操作审计支持查询阿里云临时安全令牌STS(Security Token Service)相关事件。您可以快速查询STS事件并获取事件发生的时间、地域、临时身份等信息。本文为您举例说明STS相关事件。

RAM用户通过控制台调用STS切换角色身份

以下示例表示,在北京时间2021年08月05日15:59:47,RAM用户Alice调用AssumeRole接口通过扮演阿里云账号127812487797****下的cna-manager-test-role角色获取了一个临时身份。

{
  "eventId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "AssumedRoleUser": {
      "Arn": "acs:ram::127812487797****:role/cna-manager-test-role/169074",
      "AssumedRoleId": "33618118978621****:169074"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQ79dzjpMPxYesi1YY5U****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T08:59:47Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
    "RoleSessionName": 169074,
    "RegionId": "cn-hangzhou",
    "HostId": "sts.aliyuncs.com",
    "RoleArn": "acs:ram::127812487797****:role/cna-manager-test-role"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.17 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQ79dzjpMPxYesi1YY5U****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T07:59:46Z"
      }
    },
    "accountId": "146411043369****",
    "principalId": "21336811218169****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "FC410992-13D4-5D33-89A7-D8F4100CEE6B",
  "eventTime": "2021-08-05T07:59:47Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}

示例中关键字段含义如下:

  • userIdentity.type:请求者的身份类型。取值为ram-user,表示RAM用户。
  • userIdentity.userName:请求者的RAM用户名称。
  • userIdentity.sessionContext.attributes.mfaAuthenticated:请求者会话是否经过MFA(多因素认证)。示例中取值为false,审计时可据此判断该次角色扮演是否由已通过MFA的会话发起。
  • serviceName:事件相关的阿里云服务名称。取值为Sts,表示STS。
  • eventName:事件名称。取值为AssumeRole,表示获取一个扮演该角色的临时身份,此处RAM用户扮演的是受信实体为阿里云账号类型的RAM角色。
  • requestParameters.RoleArn:扮演角色的ARN信息。取值为acs:ram::127812487797****:role/cna-manager-test-role。其中,127812487797****表示角色所属的阿里云账号ID,cna-manager-test-role表示角色名称。
  • referencedResources:事件影响的资源列表。取值为{"ACS::RAM::AccessKey": ["STS.NUQ79dzjpMPxYesi1YY5U****"]},表示扮演角色获取的临时身份凭证为STS.NUQ79dzjpMPxYesi1YY5U****。
  • eventTime:事件发生的时间(UTC格式)。取值为2021-08-05T07:59:47Z,表示北京时间2021年08月05日15:59:47。

RAM用户通过调用SDK获取临时访问令牌

以下示例表示,在北京时间2021年08月05日16:03:31,RAM用户Alice调用AssumeRole接口通过扮演阿里云账号193875730500****下的aliyunosstokengeneratorrole角色获取了一个临时身份。

{
  "eventId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "AssumedRoleUser": {
      "Arn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole/X5wpmS6EgkM080aE0Kym****",
      "AssumedRoleId": "30815480203992****:X5wpmS6EgkM080aE0Kym****"
    },
    "Credentials": {
      "AccessKeyId": "STS.NTobFuYYn6EBxAVhC18ta****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:03:31Z"
    }
  },
  "eventSource": "sts.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "Policy": {
      "Version": "1",
      "Statement": [
        {
          "Condition": {},
          "Action": [
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:taowo/image/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/video/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*",
            "acs:oss:*:*:taowo/sound/disucss/2021/8/5/xNodqHMtGkX9arNrAkrz4d****/*"
          ],
          "Effect": "Allow"
        }
      ]
    },
    "AcsHost": "sts.cn-hangzhou.aliyuncs.com",
    "AcsProduct": "Sts",
    "RequestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
    "RoleSessionName": "X5wpmS6EgkM080aE0Kym****",
    "Region": "cn-hangzhou",
    "SignatureType": "",
    "RegionId": "cn-hangzhou",
    "HostId": "sts.cn-hangzhou.aliyuncs.com",
    "RoleArn": "acs:ram::193875730500****:role/aliyunosstokengeneratorrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux 3.10.0-1127.19.1.el7.x86_64;x86_64) Python/3.8.8 Core/2.13.32 python-requests/2.18.3",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NTobFuYYn6EBxAVhC18ta****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAI2jP0BF0f****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T08:03:31Z"
      }
    },
    "accountId": "193875730500****",
    "principalId": "21365465900895****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "B936D2EE-05DC-5AC1-9163-48F0DE28B963",
  "eventTime": "2021-08-05T08:03:31Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "AssumeRole"
}

