This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.
Logging API calls with AWS CloudTrail
AWS WAF, AWS Shield Advanced, and AWS Firewall Manager are integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, a role, or an AWS service. CloudTrail captures a subset of the API calls to these services as events, including calls made from the AWS WAF, Shield Advanced, and Firewall Manager consoles and calls made from code to the AWS WAF, Shield Advanced, and Firewall Manager APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including the events for AWS WAF, Shield Advanced, and Firewall Manager. If you don't configure a trail, you can still view the most recent events in the CloudTrail console under Event history. Using the information that CloudTrail collects, you can determine which request was made to these services, the IP address the request came from, who made it, when it was made, and other details.
To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide.
CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in AWS WAF, Shield Advanced, or Firewall Manager, that activity is recorded in a CloudTrail event along with the other AWS service events in Event history. You can view, search, and download recent events in your AWS account. Event history only covers the last 90 days of management events, so anything older is available only if a trail delivered it to Amazon S3. For more information, see Viewing events with CloudTrail Event history.
For an ongoing record of events in your AWS account, including the events for AWS WAF, Shield Advanced, and Firewall Manager, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. You can also configure other AWS services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following:
AWS WAF information in AWS CloudTrail
AWS CloudTrail logs all of the AWS WAF actions listed in the AWS WAF API Reference. For example, calls to ListWebACLs, UpdateWebACL, and DeleteWebACL generate entries in the CloudTrail log files.
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
- Whether the request was made with root or IAM user credentials
- Whether the request was made with temporary security credentials for a role or a federated user
- Whether the request was made by another AWS service
For more information, see the CloudTrail userIdentity element.
Example AWS WAF log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so the entries do not appear in any particular order.
The following are examples of CloudTrail log entries for AWS WAF web ACL operations. The four entries refer to the same web ACL ID and are linked by the lockToken that each mutating call must present: CreateWebACL returns one in responseElements.summary, UpdateWebACL consumes it and returns nextLockToken, and DeleteWebACL consumes that one. Note also that the read-only GetWebACL entry carries "readOnly": true, which the mutating entries do not.
Example: CloudTrail log entry for CreateWebACL
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "principalId",
    "arn": "arn:aws:sts::112233445566:assumed-role/Admin",
    "accountId": "112233445566",
    "accessKeyId": "accessKeyId",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "principalId",
        "arn": "arn:aws:iam::112233445566:role/Admin",
        "accountId": "112233445566",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-11-06T03:43:07Z"
      }
    }
  },
  "eventTime": "2019-11-06T03:44:21Z",
  "eventSource": "wafv2.amazonaws.com",
  "eventName": "CreateWebACL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36",
  "requestParameters": {
    "name": "foo",
    "scope": "CLOUDFRONT",
    "defaultAction": { "block": {} },
    "description": "foo",
    "rules": [
      {
        "name": "foo",
        "priority": 1,
        "statement": {
          "geoMatchStatement": { "countryCodes": [ "AF", "AF" ] }
        },
        "action": { "block": {} },
        "visibilityConfig": {
          "sampledRequestsEnabled": true,
          "cloudWatchMetricsEnabled": true,
          "metricName": "foo"
        }
      }
    ],
    "visibilityConfig": {
      "sampledRequestsEnabled": true,
      "cloudWatchMetricsEnabled": true,
      "metricName": "foo"
    }
  },
  "responseElements": {
    "summary": {
      "name": "foo",
      "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b",
      "description": "foo",
      "lockToken": "67551e73-49d8-4363-be48-244deea72ea9",
      "aRN": "arn:aws:wafv2:us-west-2:112233445566:global/webacl/foo/ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b"
    }
  },
  "requestID": "c51521ba-3911-45ca-ba77-43aba50471ca",
  "eventID": "afd1a60a-7d84-417f-bc9c-7116cf029065",
  "eventType": "AwsApiCall",
  "apiVersion": "2019-04-23",
  "recipientAccountId": "112233445566"
}
Example: CloudTrail log entry for GetWebACL
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AssumedRole",
    "arn": "arn:aws:sts::112233445566:assumed-role/Admin/admin",
    "accountId": "112233445566",
    "accessKeyId": "accessKeyId",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AssumedRole",
        "arn": "arn:aws:iam::112233445566:role/Admin",
        "accountId": "112233445566",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-11-06T19:17:20Z"
      }
    }
  },
  "eventTime": "2019-11-06T19:18:28Z",
  "eventSource": "wafv2.amazonaws.com",
  "eventName": "GetWebACL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36",
  "requestParameters": {
    "name": "foo",
    "scope": "CLOUDFRONT",
    "id": "webacl"
  },
  "responseElements": null,
  "requestID": "f2db4884-4eeb-490c-afe7-67cbb494ce3b",
  "eventID": "7d563cd6-4123-4082-8880-c2d1fda4d90b",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "apiVersion": "2019-04-23",
  "recipientAccountId": "112233445566"
}
Example: CloudTrail log entry for UpdateWebACL
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "principalId",
    "arn": "arn:aws:sts::112233445566:assumed-role/Admin",
    "accountId": "112233445566",
    "accessKeyId": "accessKeyId",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "principalId",
        "arn": "arn:aws:iam::112233445566:role/Admin",
        "accountId": "112233445566",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-11-06T19:17:20Z"
      }
    }
  },
  "eventTime": "2019-11-06T19:20:56Z",
  "eventSource": "wafv2.amazonaws.com",
  "eventName": "UpdateWebACL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36",
  "requestParameters": {
    "name": "foo",
    "scope": "CLOUDFRONT",
    "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b",
    "defaultAction": { "block": {} },
    "description": "foo",
    "rules": [
      {
        "name": "foo",
        "priority": 1,
        "statement": {
          "geoMatchStatement": { "countryCodes": [ "AF" ] }
        },
        "action": { "block": {} },
        "visibilityConfig": {
          "sampledRequestsEnabled": true,
          "cloudWatchMetricsEnabled": true,
          "metricName": "foo"
        }
      }
    ],
    "visibilityConfig": {
      "sampledRequestsEnabled": true,
      "cloudWatchMetricsEnabled": true,
      "metricName": "foo"
    },
    "lockToken": "67551e73-49d8-4363-be48-244deea72ea9"
  },
  "responseElements": {
    "nextLockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d"
  },
  "requestID": "41c96e12-9790-46ab-b145-a230f358f2c2",
  "eventID": "517a10e6-4ca9-4828-af90-a5cff9756594",
  "eventType": "AwsApiCall",
  "apiVersion": "2019-04-23",
  "recipientAccountId": "112233445566"
}
Example: CloudTrail log entry for DeleteWebACL
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "principalId",
    "arn": "arn:aws:sts::112233445566:assumed-role/Admin/sheqiang-Isengard",
    "accountId": "112233445566",
    "accessKeyId": "accessKeyId",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "principalId",
        "arn": "arn:aws:iam::112233445566:role/Admin",
        "accountId": "112233445566",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-11-06T19:17:20Z"
      }
    }
  },
  "eventTime": "2019-11-06T19:25:17Z",
  "eventSource": "wafv2.amazonaws.com",
  "eventName": "DeleteWebACL",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36",
  "requestParameters": {
    "name": "foo",
    "scope": "CLOUDFRONT",
    "id": "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b",
    "lockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d"
  },
  "responseElements": null,
  "requestID": "71703f89-e139-440c-96d4-9c77f4cd7565",
  "eventID": "2f976624-b6a5-4a09-a8d0-aa3e9f4e5187",
  "eventType": "AwsApiCall",
  "apiVersion": "2019-04-23",
  "recipientAccountId": "112233445566"
}
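The lock-token chain visible in the four entries above (CreateWebACL hands out summary.lockToken, UpdateWebACL presents it and receives nextLockToken, DeleteWebACL presents the latest one) can be used to rebuild the mutation history of a single web ACL from a trail's log file, and to notice when a mutation that must have happened is missing from the records you are looking at. The following Python is an added example and is not code from the AWS documentation. The records it reads are constructed for the example, trimmed to the fields it needs, and modelled on the entries above; the role session names alice and mallory, the changed defaultAction, the deliberately shuffled order, and the second web ACL ID are all assumptions.

```python
"""Reconstruct one AWS WAF web ACL's change history from CloudTrail entries.

Added example, not code from the AWS documentation. The records below are
constructed, trimmed to the fields this example reads, and modelled on the
CreateWebACL / GetWebACL / UpdateWebACL / DeleteWebACL entries on the page.
"""
import json
from typing import Dict, List, Optional

ACL_ID = "ebbcb976-8d59-4d20-8ca8-4ab2f6b7c07b"
ORPHAN_ID = "0f0f0f0f-0000-4000-8000-000000000001"  # constructed second web ACL
_ARN = "arn:aws:sts::112233445566:assumed-role/Admin/"  # session name appended

# Constructed log file body, shaped like the "Records" array a trail delivers.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-11-06T03:44:21Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "CreateWebACL", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"arn": _ARN + "alice"},
     "requestParameters": {"name": "foo", "scope": "CLOUDFRONT",
                           "defaultAction": {"block": {}}},
     "responseElements": {"summary": {
         "id": ACL_ID, "lockToken": "67551e73-49d8-4363-be48-244deea72ea9"}}},
    {"eventTime": "2019-11-06T19:18:28Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "GetWebACL", "readOnly": True, "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"arn": _ARN + "alice"},
     "requestParameters": {"name": "foo", "scope": "CLOUDFRONT", "id": ACL_ID},
     "responseElements": None},
    # Out of time order on purpose: CloudTrail files carry no ordering guarantee.
    {"eventTime": "2019-11-06T19:25:17Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": _ARN + "mallory"},
     "requestParameters": {"name": "foo", "scope": "CLOUDFRONT", "id": ACL_ID,
                           "lockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d"},
     "responseElements": None},
    {"eventTime": "2019-11-06T19:20:56Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "UpdateWebACL", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"arn": _ARN + "alice"},
     "requestParameters": {"name": "foo", "scope": "CLOUDFRONT", "id": ACL_ID,
                           "defaultAction": {"allow": {}},
                           "lockToken": "67551e73-49d8-4363-be48-244deea72ea9"},
     "responseElements": {"nextLockToken": "a6b54c01-7975-4e6d-b7d0-2653cb6e231d"}},
    # A delete whose create/update entries are not in this file.
    {"eventTime": "2019-11-07T08:00:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"arn": _ARN + "alice"},
     "requestParameters": {"name": "bar", "scope": "REGIONAL", "id": ORPHAN_ID,
                           "lockToken": "11111111-2222-4333-8444-555555555555"},
     "responseElements": None},
]})


def _default_action(params: Dict) -> Optional[str]:
    """'block' or 'allow' from requestParameters.defaultAction, if present."""
    return next(iter(params.get("defaultAction") or {}), None)


def web_acl_history(log_body: str, web_acl_id: str) -> List[Dict]:
    """Ordered mutations of one web ACL, chained by the optimistic-lock token.

    `chained` is False for a successful mutation whose lockToken is not the
    one the previous entry handed out: some change happened that is not in
    the records being read (another log file, or a gap in collection).
    """
    records = json.loads(log_body)["Records"]
    mutations = sorted((r for r in records
                        if r.get("eventSource") == "wafv2.amazonaws.com"
                        and not r.get("readOnly")),   # drops GetWebACL etc.
                       key=lambda r: r["eventTime"])  # files are unordered
    history, expected = [], None
    for rec in mutations:
        params = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}
        if rec["eventName"] == "CreateWebACL":
            summary = resp.get("summary") or {}
            if summary.get("id") != web_acl_id:
                continue
            chained, expected = True, summary.get("lockToken")
        elif rec["eventName"] in ("UpdateWebACL", "DeleteWebACL"):
            if params.get("id") != web_acl_id:
                continue
            chained = params.get("lockToken") == expected
            expected = resp.get("nextLockToken")  # None after a delete
        else:
            continue
        history.append({
            "eventTime": rec["eventTime"], "eventName": rec["eventName"],
            # The assumed-role ARN ends with the role session name.
            "actor": rec["userIdentity"]["arn"].rsplit("/", 1)[-1],
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "defaultAction": _default_action(params),
            "chained": chained,
        })
    return history


if __name__ == "__main__":
    for entry in web_acl_history(SAMPLE_LOG, ACL_ID):
        print(entry)
    print(web_acl_history(SAMPLE_LOG, ORPHAN_ID))
```

A real trail log file is a gzip-compressed JSON object with the same Records array, so decompress it and pass the text to web_acl_history. The orphaned delete shows the value of the chain: its lockToken matches nothing seen earlier, so the create and any updates happened in records you have not collected, and the entry deserves a second look before you conclude who last touched that web ACL.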
Example: AWS WAF Classic log file entries
AWS WAF Classic is the prior version of AWS WAF. For information, see AWS WAF Classic.
The following log entries demonstrate the CreateRule, GetRule, UpdateRule, and DeleteRule operations. In these entries sourceIPAddress is "AWS Internal" and userAgent is console.amazonaws.com, so the caller's own IP address cannot be read from them; the changeToken in requestParameters plays the same role for WAF Classic that lockToken plays for the current AWS WAF API:
{
  "Records": [
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIEP4IT4TPDEXAMPLE",
        "arn": "arn:aws:iam::777777777777:user/nate",
        "accountId": "777777777777",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "nate"
      },
      "eventTime": "2016-04-25T21:35:14Z",
      "eventSource": "waf.amazonaws.com",
      "eventName": "CreateRule",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "AWS Internal",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "name": "0923ab32-7229-49f0-a0e3-66c81example",
        "changeToken": "l9434322-8685-4ed2-9c5b-9410bexample",
        "metricName": "0923ab32722949f0a0e366c81example"
      },
      "responseElements": {
        "rule": {
          "metricName": "0923ab32722949f0a0e366c81example",
          "ruleId": "12132e64-6750-4725-b714-e7544example",
          "predicates": [],
          "name": "0923ab32-7229-49f0-a0e3-66c81example"
        },
        "changeToken": "l9434322-8685-4ed2-9c5b-9410bexample"
      },
      "requestID": "4e6b66f9-d548-11e3-a8a9-73e33example",
      "eventID": "923f4321-d378-4619-9b72-4605bexample",
      "eventType": "AwsApiCall",
      "apiVersion": "2015-08-24",
      "recipientAccountId": "777777777777"
    },
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIEP4IT4TPDEXAMPLE",
        "arn": "arn:aws:iam::777777777777:user/nate",
        "accountId": "777777777777",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "nate"
      },
      "eventTime": "2016-04-25T21:35:22Z",
      "eventSource": "waf.amazonaws.com",
      "eventName": "GetRule",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "AWS Internal",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "ruleId": "723c2943-82dc-4bc1-a29b-c7d73example"
      },
      "responseElements": null,
      "requestID": "8e4f3211-d548-11e3-a8a9-73e33example",
      "eventID": "an236542-d1f9-4639-bb3d-8d2bbexample",
      "eventType": "AwsApiCall",
      "apiVersion": "2015-08-24",
      "recipientAccountId": "777777777777"
    },
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIEP4IT4TPDEXAMPLE",
        "arn": "arn:aws:iam::777777777777:user/nate",
        "accountId": "777777777777",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "nate"
      },
      "eventTime": "2016-04-25T21:35:13Z",
      "eventSource": "waf.amazonaws.com",
      "eventName": "UpdateRule",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "AWS Internal",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "ruleId": "7237b123-7903-4d9e-8176-9d71dexample",
        "changeToken": "32343a11-35e2-4dab-81d8-6d408example",
        "updates": [
          {
            "predicate": {
              "type": "SizeConstraint",
              "dataId": "9239c032-bbbe-4b80-909b-782c0example",
              "negated": false
            },
            "action": "INSERT"
          }
        ]
      },
      "responseElements": {
        "changeToken": "32343a11-35e2-4dab-81d8-6d408example"
      },
      "requestID": "11918283-0b2d-11e6-9ccc-f9921example",
      "eventID": "00032abc-5bce-4237-a8ee-5f1a9example",
      "eventType": "AwsApiCall",
      "apiVersion": "2015-08-24",
      "recipientAccountId": "777777777777"
    },
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIEP4IT4TPDEXAMPLE",
        "arn": "arn:aws:iam::777777777777:user/nate",
        "accountId": "777777777777",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "nate"
      },
      "eventTime": "2016-04-25T21:35:28Z",
      "eventSource": "waf.amazonaws.com",
      "eventName": "DeleteRule",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "AWS Internal",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "changeToken": "fd232003-62de-4ea3-853d-52932example",
        "ruleId": "3e3e2d11-fd8b-4333-8b03-1da95example"
      },
      "responseElements": {
        "changeToken": "fd232003-62de-4ea3-853d-52932example"
      },
      "requestID": "b23458a1-0b2d-11e6-9ccc-f9928example",
      "eventID": "a3236565-1a1a-4475-978e-81c12example",
      "eventType": "AwsApiCall",
      "apiVersion": "2015-08-24",
      "recipientAccountId": "777777777777"
    }
  ]
}
AWS Shield Advanced information in CloudTrail
AWS Shield Advanced supports logging the following API actions as events in CloudTrail log files:
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
- Whether the request was made with root or IAM user credentials
- Whether the request was made with temporary security credentials for a role or a federated user
- Whether the request was made by another AWS service
For more information, see the CloudTrail userIdentity element.
Example: Shield Advanced log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so the entries do not appear in any particular order.
The following example shows CloudTrail log entries that demonstrate the DeleteProtection and ListProtections actions. Both calls were made with the AWS CLI (see userAgent) under an IAM user's long-term access key, so the entries carry no sessionContext and therefore no MFA information; a DeleteProtection from such a key is worth reviewing precisely because nothing in the entry shows a second factor.
[
  {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "1234567890987654321231",
      "arn": "arn:aws:iam::123456789012:user/SampleUser",
      "accountId": "123456789012",
      "accessKeyId": "1AFGDT647FHU83JHFI81H",
      "userName": "SampleUser"
    },
    "eventTime": "2018-01-10T21:31:14Z",
    "eventSource": "shield.amazonaws.com",
    "eventName": "DeleteProtection",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "aws-cli/1.14.10 Python/3.6.4 Darwin/16.7.0 botocore/1.8.14",
    "requestParameters": {
      "protectionId": "12345678-5104-46eb-bd03-agh4j8rh3b6n"
    },
    "responseElements": null,
    "requestID": "95bc0042-f64d-11e7-abd1-1babdc7aa857",
    "eventID": "85263bf4-17h4-43bb-b405-fh84jhd8urhg",
    "eventType": "AwsApiCall",
    "apiVersion": "AWSShield_20160616",
    "recipientAccountId": "123456789012"
  },
  {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "123456789098765432123",
      "arn": "arn:aws:iam::123456789012:user/SampleUser",
      "accountId": "123456789012",
      "accessKeyId": "1AFGDT647FHU83JHFI81H",
      "userName": "SampleUser"
    },
    "eventTime": "2018-01-10T21:30:03Z",
    "eventSource": "shield.amazonaws.com",
    "eventName": "ListProtections",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "aws-cli/1.14.10 Python/3.6.4 Darwin/16.7.0 botocore/1.8.14",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "6accca40-f64d-11e7-abd1-1bjfi8urhj47",
    "eventID": "ac0570bd-8dbc-41ac-a2c2-987j90j3h78f",
    "eventType": "AwsApiCall",
    "apiVersion": "AWSShield_20160616",
    "recipientAccountId": "123456789012"
  }
]
AWS Firewall Manager information in CloudTrail
AWS Firewall Manager supports logging the following API actions as events in CloudTrail log files:
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
- Whether the request was made with root or IAM user credentials
- Whether the request was made with temporary security credentials for a role or a federated user
- Whether the request was made by another AWS service
For more information, see the CloudTrail userIdentity element.
Example: Firewall Manager log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so the entries do not appear in any particular order.
The following example shows a CloudTrail log entry that demonstrates the GetAdminAccount action. Unlike the Shield Advanced entries above, this call was made from the console with an assumed role, so userIdentity carries a sessionContext naming the issuing role (sessionIssuer) and recording "mfaAuthenticated": "false" for the session.
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "1234567890987654321231",
    "arn": "arn:aws:sts::123456789012:assumed-role/Admin/SampleUser",
    "accountId": "123456789012",
    "accessKeyId": "1AFGDT647FHU83JHFI81H",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2018-04-14T02:51:50Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "1234567890987654321231",
        "arn": "arn:aws:iam::123456789012:role/Admin",
        "accountId": "123456789012",
        "userName": "Admin"
      }
    }
  },
  "eventTime": "2018-04-14T03:12:35Z",
  "eventSource": "fms.amazonaws.com",
  "eventName": "GetAdminAccount",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "72.21.198.65",
  "userAgent": "console.amazonaws.com",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "ae244f41-3f91-11e8-787b-dfaafef95fc1",
  "eventID": "5769af1e-14b1-4bd1-ba75-f023981d0a4a",
  "eventType": "AwsApiCall",
  "apiVersion": "2018-01-01",
  "recipientAccountId": "123456789012"
}
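Each of the three sections above asks the same three questions of userIdentity (root or IAM user credentials, temporary credentials for a role or federated user, or another AWS service) and shows entries for mutating calls such as UpdateWebACL, DeleteRule, and DeleteProtection. The following Python is an added example, not code from the AWS documentation, that answers those questions for every record in a log file and raises an alert for the calls a security team would want to review across all four event sources (wafv2, waf, shield, fms). The records are constructed for the example and modelled on the entries on this page; the set of "destructive" actions, the severities, and the extra AccessDenied and S3 records are this example's own assumptions.

```python
"""Triage AWS WAF, Shield Advanced, and Firewall Manager API activity found
in a CloudTrail log file.

Added example, not code from the AWS documentation. The records are
constructed and modelled on the entries shown on the page; the action list
and severities are this example's own choices.
"""
import json
from typing import Dict, List, Optional

# Event sources covered on this page: WAF (current and Classic), Shield
# Advanced, and Firewall Manager.
SOURCES = {"wafv2.amazonaws.com", "waf.amazonaws.com",
           "shield.amazonaws.com", "fms.amazonaws.com"}

# Real API actions that remove or detach a protection. Treating them as one
# "destructive" group is this example's assumption, not an AWS category.
DESTRUCTIVE = {"DeleteWebACL", "DisassociateWebACL", "DeleteRule",
               "DeleteProtection", "DeletePolicy", "DisassociateAdminAccount"}

# Constructed log file body in the shape a trail delivers ("Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-11-06T19:20:56Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "UpdateWebACL", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::112233445566:assumed-role/Admin/alice",
                      "sessionContext": {
                          "sessionIssuer": {"arn": "arn:aws:iam::112233445566:role/Admin"},
                          "attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2018-01-10T21:31:14Z", "eventSource": "shield.amazonaws.com",
     "eventName": "DeleteProtection", "sourceIPAddress": "AWS Internal",
     "userIdentity": {"type": "IAMUser", "userName": "SampleUser",
                      "arn": "arn:aws:iam::123456789012:user/SampleUser"}},
    {"eventTime": "2018-04-14T03:12:35Z", "eventSource": "fms.amazonaws.com",
     "eventName": "GetAdminAccount", "readOnly": True, "sourceIPAddress": "72.21.198.65",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/SampleUser"}},
    # Constructed: a delete that IAM refused. CloudTrail records the errorCode.
    {"eventTime": "2016-04-25T21:35:28Z", "eventSource": "waf.amazonaws.com",
     "eventName": "DeleteRule", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "nate",
                      "arn": "arn:aws:iam::777777777777:user/nate"}},
    # Constructed: a record from another service, which this triage ignores.
    {"eventTime": "2019-11-06T19:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::112233445566:root"}},
]})


def classify_principal(ui: Dict) -> Dict:
    """Answer the page's three identity questions for one userIdentity.

    `mfa` is None when the record has no session context (long-term access
    keys), so "unknown" is never confused with "MFA not used".
    """
    session = ui.get("sessionContext") or {}
    attrs = session.get("attributes") or {}
    mfa: Optional[bool] = None
    if "mfaAuthenticated" in attrs:
        mfa = attrs["mfaAuthenticated"] == "true"
    kind = ui.get("type")
    if kind == "Root":
        return {"kind": "root", "name": ui.get("arn"), "mfa": mfa}
    if kind == "IAMUser":
        return {"kind": "iam-user", "name": ui.get("userName"), "mfa": mfa}
    if kind in ("AssumedRole", "FederatedUser"):
        # Temporary credentials: the STS ARN ends with the role session name
        # (or the federated user name); sessionIssuer names what issued them.
        return {"kind": "temporary-credentials",
                "name": ui.get("arn", "").rsplit("/", 1)[-1],
                "issuer": (session.get("sessionIssuer") or {}).get("arn"),
                "mfa": mfa}
    if kind == "AWSService":
        return {"kind": "aws-service", "name": ui.get("invokedBy"), "mfa": None}
    return {"kind": "other", "name": ui.get("arn"), "mfa": mfa}


def triage(log_body: str) -> List[Dict]:
    """One alert per non-read-only WAF/Shield/FMS record that needs review."""
    alerts = []
    for rec in json.loads(log_body)["Records"]:
        if rec.get("eventSource") not in SOURCES or rec.get("readOnly"):
            continue  # other services, or reads such as GetWebACL/GetAdminAccount
        who = classify_principal(rec.get("userIdentity") or {})
        base = {"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                "eventSource": rec["eventSource"], "who": who,
                "sourceIPAddress": rec.get("sourceIPAddress")}
        if rec.get("errorCode"):
            # A refused DeleteRule says someone tried; do not drop it.
            alerts.append({**base, "severity": "high",
                           "reason": f"mutation rejected: {rec['errorCode']}"})
        elif rec["eventName"] in DESTRUCTIVE:
            alerts.append({**base, "severity": "high",
                           "reason": "protection removed or detached"})
        elif who["mfa"] is False:
            alerts.append({**base, "severity": "medium",
                           "reason": "configuration changed from a session without MFA"})
    return sorted(alerts, key=lambda a: a["eventTime"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["severity"], alert["eventName"], alert["who"], alert["reason"])
```

Feed it the decompressed body of each trail log file; sorting by eventTime is necessary because, as the text notes, the files themselves are not ordered. The MFA rule only fires when the record positively says the session was created without MFA: an IAM user's long-term access key produces no sessionContext at all, and silently treating that as "no MFA" would bury the destructive-action alerts under noise.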