操作审计支持查询操作审计(ActionTrail)自身相关事件。您可以快速查询ActionTrail事件并获取事件发生的时间、地域和跟踪等信息。本文为您举例说明操作审计相关事件。
阿里云账号通过控制台更新跟踪
以下示例表示,在北京时间2021年08月05日08:25:26,阿里云账号调用UpdateTrail接口在杭州地域更新了跟踪alicetest。
{
"eventId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "acs:log:cn-hangzhou:196813227629****:project/limansls",
"EventRW": "Write",
"RequestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "",
"SlsWriteRoleArn": "acs:ram::196813227629****:role/aliyunserviceroleforactiontrail",
"OssWriteRoleArn": "",
"TrailRegion": "All",
"Name": "alicetest"
},
"eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"SlsLogStore": "actiontrail_test",
"charset": "UTF-8",
"AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"RequestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "limantest",
"SlsProjectArn": "acs:log:cn-hangzhou:196813227629****:project/Alicesls",
"EventRW": "Write",
"AcsProduct": "Actiontrail",
"OssKeyPrefix": "",
"AcceptLanguage": "zh-CN",
"Region": "cn-hangzhou",
"OssBucketName": ""
},
"sourceIpAddress": "2409:8a20:4d15:e150:90f5:26ed:cc45:6922",
"userAgent": "actiontrail.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"alicetest"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T00:25:25Z"
}
},
"accountId": "196813227629****",
"principalId": "196813227629****",
"type": "root-account",
"userName": "root"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"eventTime": "2021-08-05T00:25:26Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}示例中关键字段含义如下:
userIdentity.type:请求者的身份类型。取值为root-account,表示阿里云账号。serviceName:事件相关的阿里云服务名称。取值为Actiontrail,表示操作审计。eventName:事件名称。取值为UpdateTrail,表示更新跟踪。referencedResources:事件影响的资源列表。取值为{"ACS::ActionTrail::Trail": ["alicetest"},表示跟踪名称为alicetest。acsRegion:事件发生的地域。取值为cn-hangzhou,表示杭州地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-05T00:25:26Z,表示北京时间2021年08月05日08:25:26。
RAM用户通过控制台更新跟踪
以下示例表示,在北京时间2021年08月05日17:57:32,RAM用户Alice调用UpdateTrail接口在杭州地域更新了跟踪test-trail。
{
"eventId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "Write",
"RequestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "",
"SlsWriteRoleArn": "acs:ram::189217171671****:role/aliyunserviceroleforactiontrail",
"OssWriteRoleArn": "",
"TrailRegion": "All",
"Name": "test-trail"
},
"eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"SlsLogStore": "actiontrail_test-trail",
"charset": "UTF-8",
"AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"RequestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "test-nnn",
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "Write",
"AcsProduct": "Actiontrail",
"OssKeyPrefix": "",
"AcceptLanguage": "zh-CN",
"Region": "cn-hangzhou",
"OssBucketName": ""
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "actiontrail.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"test-trail"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T09:57:32Z"
}
},
"accountId": "189217171671****",
"principalId": "26135379175722****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"eventTime": "2021-08-05T09:57:32Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}示例中关键字段含义如下:
userIdentity.type:请求者的身份类型。取值为ram-user,表示RAM用户。userIdentity.userName:请求者的RAM用户名称。serviceName:事件相关的阿里云服务名称。取值为Actiontrail,表示操作审计。eventName:事件名称。取值为UpdateTrail,表示更新跟踪。referencedResources:事件影响的资源列表。取值为{"ACS::ActionTrail::Trail": ["test-trail"]},表示跟踪名称为test-trail。acsRegion:事件发生的地域。取值为cn-hangzhou,表示杭州地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-05T09:57:32Z,表示北京时间2021年08月05日17:57:32。
RAM用户通过AK调用API更新跟踪
以下示例表示,在北京时间2021年08月04日10:29:37,RAM用户Alice通过AK LTAIcgRmWRaj****调用UpdateTrail接口在杭州地域更新了跟踪tf-testaccactiontrail。
{
"eventId": "86C37F50-950C-599D-B07A-88C0493784A9",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "",
"EventRW": "Write",
"RequestId": "86C37F50-950C-599D-B07A-88C0493784A9",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "tf-testaccactiontrail",
"SlsWriteRoleArn": "",
