使用 AWS CloudTrail 記錄 API 呼叫 - AWS WAF、AWS Firewall Manager 與 AWS Shield Advanced

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用 AWS CloudTrail 記錄 API 呼叫

AWS WAF、AWS Shield Advanced,以及AWS Firewall Manager已與整合AWS CloudTrail、提供使用者、角色或角色所採取之動作的服務AWS服務。 CloudTrail 會將這些服務的 API 呼叫子集擷取為事件,包括來自的呼叫AWS WAF、防 Shield 進階或 Firewall Manager 主控台,以及對AWS WAF、防 Shield 進階或 Firewall Manager API。若您建立追蹤,您可以啟用的持續交付 CloudTrail Amazon S3 儲存貯體的事件,包括的事件AWS WAF、防 Shield 進階或 Firewall Manager。如果您不設定追蹤,仍然可以透過檢視最新的事件 CloudTrail 中的 console事件歷史記錄。使用收集的資訊 CloudTrail,您可以判斷已對這些服務提出的請求、提出請求的 IP 地址、提出請求的對象、何人出要求、何人出要求、何人出要求、何人出要求、何人出要求、何人出要求、何人出要求、何人出要求

進一步了解 CloudTrail,包括如何設定及啟用,請參閱。AWS CloudTrail使用者指南

CloudTrail 已在啟用AWS 帳戶當您創建帳戶時。當支援的事件活動發生於AWS WAF,Shield 高級或 Firewall Manager,該活動記錄在 CloudTrail與其他一起事件AWS中的服務事件事件歷史記錄。您可以檢視、搜尋和下載 AWS 帳戶 的最新事件。如需詳細資訊,請參閱「」使用檢視事件 CloudTrail 事件歷史記錄

持續記錄中的事件AWS 帳戶,包括以下項目的活動AWS WAF「防 Shield 進階」或「Firewall Manager」建立追蹤。軌跡啟用 CloudTrail 將日誌檔案交付至 Amazon S3 儲存貯體。在主控台建立追蹤記錄時,該追蹤記錄預設會套用到所有區域。該追蹤會記錄來自 AWS 分割區中所有區域的事件,並將日誌檔案交付到您指定的 Amazon S3 儲存貯體。此外,您可以配置其他AWS進一步分析和處理以下服務的事件資料 CloudTrail 日誌。如需詳細資訊,請參閱下列內容:

AWS CloudTrail 中的 AWS WAF 資訊

AWS CloudTrail 會記錄所有 AWS WAF 動作,列在 AWS WAF API 參考中。例如,對 ListWebACLUpdateWebACLDeleteWebACL 的呼叫,會在 CloudTrail 日誌檔中產生項目。

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 該請求是否使用根或 IAM 使用者憑證提出

  • 提出該請求時,是否使用了特定角色或聯合身分使用者的臨時安全憑證

  • 該請求是否由另一項 AWS 服務提出

如需詳細資訊,請參閱 CloudTrail userIdentity 元素

AWS WAF 日誌檔案項目範例

追蹤是一種組態,能讓事件以日誌檔案的形式交付到您指定的 Amazon S3 儲存貯體。AWS CloudTrail日誌檔案包含一個或多個日誌項目。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。 CloudTrail 日誌檔案並非依公有 API 呼叫追蹤記錄的堆疊排序,因此不會以任何特定順序出現。

以下範例 CloudTrail 適用於的日誌項目AWS WAFWeb ACL 操作。

範例: CloudTrail 適用於的日誌項目CreateWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "principalId", "arn": "arn:aws:sts::112233445566:assumed-role/Admin", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "principalId", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T03:43:07Z" } } }, "eventTime": "2019-11-06T03:44:21Z", "eventSource": "wafv2.amazonaws.com", "eventName": "CreateWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "defaultAction": { "block": {} }, "description": "foo", "rules": [ { "name": "foo", "priority": 1, "statement": { "geoMatchStatement": { "countryCodes": [ "AF", "AF" ] } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" } }, "responseElements": { "summary": { "name": "foo", "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b", "description": "foo", "lockToken": "67551e73-49d8-4363-be48-244deea72ea9", "aRN": "arn:aws:wafv2:us-west-2:112233445566:global/webacl/foo/ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b" } }, "requestID": "c51521ba-3911-45ca-ba77-43aba50471ca", "eventID": "afd1a60a-7d84-417f-bc9c-7116cf029065", "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例: CloudTrail 適用於的日誌項目GetWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "AssumedRole", "arn": "arn:aws:sts::112233445566:assumed-role/Admin/admin", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AssumedRole", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T19:17:20Z" } } }, "eventTime": "2019-11-06T19:18:28Z", "eventSource": "wafv2.amazonaws.com", "eventName": "GetWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "id": "webacl" }, "responseElements": null, "requestID": "f2db4884-4eeb-490c-afe7-67cbb494ce3b", "eventID": "7d563cd6-4123-4082-8880-c2d1fda4d90b", "readOnly": true, "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例: CloudTrail 適用於的日誌項目UpdateWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "principalId", "arn": "arn:aws:sts::112233445566:assumed-role/Admin", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "principalId", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T19:17:20Z" } } }, "eventTime": "2019-11-06T19:20:56Z", "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b", "defaultAction": { "block": {} }, "description": "foo", "rules": [ { "name": "foo", "priority": 1, "statement": { "geoMatchStatement": { "countryCodes": [ "AF" ] } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "foo" }, "lockToken": "67551e73-49d8-4363-be48-244deea72ea9" }, "responseElements": { "nextLockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d" }, "requestID": "41c96e12-9790-46ab-b145-a230f358f2c2", "eventID": "517a10e6-4ca9-4828-af90-a5cff9756594", "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例: CloudTrail 適用於的日誌項目DeleteWebACL

