloudTrail 記錄檔包含一或多個記錄項目。事件代表來自任何來源的單一請求,包括有關請求的操作,動作的日期和時間,請求參數等信息。 CloudTrail 日誌文件不是公共 API 調用的有序堆棧跟踪,因此它們不會以任何特定順序顯示。

下列範例顯示示範 GetAdminAccount--> 動作的 CloudTrail 記錄項目。

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "1234567890987654321231", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/SampleUser", "accountId": "123456789012", "accessKeyId": "1AFGDT647FHU83JHFI81H", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2018-04-14T02:51:50Z" }, "sessionIssuer": { "type": "Role", "principalId": "1234567890987654321231", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" } } }, "eventTime": "2018-04-14T03:12:35Z", "eventSource": "fms.amazonaws.com", "eventName": "GetAdminAccount", "awsRegion": "us-east-1", "sourceIPAddress": "72.21.198.65", "userAgent": "console.amazonaws.com", "requestParameters": null, "responseElements": null, "requestID": "ae244f41-3f91-11e8-787b-dfaafef95fc1", "eventID": "5769af1e-14b1-4bd1-ba75-f023981d0a4a", "eventType": "AwsApiCall", "apiVersion": "2018-01-01", "recipientAccountId": "123456789012" }