"OssWriteRoleArn": "acs:ram::118272523431****:role/aliyunactiontraildefaultrole",
"TrailRegion": "All",
"Name": "tf-testaccactiontrail"
},
"eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
"EventRW": "Write",
"AcsProduct": "Actiontrail",
"RequestId": "86C37F50-950C-599D-B07A-88C0493784A9",
"Region": "cn-hangzhou",
"OssBucketName": "tf-testaccactiontrail",
"OssWriteRoleArn": "acs:ram::118272523431****:role/aliyunactiontraildefaultrole",
"RegionId": "cn-hangzhou",
"HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "tf-testaccactiontrail"
},
"sourceIpAddress": "Internal",
"userAgent": "AlibabaCloud (linux; amd64) Golang/1.12.10 Core/0.01 TeaDSL/1 HashiCorp-Terraform/ Terraform-Provider/1.129.0 Terraform-Module/Default/LTAIcgRmWRaj****:41d6e7ac-9fd7-4b05-b80d-9cf147e9fb4f",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"tf-testaccactiontrail"
]
},
"userIdentity": {
"accessKeyId": "LTAIcgRmWRaj****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-04T23:09:19Z"
}
},
"accountId": "118272523431****",
"principalId": "28544203916248****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "86C37F50-950C-599D-B07A-88C0493784A9",
"eventTime": "2021-08-04T02:29:37Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}示例中关键字段含义如下:
userIdentity.accessKeyId:发起API调用的AccessKey ID。取值为LTAIcgRmWRaj****。userIdentity.principalId:AK所属的账号ID。取值为28544203916248****。userIdentity.type:请求者的身份类型。取值为ram-user,表示RAM用户。serviceName:事件相关的阿里云服务名称。取值为Actiontrail,表示操作审计。eventName:事件名称。取值为UpdateTrail,表示更新跟踪。referencedResources:事件影响的资源列表。取值为{"ACS::ActionTrail::Trail": ["tf-testaccactiontrail"]},表示跟踪名称为tf-testaccactiontrail。acsRegion:事件发生的地域。取值为cn-hangzhou,表示杭州地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-04T02:29:37Z,表示北京时间2021年08月04日10:29:37。
RAM用户通过角色扮演更新跟踪
以下示例表示,在北京时间2021年08月05日17:59:02,阿里云账号189217171671****中的RAM用户通过扮演账号189217171671****下的RAM角色trail-role,调用UpdateTrail接口在杭州地域更新了跟踪test-trail。
{
"eventId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "All",
"RequestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "",
"SlsWriteRoleArn": "acs:ram::189217171671****:role/aliyunserviceroleforactiontrail",
"OssWriteRoleArn": "",
"TrailRegion": "All",
"Name": "test-trail"
},
"eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"SlsLogStore": "actiontrail_test-trail",
"charset": "UTF-8",
"AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"RequestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "test-nnn",
"stsTokenPrincipalName": "trail-role/roleTest123",
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "All",
"AcsProduct": "Actiontrail",
"OssKeyPrefix": "",
"AcceptLanguage": "zh-CN",
"Region": "cn-hangzhou",
"OssBucketName": "",
"stsTokenPlayerUid": 189217171671****
},
"sourceIpAddress": "Internal",
"userAgent": "actiontrail.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"test-trail"
]
},
"userIdentity": {
"accessKeyId": "STS.NTZxJ8V63CNgtAbsutWVs****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T09:59:02Z"
}
},
"accountId": "189217171671****",
"principalId": "39484351102463****:roleTest123",
"type": "assumed-role",
"userName": "trail-role:roleTest123"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"eventTime": "2021-08-05T09:59:02Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}示例中关键字段含义如下:
userIdentity.type:请求者的身份类型。取值为assumed-role,表示RAM角色。userIdentity.userName:请求者的用户名。格式为{roleName}:{sessionName},roleName表示被扮演的角色名称,sessionName表示进行角色扮演时指定的名称。取值为trail-role:roleTest123,表示被扮演的RAM角色名称是trail-role,进行角色扮演时指定的名称为roleTest123。requestParameters.stsTokenPlayerUid:扮演者的阿里云账号ID。取值为189217171671****。referencedResources:事件影响的资源列表。取值为{"ACS::ActionTrail::Trail": ["test-trail"]},表示跟踪名称为test-trail。serviceName:事件相关的阿里云服务名称。取值为Actiontrail,表示操作审计。eventName:事件名称。取值为UpdateTrail,表示更新跟踪。acsRegion:事件发生的地域。取值为cn-hangzhou,表示杭州地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-05T09:59:02Z,表示北京时间2021年08月05日17:59:02。
- 本页导读 (1)