This article covers how to handle operation logs on Amazon S3 and other AWS services; it may be a useful reference for readers facing the same problem.

Problem description

I am trying to see which user was responsible for changes in S3 (at bucket level). I could not find an audit trail for actions done at S3 bucket level, or for EC2 showing who created instances. Beanstalk has a log of the actions the machine performed, but not which user.

Is there a way around AWS that we can see this information in IAM or any other location?

P.S.: I am not interested in knowing about S3 log buckets which provide access logs

Recommended answer

Update

AWS has just announced AWS CloudTrail, finally making auditing API calls available as of today (and for free), see the introductory post AWS CloudTrail - Capture AWS API Activity for details:

Do you need to track the API calls for one or more AWS accounts? If so, the new AWS CloudTrail service is for you.

Once enabled, AWS CloudTrail records the calls made to the AWS APIs using the AWS Management Console, the AWS Command Line Interface (CLI), your own applications, and third-party software and publishes the resulting log files to the Amazon S3 bucket of your choice. CloudTrail can also issue a notification to an Amazon SNS topic of your choice each time a file is published. Each call is logged in JSON format for easy parsing and processing.

Please note the following (temporary) constraints:

  • Not all services are covered yet, though the most important ones are included in the initial release already and AWS plans to add support for additional services over time.
    • Update: AWS has recently added Seven New Services, and another one today, see below.
    • Update: AWS has just added More Locations and Services, quickly approaching coverage of their entire Global Infrastructure indeed.

This is a long standing feature request, but unfortunately AWS does not provide (public) audit trails as of today - the most reasonable way to add this feature would probably be a respective extension to AWS Identity and Access Management (IAM), which is the increasingly ubiquitous authentication and authorization layer for access to AWS resources across all existing (and almost certainly future) Products & Services.

Accordingly there are a few respective answers provided within the IAM FAQs along these lines:
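The JSON format mentioned in the update above is what makes the original question answerable from the trail itself. The following is an added example, not part of the original answer: it reads a CloudTrail log file and reports which principal performed each bucket-level S3 call, distinguishing a direct IAM user from an assumed role such as an instance or deployment role. The log content is constructed for this example; the field names (Records, eventSource, eventName, userIdentity, sessionContext, requestParameters) follow the public CloudTrail record format, and the set of "bucket-level" event names is the author's choice, not a CloudTrail category.

```python
import json

# Constructed sample CloudTrail log file (values are made up; field names follow
# the public CloudTrail record format). Assumes CloudTrail records S3 bucket calls.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2013-11-13T18:21:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "prod-assets"}},
    {"eventTime": "2013-11-13T18:22:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",  # object-level: ignored
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "prod-assets", "key": "index.html"}},
    {"eventTime": "2013-11-13T19:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci-run-42",
                      "sessionContext": {"sessionIssuer": {"userName": "Deploy"}}},
     "requestParameters": {"bucketName": "old-staging"}},
]})

# S3 API calls that change a bucket itself rather than the objects in it (our own list).
BUCKET_LEVEL_EVENTS = {"CreateBucket", "DeleteBucket", "PutBucketAcl", "PutBucketPolicy",
                       "DeleteBucketPolicy", "PutBucketVersioning", "PutBucketLogging"}

def principal(identity):
    """Reduce a CloudTrail userIdentity block to a readable 'who'."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return "user:" + identity["userName"]
    if kind == "AssumedRole":  # e.g. an instance/Beanstalk role or an STS session
        role = identity["sessionContext"]["sessionIssuer"]["userName"]
        session = identity["arn"].rsplit("/", 1)[-1]
        return "role:%s (session %s)" % (role, session)
    return identity.get("arn", kind)  # Root, FederatedUser, AWS service, ...

def bucket_changes(log_text):
    """Return (time, who, action, bucket, source IP) for bucket-level S3 calls."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in BUCKET_LEVEL_EVENTS:
            continue
        rows.append((rec["eventTime"], principal(rec["userIdentity"]), rec["eventName"],
                     rec.get("requestParameters", {}).get("bucketName"),
                     rec.get("sourceIPAddress")))
    return rows
```

Running bucket_changes over a real trail file (one JSON document per delivered .json.gz object) gives the per-bucket change history the question asks for; the session name in the role case is what ties an instance-role action back to the machine or pipeline that used it.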

That concludes this article on operation logs for Amazon S3 and other AWS services; we hope the recommended answer is helpful.

08-15 03:15