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "principalId", "arn": "arn:aws:sts::112233445566:assumed-role/Admin/sheqiang-Isengard", "accountId": "112233445566", "accessKeyId": "accessKeyId", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "principalId", "arn": "arn:aws:iam::112233445566:role/Admin", "accountId": "112233445566", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2019-11-06T19:17:20Z" } } }, "eventTime": "2019-11-06T19:25:17Z", "eventSource": "wafv2.amazonaws.com", "eventName": "DeleteWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "requestParameters": { "name": "foo", "scope": "CLOUDFRONT", "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b", "lockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d" }, "responseElements": null, "requestID": "71703f89-e139-440c-96d4-9c77f4cd7565", "eventID": "2f976624-b6a5-4a09-a8d0-aa3e9f4e5187", "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "recipientAccountId": "112233445566" }

範例:AWS WAF Classic 日誌檔項目

AWS WAF Classic 是舊版的 AWS WAF。如需相關資訊,請參閱 AWS WAF Classic

日誌項目會示範 CreateRuleGetRuleUpdateRuleDeleteRule 操作:

{ "Records": [ { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:14Z", "eventSource": "waf.amazonaws.com", "eventName": "CreateRule", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "name": "0923ab32-7229-49f0-a0e3-66c81example", "changeToken": "l9434322-8685-4ed2-9c5b-9410bexample", "metricName": "0923ab32722949f0a0e366c81example" }, "responseElements": { "rule": { "metricName": "0923ab32722949f0a0e366c81example", "ruleId": "12132e64-6750-4725-b714-e7544example", "predicates": [ ], "name": "0923ab32-7229-49f0-a0e3-66c81example" }, "changeToken": "l9434322-8685-4ed2-9c5b-9410bexample" }, "requestID": "4e6b66f9-d548-11e3-a8a9-73e33example", "eventID": "923f4321-d378-4619-9b72-4605bexample", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:22Z", "eventSource": "waf.amazonaws.com", "eventName": "GetRule", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "ruleId": "723c2943-82dc-4bc1-a29b-c7d73example" }, "responseElements": null, "requestID": "8e4f3211"-d548-11e3-a8a9-73e33example", "eventID": "an236542-d1f9-4639-bb3d-8d2bbexample", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:13Z", "eventSource": "waf.amazonaws.com", "eventName": "UpdateRule", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "ruleId": "7237b123-7903-4d9e-8176-9d71dexample", "changeToken": "32343a11-35e2-4dab-81d8-6d408example", "updates": [ { "predicate": { "type": "SizeConstraint", "dataId": "9239c032-bbbe-4b80-909b-782c0example", "negated": false }, "action": "INSERT" } ] }, "responseElements": { "changeToken": "32343a11-35e2-4dab-81d8-6d408example" }, "requestID": "11918283-0b2d-11e6-9ccc-f9921example", "eventID": "00032abc-5bce-4237-a8ee-5f1a9example", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "AIDAIEP4IT4TPDEXAMPLE", "arn": "arn:aws:iam::777777777777:user/nate", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "nate" }, "eventTime": "2016-04-25T21:35:28Z", "eventSource": "waf.amazonaws.com", "eventName": "DeleteRule", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "console.amazonaws.com", "requestParameters": { "changeToken": "fd232003-62de-4ea3-853d-52932example", "ruleId": "3e3e2d11-fd8b-4333-8b03-1da95example" }, "responseElements": { "changeToken": "fd232003-62de-4ea3-853d-52932example" }, "requestID": "b23458a1-0b2d-11e6-9ccc-f9928example", "eventID": "a3236565-1a1a-4475-978e-81c12example", "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "recipientAccountId": "777777777777" } ] }

