aws-cloudtrail
AWS CloudTrail
Audit AWS account activity with CloudTrail.
Create Trail
```bash
# Create organization trail
aws cloudtrail create-trail \
  --name org-audit-trail \
  --s3-bucket-name audit-logs-bucket \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id arn:aws:kms:...

# Start logging
aws cloudtrail start-logging --name org-audit-trail
```
Event Selectors
```bash
# Log all management and data events (a trailing "/" on the bucket ARN covers every object in it)
aws cloudtrail put-event-selectors \
  --trail-name org-audit-trail \
  --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::sensitive-bucket/"] }] }]'
```
CloudTrail Lake
```sql
-- Query events
SELECT eventTime, userIdentity.userName, eventName, sourceIPAddress
FROM cloudtrail_logs
WHERE eventTime > '2024-01-01'
AND eventName LIKE '%Delete%'
ORDER BY eventTime DESC
LIMIT 100
```

Best Practices
- Organization-wide trails
- Enable log file validation
- Encrypt with KMS
- CloudWatch Logs integration
- Event alerting
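As an added example (not code from the original page), the Python below runs the Lake query from the CloudTrail Lake section offline over a constructed sample CloudTrail log file, and adds the "Event alerting" check from the list above: events that stop or reconfigure CloudTrail itself. It assumes the standard log file layout (`{"Records": [...]}`) and falls back to `userIdentity.arn` where `userName` is absent, which is the case for assumed-role sessions.

```python
import json

# Constructed sample CloudTrail log file (standard {"Records": [...]} layout, already gunzipped).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-03-02T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5", "userIdentity":
         {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"}},
    {"eventTime": "2023-12-31T23:59:59Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# CloudTrail API calls that disable or narrow auditing; candidates for alerting.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_records(log_text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(log_text)["Records"]


def actor(identity):
    """userName is only set for IAM users; assumed-role sessions carry the
    identity in arn, so fall back to it (the Lake query above would show NULL)."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def delete_events(records, since):
    """Offline equivalent of the page's Lake query: Delete* events after
    `since`, newest first. eventTime is ISO 8601 UTC, so string order is
    chronological order, which is also what the SQL comparison relies on."""
    hits = [r for r in records if "Delete" in r["eventName"] and r["eventTime"] > since]
    hits.sort(key=lambda r: r["eventTime"], reverse=True)
    return [(r["eventTime"], actor(r["userIdentity"]), r["eventName"], r["sourceIPAddress"])
            for r in hits]


def trail_tamper_events(records):
    """Events that change CloudTrail itself; a stopped or narrowed trail shows up here."""
    return [(r["eventTime"], actor(r["userIdentity"]), r["eventName"]) for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPER_EVENTS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(delete_events(recs, "2024-01-01"), trail_tamper_events(recs))
```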