ALIYUN::ACTIONTRAIL::Trail类型用于跟踪,帮助用户将审计数据保存到指定的OSS Bucket中。
语法
{
"Type": "ALIYUN::ACTIONTRAIL::Trail",
"Properties": {
"Name": String,
"OssBucketName": String,
"RoleName": String,
"OssKeyPrefix": String,
"EventRW": String,
"SlsProjectArn": String,
"SlsWriteRoleArn": String
}
} 属性
| 属性名称 | 类型 | 必须 | 允许更新 | 描述 | 约束 |
|---|---|---|---|---|---|
| Name | String | 是 | 否 | 创建的跟踪名称。 | 同一个账户内跟踪名称不可重复。 |
| OssBucketName | String | 是 | 是 | 跟踪写入的OSS Bucket。 | 创建跟踪时必须保证该Bucket已经存在。 |
| RoleName | String | 是 | 是 | 用户允许操作审计扮演的RAM角色名称。 | 请对RAM角色授权相应的策略,详情请参见示例。 |
| OssKeyPrefix | String | 否 | 是 | 写入的OSS Bucket文件名的前缀。 | 取值可为空。 |
| EventRW | String | 否 | 是 | 投递事件的读写类型。 | 取值:
|
| SlsProjectArn | String | 否 | 是 | 跟踪投递目标的日志服务项目在阿里云唯一的资源名称(Aliyun Resource Name,ARN)。 | 需要在SLS的Project中创建一个以actiontrail_开头,加上跟踪名称的Logstore。
|
| SlsWriteRoleArn | String | 否 | 是 | 操作审计向目标日志服务项目投递日志时,扮演的角色在阿里云唯一的资源名称(Aliyun Resource Name,ARN)。 | 无 |
返回值
Fn::GetAtt
Name:创建的跟踪名称。
示例
JSON格式
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"RoleName": {
"Type": "String",
"MinLength": 1,
"MaxLength": 64
},
"EventRW": {
"Type": "String",
"AllowedValues": [
"Write",
"Read",
"All"
]
},
"SlsProjectName": {
"Type": "String"
},
"OssKeyPrefix": {
"Type": "String",
"Default": ""
},
"OssBucketName": {
"Type": "String"
},
"TrailName": {
"Type": "String"
}
},
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": {
"Ref": "RoleName"
},
"Policies": [
{
"PolicyName": {
"Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
},
"PolicyDocument": {
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketLocation",
"oss:ListObjects",
"oss:PutObject"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"log:PostLogStoreLogs",
"log:CreateLogstore",
"Log:GetLogstore"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"mns:PublishMessage"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
}
],
"AssumeRolePolicyDocument": {
"Version": "1",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"actiontrail.aliyuncs.com"
]
}
}
]
}
}
},
"Bucket": {
"Type": "ALIYUN::OSS::Bucket",
"Properties": {
"AccessControl": "private",
"BucketName": {
"Ref": "OssBucketName"
},
"DeletionForce": true
}
},
"SlsProject": {
"Type": "ALIYUN::SLS::Project",
"Properties": {
"Name": {
"Ref": "SlsProjectName"
}
}
},
"SlsLogStore": {
"Type": "ALIYUN::SLS::Logstore",
"DependsOn": "SlsProject",
"Properties": {
"LogstoreName": {
"Fn::Sub": "actiontrail_${TrailName}"
},
"PreserveStorage": true,
"ProjectName": {
"Fn::GetAtt": [
"SlsProject",
"Name"
]
},
"AppendMeta": true,
"MaxSplitShard": 64,
"AutoSplit": true,
"EnableTracking": false,
"ShardCount": 2
}
},
"Trail": {
"DependsOn": [
"Role",
"Bucket",
"SlsLogStore"
],
"Type": "ALIYUN::ACTIONTRAIL::Trail",
"Properties": {
"SlsProjectArn": {
"Fn::Sub": "acs:log:${ALIYUN::Region}::project/${SlsProjectName}"
},
"RoleName": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
},
"EventRW": {
"Ref": "EventRW"
},
"OssKeyPrefix": {
"Ref": "OssKeyPrefix"
},
"OssBucketName": {
"Fn::GetAtt": [
"Bucket",
"Name"
]
},
"SlsWriteRoleArn": {
"Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
},
"Name": {
"Ref": "TrailName"
}
}
},
"TrailLogging": {
"Type": "ALIYUN::ACTIONTRAIL::TrailLogging",
"Properties": {
"Name": {
"Fn::GetAtt": [
"Trail",
"Name"
]
},
"Enable": {
"Ref": "Enable"
}
}
}
},
"Outputs": {
"Name": {
"Value": {
"Fn::GetAtt": [
"Trail",
"Name"
]
}
}
}
}YAML格式
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
RoleName:
Type: String
MinLength: 1
MaxLength: 64
EventRW:
Type: String
AllowedValues:
- Write
- Read
- All
SlsProjectName:
Type: String
OssKeyPrefix:
Type: String
Default: ''
OssBucketName:
Type: String
TrailName:
Type: String
Resources:
Role:
Type: 'ALIYUN::RAM::Role'
Properties:
RoleName:
Ref: RoleName
Policies:
- PolicyName:
'Fn::Sub': 'ActionTrailPolicy-${ALIYUN::StackId}'
PolicyDocument:
Version: '1'
Statement:
- Action:
- 'oss:GetBucketLocation'
- 'oss:ListObjects'
- 'oss:PutObject'
Resource:
- '*'
Effect: Allow
- Action:
- 'log:PostLogStoreLogs'
- 'log:CreateLogstore'
- 'Log:GetLogstore'
Resource:
- '*'
Effect: Allow
- Action:
- 'mns:PublishMessage'
Resource:
- '*'
Effect: Allow
AssumeRolePolicyDocument:
Version: '1'
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service:
- actiontrail.aliyuncs.com
Bucket:
Type: 'ALIYUN::OSS::Bucket'
Properties:
AccessControl: private
BucketName:
Ref: OssBucketName
DeletionForce: true
SlsProject:
Type: 'ALIYUN::SLS::Project'
Properties:
Name:
Ref: SlsProjectName
SlsLogStore:
Type: 'ALIYUN::SLS::Logstore'
DependsOn: SlsProject
Properties:
LogstoreName:
'Fn::Sub': 'actiontrail_${TrailName}'
PreserveStorage: true
ProjectName:
'Fn::GetAtt':
- SlsProject
- Name
AppendMeta: true
MaxSplitShard: 64
AutoSplit: true
EnableTracking: false
ShardCount: 2
Trail:
DependsOn:
- Role
- Bucket
- SlsLogStore
Type: 'ALIYUN::ACTIONTRAIL::Trail'
Properties:
SlsProjectArn:
'Fn::Sub': 'acs:log:${ALIYUN::Region}::project/${SlsProjectName}'
RoleName:
'Fn::GetAtt':
- Role
- RoleName
EventRW:
Ref: EventRW
OssKeyPrefix:
Ref: OssKeyPrefix
OssBucketName:
'Fn::GetAtt':
- Bucket
- Name
SlsWriteRoleArn:
'Fn::Sub': 'acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}'
Name:
Ref: TrailName
TrailLogging:
Type: 'ALIYUN::ACTIONTRAIL::TrailLogging'
Properties:
Name:
'Fn::GetAtt':
- Trail
- Name
Enable:
Ref: Enable
Outputs:
Name:
Value:
'Fn::GetAtt':
- Trail
- Name
在文档使用中是否遇到以下问题
更多建议
匿名提交