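ActionTrail supports querying events related to Alibaba Cloud Relational Database Service (RDS). You can quickly query RDS events and obtain information such as the time at which an event occurred, the region, and the RDS instance. This topic provides examples of RDS-related events.

An Alibaba Cloud account restarts an RDS instance in the console

The following example shows that at 15:34:58 on August 4, 2021 (Beijing time), an Alibaba Cloud account called the RestartDBInstance operation to restart the RDS instance with ID rm-bp18vn5itslhw**** in the Hangzhou region.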

{
  "eventId": "4EC856C0-A735-52D0-A7E6-E5CD09A5BCD4",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "4EC856C0-A735-52D0-A7E6-E5CD09A5BCD4"
  },
  "eventSource": "rds-inc-share.aliyuncs.com",
  "requestParameters": {
    "charset": "UTF-8",
    "AcsHost": "rds-inc-share.aliyuncs.com",
    "AcsProduct": "Rds",
    "RequestId": "4EC856C0-A735-52D0-A7E6-E5CD09A5BCD4",
    "DBInstanceId": "rm-bp18vn5itslhw****",
    "AcceptLanguage": "zh-CN",
    "HostId": "rds-inc-share.aliyuncs.com"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "rdsnext.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RDS::DBInstance": [
      "rm-bp18vn5itslhw****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T07:34:58Z"
      }
    },
    "accountId": "147395807376****",
    "principalId": "147395807376****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "Rds",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2014-08-15",
  "requestId": "4EC856C0-A735-52D0-A7E6-E5CD09A5BCD4",
  "eventTime": "2021-08-04T07:34:58Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "RestartDBInstance"
}

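The key fields in the example are described as follows:

  • userIdentity.type: the identity type of the requester. The value root-account indicates an Alibaba Cloud account.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value Rds indicates RDS.
  • eventName: the name of the event. The value RestartDBInstance indicates that an instance was restarted.
  • referencedResources: the list of resources affected by the event. The value {"ACS::RDS::DBInstance": ["rm-bp18vn5itslhw****"]} indicates the RDS instance rm-bp18vn5itslhw****.
  • acsRegion: the region where the event occurred. The value cn-hangzhou indicates the Hangzhou region.
  • eventTime: the time when the event occurred, in UTC. The value 2021-08-04T07:34:58Z indicates 15:34:58 on August 4, 2021 (Beijing time).

A RAM user restarts an RDS instance in the console

The following example shows that at 10:54:38 on August 4, 2021 (Beijing time), the RAM user Alice called the RestartDBInstance operation to restart the RDS instance with ID rm-bp15hkr5tb57v**** in the Hangzhou region.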

{
  "apiVersion": "2014-08-15",
  "requestId": "532F2CED-F931-57FC-B08E-5AF8FF443DD5",
  "eventType": "ApiCall",
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T02:54:38Z"
      }
    },
    "accountId": "183080612160****",
    "principalId": "20816241517167****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "acsRegion": "cn-hangzhou",
  "eventName": "RestartDBInstance",
  "requestParameters": {
    "charset": "UTF-8",
    "AcsHost": "rds-inc-share.aliyuncs.com",
    "AcsProduct": "Rds",
    "RequestId": "532F2CED-F931-57FC-B08E-5AF8FF443DD5",
    "DBInstanceId": "rm-bp15hkr5tb57v****",
    "AcceptLanguage": "zh-CN",
    "HostId": "rds-inc-share.aliyuncs.com"
  },
  "eventSource": "rds-inc-share.aliyuncs.com",
  "serviceName": "Rds",
  "eventTime": "2021-08-04T02:54:38Z",
  "referencedResources": {
    "DBInstance": [
      "rm-bp15hkr5tb57v****"
    ],
    "ACS::RDS::DBInstance": [
      "rm-bp15hkr5tb57v****"
    ]
  },
  "userAgent": "rdsnext.console.aliyun.com",
  "eventId": "532F2CED-F931-57FC-B08E-5AF8FF443DD5",
  "additionalEventData": {
    "Scheme": "http"
  },
  "responseElements": {
    "RequestId": "532F2CED-F931-57FC-B08E-5AF8FF443DD5"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

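The key fields in the example are described as follows:

  • userIdentity.type: the identity type of the requester. The value ram-user indicates a RAM user.
  • userIdentity.userName: the name of the RAM user who made the request.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value Rds indicates RDS.
  • eventName: the name of the event. The value RestartDBInstance indicates that an instance was restarted.
  • referencedResources: the list of resources affected by the event. The value {"DBInstance": ["rm-bp15hkr5tb57v****"],"ACS::RDS::DBInstance": ["rm-bp15hkr5tb57v****"]} indicates the RDS instance rm-bp15hkr5tb57v****.
  • acsRegion: the region where the event occurred. The value cn-hangzhou indicates the Hangzhou region.
  • eventTime: the time when the event occurred, in UTC. The value 2021-08-04T02:54:38Z indicates 10:54:38 on August 4, 2021 (Beijing time).

An Alibaba Cloud account uses an AccessKey (AK) to call the API and restart an RDS instance

The following example shows that at 10:29:37 on August 4, 2021 (Beijing time), an Alibaba Cloud account used the AK LTAICy8jSBYN**** to call the RestartDBInstance operation to restart the RDS instance with ID rm-1udt95gm98274**** in the Shanghai region.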

{
  "eventId": "55149DB3-9B17-5F96-99D7-10BCEC5A669D",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "55149DB3-9B17-5F96-99D7-10BCEC5A669D"
  },
  "eventSource": "rds.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "rds.aliyuncs.com",
    "AcsProduct": "Rds",
    "RequestId": "55149DB3-9B17-5F96-99D7-10BCEC5A669D",
    "DBInstanceId": "rm-1udt95gm98274****",
    "HostId": "rds.aliyuncs.com",
    "ClientToken": "4d31085d-8403-4f43-a600-41294335****"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Apache-HttpClient/4.5.2 (Java/1.8.0_191)",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RDS::DBInstance": [
      "rm-1udt95gm98274****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAICy8jSBYN****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T02:29:37Z"
      }
    },
    "accountId": "514024858446****",
    "principalId": "514024858446****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "Rds",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26888"
  },
  "apiVersion": "2014-08-15",
  "requestId": "55149DB3-9B17-5F96-99D7-10BCEC5A669D",
  "eventTime": "2021-08-04T02:29:37Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "RestartDBInstance"
}

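The key fields in the example are described as follows:

  • userIdentity.accessKeyId: the AccessKey ID used to make the API call. The value is LTAICy8jSBYN****.
  • userIdentity.principalId: the ID of the account to which the AK belongs. The value is 514024858446****.
  • userIdentity.type: the identity type of the requester. The value root-account indicates an Alibaba Cloud account.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value Rds indicates RDS.
  • eventName: the name of the event. The value RestartDBInstance indicates that an instance was restarted.
  • referencedResources: the list of resources affected by the event. The value {"ACS::RDS::DBInstance": ["rm-1udt95gm98274****"]} indicates the RDS instance rm-1udt95gm98274****.
  • acsRegion: the region where the event occurred. The value cn-shanghai indicates the Shanghai region.
  • eventTime: the time when the event occurred, in UTC. The value 2021-08-04T02:29:37Z indicates 10:29:37 on August 4, 2021 (Beijing time).

A RAM user restarts an RDS instance by assuming a role

The following example shows that at 14:15:46 on August 2, 2021 (Beijing time), a RAM user in Alibaba Cloud account 165367888785**** assumed the RAM role aliyunid-ag-ram-role-admin under account 109052579984**** and restarted the RDS instance with ID rm-bp1cw83fsi6j3**** in the Hangzhou region.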

{
  "eventId": "191D3EE5-82C7-48BC-B128-37A0BE30FF38",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "191D3EE5-82C7-48BC-B128-37A0BE30FF38"
  },
  "eventSource": "rds-inc-share.aliyuncs.com",
  "requestParameters": {
    "stsTokenPrincipalName": "aliyunid-ag-ram-role-admin/default",
    "charset": "UTF-8",
    "AcsHost": "rds-inc-share.aliyuncs.com",
    "AcsProduct": "Rds",
    "RequestId": "191D3EE5-82C7-48BC-B128-37A0BE30FF38",
    "DBInstanceId": "rm-bp1cw83fsi6j3****",
    "AcceptLanguage": "zh-CN",
    "HostId": "rds-inc-share.aliyuncs.com",
    "stsTokenPlayerUid": 165367888785****
  },
  "sourceIpAddress": "Internal",
  "userAgent": "rdsnext.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RDS::DBInstance": [
      "rm-bp1cw83fsi6j3****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "STS.NTXdTaxSSKZv3dNhvXZcT****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-02T06:15:46Z"
      }
    },
    "accountId": "109052579984****",
    "principalId": "36661865364550****:default",
    "type": "assumed-role",
    "userName": "aliyunid-ag-ram-role-admin:default"
  },
  "serviceName": "Rds",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2014-08-15",
  "requestId": "191D3EE5-82C7-48BC-B128-37A0BE30FF38",
  "eventTime": "2021-08-02T06:15:46Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "RestartDBInstance"
}

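The key fields in the example are described as follows:

  • userIdentity.type: the identity type of the requester. The value assumed-role indicates a RAM role.
  • userIdentity.userName: the user name of the requester, in the format {roleName}:{sessionName}. roleName is the name of the assumed role, and sessionName is the name specified when the role was assumed. The value aliyunid-ag-ram-role-admin:default indicates that the assumed RAM role is aliyunid-ag-ram-role-admin and the name specified when the role was assumed is default.
  • requestParameters.stsTokenPlayerUid: the Alibaba Cloud account ID of the entity that assumed the role. The value is 165367888785****.
  • referencedResources: the list of resources affected by the event. The value {"ACS::RDS::DBInstance": ["rm-bp1cw83fsi6j3****"]} indicates the RDS instance rm-bp1cw83fsi6j3****.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value Rds indicates RDS.
  • eventName: the name of the event. The value RestartDBInstance indicates that an instance was restarted.
  • acsRegion: the region where the event occurred. The value cn-hangzhou indicates the Hangzhou region.
  • eventTime: the time when the event occurred, in UTC. The value 2021-08-02T06:15:46Z indicates 14:15:46 on August 2, 2021 (Beijing time).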
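
The following is an added example, not part of the original page or Alibaba Cloud's own code. It normalizes the identity shapes described in this topic (root-account, ram-user, AccessKey call, assumed-role) into one who/what/where/when record, converts eventTime from UTC to Beijing time, and attaches review flags. The function name summarize, the output keys, and the flag names are assumptions of this example; the sample events are trimmed copies of events shown above.

```python
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))  # the page quotes event times in Beijing time

def summarize(event):
    """Reduce one ActionTrail event to who / what / where / when plus review flags."""
    ident = event.get("userIdentity", {})
    params = event.get("requestParameters", {})
    id_type = ident.get("type")
    actor = {"type": id_type, "account": ident.get("accountId"),
             "name": ident.get("userName"), "access_key": ident.get("accessKeyId")}
    if id_type == "assumed-role":
        # userName is {roleName}:{sessionName}; stsTokenPlayerUid is the assuming account
        role, _, session = (ident.get("userName") or "").partition(":")
        actor.update(role=role, session=session,
                     assumed_by=str(params.get("stsTokenPlayerUid")))
    # One instance can be listed under several resource-type keys: merge and dedupe.
    resources = sorted({rid for ids in event.get("referencedResources", {}).values()
                        for rid in ids})
    utc = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    local = utc.replace(tzinfo=timezone.utc).astimezone(BEIJING)
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    flags = []  # flag names are this example's own convention, not ActionTrail fields
    if id_type == "root-account":
        flags.append("root-access-key" if ident.get("accessKeyId") else "root-account")
    if attrs.get("mfaAuthenticated") != "true":
        flags.append("no-mfa")
    return {"actor": actor, "resources": resources, "region": event.get("acsRegion"),
            "action": f"{event.get('serviceName')}:{event.get('eventName')}",
            "time_beijing": local.strftime("%Y-%m-%d %H:%M:%S"), "flags": flags}

# Constructed samples: trimmed copies of events on this page (stsTokenPlayerUid quoted).
ROOT_AK_EVENT = {
    "userIdentity": {"accessKeyId": "LTAICy8jSBYN****", "accountId": "514024858446****",
                     "type": "root-account", "userName": "root",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    "referencedResources": {"ACS::RDS::DBInstance": ["rm-1udt95gm98274****"]},
    "serviceName": "Rds", "eventName": "RestartDBInstance",
    "acsRegion": "cn-shanghai", "eventTime": "2021-08-04T02:29:37Z"}
ASSUMED_ROLE_EVENT = {
    "userIdentity": {"accessKeyId": "STS.NTXdTaxSSKZv3dNhvXZcT****", "type": "assumed-role",
                     "accountId": "109052579984****",
                     "userName": "aliyunid-ag-ram-role-admin:default",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    "requestParameters": {"stsTokenPlayerUid": "165367888785****"},
    "referencedResources": {"ACS::RDS::DBInstance": ["rm-bp1cw83fsi6j3****"]},
    "serviceName": "Rds", "eventName": "RestartDBInstance",
    "acsRegion": "cn-hangzhou", "eventTime": "2021-08-02T06:15:46Z"}
```

For an assumed-role event, userIdentity.accountId is the account that owns the role, so the assumed_by value taken from stsTokenPlayerUid is the field to use when attributing the action to the caller.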