示例中关键字段含义如下:

  • userIdentity.accessKeyId:发起API调用的AccessKey ID。取值为LTAI2jP0BF0f****。
  • userIdentity.principalId:AK所属的账号ID。取值为21365465900895****。
  • userIdentity.type:请求者的身份类型。取值为ram-user,表示RAM用户。
  • serviceName:事件相关的阿里云服务名称。取值为Sts,表示STS。
  • eventName:事件名称。取值为AssumeRole,表示获取一个扮演该角色的临时身份,此处RAM用户扮演的是受信实体为阿里云账号类型的RAM角色。
  • requestParameters.RoleArn:扮演角色的ARN信息。取值为acs:ram::193875730500****:role/aliyunosstokengeneratorrole。其中,193875730500****表示角色所属的阿里云账号ID,aliyunosstokengeneratorrole表示角色名称。
  • referencedResources:事件影响的资源列表。取值为{"ACS::RAM::AccessKey": ["STS.NTobFuYYn6EBxAVhC18ta****"]},表示扮演角色获取的临时身份凭证为STS.NTobFuYYn6EBxAVhC18ta****。
  • eventTime:事件发生的时间(UTC格式)。取值为2021-08-05T08:03:31Z,表示北京时间2021年08月05日16:03:31。

企业用户通过角色SSO获取阿里云角色身份

以下示例表示,在北京时间2021年08月05日16:04:56,企业用户Alice调用AssumeRoleWithSAML接口通过角色SSO扮演189186630579****账号下的cruisetestrole角色获取了一个临时身份。

{
  "eventId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventVersion": 1,
  "responseElements": {
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "SAMLAssertionInfo": {
      "SubjectType": "transient",
      "Issuer": "https://testidp/saml",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::189186630579****:role/cruisetestrole/cruisetest",
      "AssumedRoleId": "37924473051351****:cruisetest"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUTNKhGR8BR3QL9sJkSHp****",
      "AccessKeySecret": "gS09k8a8fDwwgR0ey9IeCFuNfr****",
      "Expiration": "2021-08-05T09:04:56Z"
    }
  },
  "eventSource": "sts.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "***",
    "AcsProduct": "Sts",
    "RequestId": "66FDD0F9-3546-567A-8964-2BD734198356",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::189186630579****:saml-provider/mockedIdp",
    "RoleArn": "acs:ram::189186630579****:role/cruisetestrole"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUTNKhGR8BR3QL9sJkSHp****"
    ]
  },
  "userIdentity": {
    "accountId": "189186630579****",
    "samlProviderName": "mockedIdp",
    "type": "saml-user",
    "userName": "Alice",
    "samlIssuer": "https://testidp/saml"
  },
  "serviceName": "Sts",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2015-04-01",
  "requestId": "66FDD0F9-3546-567A-8964-2BD734198356",
  "eventTime": "2021-08-05T08:04:56Z",
  "isGlobal": false,
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML"
}

示例中关键字段含义如下:

  • userIdentity.type:请求者的身份类型。取值为saml-user,表示企业自有身份的用户。
  • userIdentity.userName:发起角色SSO的企业用户的用户名。
  • requestParameters.RoleArn:扮演角色的ARN信息。取值为acs:ram::189186630579****:role/cruisetestrole。其中,189186630579****表示角色所属的阿里云账号ID,cruisetestrole表示角色名称。
  • referencedResources:事件影响的资源列表。取值为{"ACS::RAM::AccessKey": ["STS.NUTNKhGR8BR3QL9sJkSHp****"]},表示扮演角色获取的临时身份凭证为STS.NUTNKhGR8BR3QL9sJkSHp****。
  • serviceName:事件相关的阿里云服务名称。取值为Sts,表示STS。
  • eventName:事件名称。取值为AssumeRoleWithSAML,表示通过角色SSO获取阿里云角色身份。
  • eventTime:事件发生的时间(UTC格式)。取值为2021-08-05T08:04:56Z,表示北京时间2021年08月05日16:04:56。