操作审计支持查询云服务器ECS(Elastic Compute Service)相关事件。当ECS操作出现异常时,您可以快速查询事件并获取事件发生的时间、地域、ECS实例等信息。本文为您举例说明ECS相关事件。
阿里云账号通过控制台停止ECS实例
以下示例表示,在北京时间2021年08月04日14:11:36,阿里云账号调用StopInstance接口停止了北京地域ID为i-2zeip56clb391fpf****的ECS实例。
{
"eventId": "239EB588-CD24-522E-B0B5-174A1A588BE0",
"eventVersion": 1,
"eventSource": "ecs-cn-hangzhou-share.aliyuncs.com",
"requestParameters": {
"charset": "UTF-8",
"AcsHost": "ecs-cn-hangzhou-share.aliyuncs.com",
"AcsProduct": "Ecs",
"RequestId": "239EB588-CD24-522E-B0B5-174A1A588BE0",
"InstanceId": "i-2zeip56clb391fpf****",
"ForceStop": false,
"AcceptLanguage": "zh-CN"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "Apache-HttpClient/4.5.7 (Java/1.8.0_275)",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ECS::Instance": [
"i-2zeip56clb391fpf****"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-04T06:11:36Z"
}
},
"accountId": "154735325685****",
"principalId": "154735325685****",
"type": "root-account",
"userName": "root"
},
"serviceName": "Ecs",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2014-05-26",
"requestId": "239EB588-CD24-522E-B0B5-174A1A588BE0",
"eventTime": "2021-08-04T06:11:36Z",
"isGlobal": false,
"acsRegion": "cn-beijing",
"eventName": "StopInstance"
}示例中关键字段含义如下:
userIdentity.type:请求者的身份类型。取值为root-account,表示阿里云账号。serviceName:事件相关的阿里云服务名称。取值为Ecs,表示ECS。eventName:事件名称。取值为StopInstance,表示停止实例。referencedResources:事件影响的资源列表。取值为{"ACS::ECS::Instance": ["i-2zeip56clb391fpf****"]},表示ECS实例i-2zeip56clb391fpf****。acsRegion:事件发生的地域。取值为cn-beijing,表示北京地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-04T06:11:36Z,表示北京时间2021年08月04日14:11:36。
RAM用户通过控制台停止ECS实例
以下示例表示,在北京时间2021年08月04日13:29:30,RAM用户ecs_operator3调用StopInstance接口停止了北京地域ID为i-2zegxcy8f0htnq1o****的ECS实例。
{
"eventId": "5E197C8B-081F-5A0C-A86A-4B6F266CA80B",
"eventVersion": 1,
"eventSource": "ecs-cn-hangzhou.aliyuncs.com",
"requestParameters": {
"AcsHost": "ecs-cn-hangzhou.aliyuncs.com",
"AcsProduct": "Ecs",
"RequestId": "5E197C8B-081F-5A0C-A86A-4B6F266CA80B",
"InstanceId": "i-2zegxcy8f0htnq1o****",
"ForceStop": "True",
"https": "False"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "ros.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ECS::Instance": [
"i-2zegxcy8f0htnq1o****"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-04T05:29:30Z"
}
},
"accountId": "182872313731****",
"principalId": "20499042382297****",
"type": "ram-user",
"userName": "ecs_operator3"
},
"serviceName": "Ecs",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2014-05-26",
"requestId": "5E197C8B-081F-5A0C-A86A-4B6F266CA80B",
"eventTime": "2021-08-04T05:29:30Z",
"isGlobal": false,
"acsRegion": "cn-beijing",
"eventName": "StopInstance"
}示例中关键字段含义如下:
userIdentity.type:请求者的身份类型。取值为ram-user,表示RAM用户。userIdentity.userName:请求者的RAM用户名称。serviceName:事件相关的阿里云服务名称。取值为Ecs,表示ECS。eventName:事件名称。取值为StopInstance,表示停止实例。referencedResources:事件影响的资源列表。取值为{"ACS::ECS::Instance": ["i-2zegxcy8f0htnq1o****"]},表示ECS实例i-2zegxcy8f0htnq1o****。acsRegion:事件发生的地域。取值为cn-beijing,表示北京地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-04T05:29:30Z,表示北京时间2021年08月04日13:29:30。
RAM用户通过AK调用API停止ECS实例
以下示例表示,在北京时间2021年08月04日11:42:20,RAM用户通过AK LTAIIzSdydLc****调用StopInstance接口停止了杭州地域ID为i-bp1buct0j6jywbfp****的ECS实例。
{
"eventId": "A9171DC9-638E-5561-BA2E-69B1B956C8F4",
"eventVersion": 1,
"eventSource": "ecs.aliyuncs.com",
"requestParameters": {
"AcsHost": "ecs.aliyuncs.com",
"AcsProduct": "Ecs",
"RequestId": "A9171DC9-638E-5561-BA2E-69B1B956C8F4",
"InstanceId": "i-bp1buct0j6jywbfp****",
"ForceStop": true
},
"sourceIpAddress": "192.168.XX.XX",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ECS::Instance": [
"i-bp1buct0j6jywbfp****"
]
},
"userIdentity": {