AWS Shield Advanced中的 資訊 CloudTrail

AWS Shield Advanced支援將下列動作記錄為中的事件 CloudTrail 日誌檔:

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 該請求是否使用根或 IAM 使用者憑證提出。

  • 提出該請求時,是否使用了特定角色或聯合身分使用者的暫時安全憑證。

  • 該請求是否由另一項 AWS 服務提出。

如需詳細資訊,請參閱 CloudTrail 使用者身分元素

範例:Shield Advanced 記錄檔項目

追蹤是一種組態,能讓事件以日誌檔案的形式交付到您指定的 Amazon S3 儲存貯體。 CloudTrail 日誌檔案包含一個或多個日誌項目。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。 CloudTrail 日誌檔案並非依公有 API 呼叫追蹤記錄的堆疊排序,因此不會以任何特定順序出現。

以下範例顯示 CloudTrail 日誌項目DeleteProtectionListProtections動作。

[ { "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "1234567890987654321231", "arn": "arn:aws:iam::123456789012:user/SampleUser", "accountId": "123456789012", "accessKeyId": "1AFGDT647FHU83JHFI81H", "userName": "SampleUser" }, "eventTime": "2018-01-10T21:31:14Z", "eventSource": "shield.amazonaws.com", "eventName": "DeleteProtection", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "aws-cli/1.14.10 Python/3.6.4 Darwin/16.7.0 botocore/1.8.14", "requestParameters": { "protectionId": "12345678-5104-46eb-bd03-agh4j8rh3b6n" }, "responseElements": null, "requestID": "95bc0042-f64d-11e7-abd1-1babdc7aa857", "eventID": "85263bf4-17h4-43bb-b405-fh84jhd8urhg", "eventType": "AwsApiCall", "apiVersion": "AWSShield_20160616", "recipientAccountId": "123456789012" }, { "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "123456789098765432123", "arn": "arn:aws:iam::123456789012:user/SampleUser", "accountId": "123456789012", "accessKeyId": "1AFGDT647FHU83JHFI81H", "userName": "SampleUser" }, "eventTime": "2018-01-10T21:30:03Z", "eventSource": "shield.amazonaws.com", "eventName": "ListProtections", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "aws-cli/1.14.10 Python/3.6.4 Darwin/16.7.0 botocore/1.8.14", "requestParameters": null, "responseElements": null, "requestID": "6accca40-f64d-11e7-abd1-1bjfi8urhj47", "eventID": "ac0570bd-8dbc-41ac-a2c2-987j90j3h78f", "eventType": "AwsApiCall", "apiVersion": "AWSShield_20160616", "recipientAccountId": "123456789012" } ]

AWS Firewall Manager中的 資訊 CloudTrail

AWS Firewall Manager支援將下列動作記錄為中的事件 CloudTrail 日誌檔:

每一筆事件或日誌項目都會包含產生請求者的資訊。身分資訊可協助您判斷下列事項:

  • 該請求是否使用根或 IAM 使用者憑證提出。

  • 提出該請求時,是否使用了特定角色或聯合身分使用者的暫時安全憑證。

  • 該請求是否由另一項 AWS 服務提出。

如需詳細資訊,請參閱 CloudTrail 使用者身分元素

範例:Firewall Manager 記錄檔項目

追蹤是一種組態,能讓事件以日誌檔案的形式交付到您指定的 Amazon S3 儲存貯體。 CloudTrail 日誌檔案包含一個或多個日誌項目。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。 CloudTrail 日誌檔案並非依公有 API 呼叫追蹤記錄的堆疊排序,因此不會以任何特定順序出現。

以下範例顯示 CloudTrail 日誌項目GetAdminAccount—> 動作。

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "1234567890987654321231", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/SampleUser", "accountId": "123456789012", "accessKeyId": "1AFGDT647FHU83JHFI81H", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2018-04-14T02:51:50Z" }, "sessionIssuer": { "type": "Role", "principalId": "1234567890987654321231", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" } } }, "eventTime": "2018-04-14T03:12:35Z", "eventSource": "fms.amazonaws.com", "eventName": "GetAdminAccount", "awsRegion": "us-east-1", "sourceIPAddress": "72.21.198.65", "userAgent": "console.amazonaws.com", "requestParameters": null, "responseElements": null, "requestID": "ae244f41-3f91-11e8-787b-dfaafef95fc1", "eventID": "5769af1e-14b1-4bd1-ba75-f023981d0a4a", "eventType": "AwsApiCall", "apiVersion": "2018-01-01", "recipientAccountId": "123456789012" }