"accessKeyId": "LTAIIzSdydLc****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-04T03:42:20Z"
}
},
"accountId": "122196828764****",
"principalId": "23079124770506****",
"type": "ram-user",
"userName": "hz-perf-cluster"
},
"serviceName": "Ecs",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2014-05-26",
"requestId": "A9171DC9-638E-5561-BA2E-69B1B956C8F4",
"eventTime": "2021-08-04T03:42:20Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "StopInstance"
}示例中关键字段含义如下:
userIdentity.accessKeyId:发起API调用的AccessKey ID。取值为LTAIIzSdydLc****。userIdentity.principalId:AK所属的账号ID。取值为23079124770506****。serviceName:事件相关的阿里云服务名称。取值为Ecs,表示ECS。eventName:事件名称。取值为StopInstance,表示停止实例。referencedResources:事件影响的资源列表。取值为{"ACS::ECS::Instance": ["i-bp1buct0j6jywbfp****"]},表示ECS实例i-bp1buct0j6jywbfp****。acsRegion:事件发生的地域。取值为cn-hangzhou,表示杭州地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-04T03:42:20Z,表示北京时间2021年08月04日11:42:20。
RAM角色通过角色扮演停止ECS实例
以下示例表示,在北京时间2021年08月04日14:50:10,阿里云服务弹性伸缩通过扮演服务关联角色aliyunserviceroleforautoscaling,停止了北京地域ID为i-2zeeryqubk6402qw****的ECS实例。
{
"eventId": "E7233050-120B-5684-93E4-49A6754D8252",
"eventVersion": 1,
"eventSource": "ecs-cn-hangzhou-inner.aliyuncs.com",
"requestParameters": {
"securityToken": "CAISlQJ1q6Ft5B2yfSjIr5beG4322+YZ0baYaVWElTksTe4VtfD8szz2IH9NenVoA+wetPg+mmtT6/welr5+UIQAXkHfdsp36NFa+hiWb4fPstGx8eThLDMywS/BZSTg1er+Ps/bLrqECNrPBnnAkihsu8iYERypQ12iN7CQlJdjda55dwKkbD1Adrw0T0kY3618D3bKMuu3ORPHm3fZCFES2jBxkmRi86+ysKb+g1j89AShmrJJ9tqoc8P7NpU2Z8xFPo3rjLAsRM3oyzVN7hVGzqBygZFf9C3P1tPnWAYIvUneabaMqIE+clQiO/JmAdlNqPntiPtjt/bNlo/60RFJMO9SSS3CWIe7y8LAGeWmJgLCqWAjiPSnGoABEJShxrqPitmfV2/wirLqZhYsiElHL0LIma0PRByFDMqa3Jo5O1xeeGvbhnLnHiqdTYUjap8X/fiew+pgNlLmjPwZ7AjWKFZVuO3yedhEpUE7aE14PJ2asbOw2b5T1CVH9FHYNWaCUliWBTIjAqI3UYkRktOiecZ2ZExp8g3+****=",
"stsTokenPrincipalName": "aliyunserviceroleforautoscaling/ess-session-ecs_default",
"AcsHost": "ecs-cn-hangzhou-inner.aliyuncs.com",
"ServiceCode": "ecs",
"AcsProduct": "Ecs",
"RequestId": "E7233050-120B-5684-93E4-49A6754D8252",
"InstanceId": "i-2zeeryqubk6402qw****",
"RegionId": "cn-beijing",
"stsTokenPlayerUid": 158643649596****
},
"sourceIpAddress": "Internal",
"userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_102-b52 Core/4.5.3 HTTPClient/InternalHttpClient",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ECS::Instance": [
"i-2zeeryqubk6402qw****"
]
},
"userIdentity": {
"accessKeyId": "STS.NUkP7B698ftsks5q9yAa9****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-04T06:50:10Z"
}
},
"accountId": "138549619371****",
"principalId": "37164024024963****:ess-session-ecs_default",
"type": "assumed-role",
"userName": "aliyunserviceroleforautoscaling:ess-session-ecs_default"
},
"serviceName": "Ecs",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2014-05-26",
"requestId": "E7233050-120B-5684-93E4-49A6754D8252",
"eventTime": "2021-08-04T06:50:10Z",
"isGlobal": false,
"acsRegion": "cn-beijing",
"eventName": "StopInstance"
}示例中关键字段含义如下:
userIdentity.type:请求者的身份类型。取值为assumed-role,表示RAM角色。userIdentity.userName:请求者的用户名。格式为{roleName}:{sessionName},roleName表示被扮演的角色名称,sessionName表示进行角色扮演时指定的名称。取值为aliyunserviceroleforautoscaling:ess-session-ecs_default,表示被扮演的RAM角色名称是aliyunserviceroleforautoscaling,进行角色扮演时指定的名称为ess-session-ecs_default。说明aliyunserviceroleforautoscaling是弹性伸缩服务的服务关联角色,用于授权弹性伸缩服务访问关联云资源。requestParameters.stsTokenPlayerUid:扮演者的阿里云账号ID。取值为158643649596****。referencedResources:事件影响的资源列表。取值为{"ACS::ECS::Instance": ["i-2zeeryqubk6402qw****"]},表示ECS实例i-2zeeryqubk6402qw****。serviceName:事件相关的阿里云服务名称。取值为Ecs,表示ECS。eventName:事件名称。取值为StopInstance,表示停止实例。acsRegion:事件发生的地域。取值为cn-beijing,表示北京地域。eventTime:事件发生的时间(UTC格式)。取值为2021-08-04T06:50:10Z,表示北京时间2021年08月04日14:50:10。