# Amazon S3 CloudTrail 事件 CloudTrail 事件 **重要** Amazon S3 现在将具有 Amazon S3 托管密钥的服务器端加密(SSE-S3)作为 Amazon S3 中每个存储桶的基本加密级别。从 2023 年 1 月 5 日起,上传到 Amazon S3 的所有新对象都将自动加密,不会产生额外费用,也不会影响性能。S3 存储桶默认加密配置和上传的新对象的自动加密状态可在 CloudTrail 日志、S3 清单、S3 Storage Lens 存储统计管理工具和 Amazon S3 控制台中查看,并可用作 AWS CLI 和 AWS SDK 中的附加 Amazon S3 API 响应标头。有关更多信息,请参阅[默认加密常见问题解答](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html)。 本节提供有关 S3 记录到 CloudTrail 的事件的信息。 ## CloudTrail 中的 Amazon S3 数据事件 [数据事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events)可提供对资源或在资源中所执行资源操作(例如,读取或写入 Amazon S3 对象)的相关信息。这些也称为数据面板操作。数据事件通常是高容量活动。默认情况下,CloudTrail 不记录数据事件。CloudTrail **事件历史记录**不记录数据事件。 记录数据事件将收取额外费用。有关 CloudTrail 定价的更多信息,请参阅 [AWS CloudTrail 定价](https://aws.amazon.com/cloudtrail/pricing/)。 您可以使用 CloudTrail 控制台、AWS CLI 或 CloudTrail API 操作记录 Amazon S3 资源类型的数据事件。有关如何记录数据事件的更多信息,请参阅《AWS CloudTrail 用户指南》**中的[使用 AWS 管理控制台 记录数据事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console)和[使用 AWS Command Line Interface 记录数据事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI)。 下表列出了您可以为其记录数据事件的 Amazon S3 资源类型。**数据事件类型(控制台)**列显示可从 CloudTrail 控制台上的**数据事件类型**列表中选择的值。**resources.type 值**列显示了您在使用 AWS CLI 或 CloudTrail API 配置高级事件选择器时需要指定的 `resources.type` 值。**记录到 CloudTrail 的数据 API** 列显示了针对该资源类型记录到 CloudTrail 的 API 调用。 | 数据事件类型(控制台) | resources.type 值 | 记录至 CloudTrail 的数据 API | | --- | --- | --- | | S3 | AWS::S3::Object | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html) | | S3 Express One Zone | AWS::S3Express::Object | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html) | | S3 接入点 | AWS::S3::Access Point | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html) | | S3 对象 Lambda | AWS::S3ObjectLambda::AccessPoint | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html) | | S3 Outposts | AWS::S3Outposts::Object | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html) | 您可以将高级事件选择器配置为在 `eventName`、`readOnly` 和 `resources.ARN` 字段上进行筛选,从而仅记录那些对您很重要的事件。有关这些字段的更多信息,请参阅《AWS CloudTrail API 参考》**中的 [https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html)。 ## CloudTrail 中的 Amazon S3 管理事件 Amazon S3 将所有控制面板操作记录为管理事件。有关 S3 API 操作的更多信息,请参阅 [Amazon S3 API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html)。 ## CloudTrail 如何捕获向 Amazon S3 发出的请求 识别 Amazon S3 请求 默认情况下,CloudTrail 会记录在过去 90 天内进行的 S3 存储桶级别 API 调用,但不会记录向对象发出的请求。存储桶级调用包括诸如 `CreateBucket`、`DeleteBucket`、`PutBucketLifecycle`、`PutBucketPolicy` 等事件。您可以在 CloudTrail 控制台上看到存储桶级事件。但是,您无法在此查看数据事件(Amazon S3 对象级调用),您必须解析或查询它们的 CloudTrail 日志。 如果您使用 AWS CloudTrail 记录数据活动,则 Amazon S3 `DeleteObjects` 数据事件的事件记录同时包括 `DeleteObjects` 事件和作为该操作的一部分删除的每个对象的 `DeleteObject` 事件。您可以从事件记录中排除有关已删除对象的额外可见性。有关更多信息,请参阅《AWS CloudTrail User Guide》**中的 [AWS CLI examples for filtering data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-deleteobjects)。 ## CloudTrail 日志记录跟踪的 Amazon S3 账户级操作 CloudTrail 会记录账户级操作。Amazon S3 记录与其他 AWS 服务记录一起写入日志文件。CloudTrail 基于时间段和文件大小来确定何时创建并写入新文件。 本节中的表格列出了可用于 CloudTrail 日志记录的 Amazon S3 账户级操作。 CloudTrail 日志记录跟踪的 Amazon S3 账户级 API 操作显示为以下事件名称。CloudTrail 事件名称与 API 操作名称不同。例如,DeletePublicAccessBlock 是 DeleteAccountPublicAccessBlock。 + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeletePublicAccessBlock.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeletePublicAccessBlock.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetPublicAccessBlock.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetPublicAccessBlock.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutPublicAccessBlock.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutPublicAccessBlock.html) ## CloudTrail 日志记录跟踪的 Amazon S3 存储桶级操作 默认情况下,CloudTrail 将记录通用存储桶的存储桶级操作。Amazon S3 记录与其他 AWS 服务记录一起写入日志文件。CloudTrail 基于时间段和文件大小来确定何时创建并写入新文件。 此部分列出了可用于 CloudTrail 日志记录的 Amazon S3 存储桶级操作。 CloudTrail 日志记录跟踪的 Amazon S3 存储桶级 API 操作显示为以下事件名称。在某些情况下,CloudTrail 事件名称与 API 操作名称不同。例如,`PutBucketLifecycleConfiguration` 为 `PutBucketLifecycle`。 + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucketMetadataConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucketMetadataConfiguration.html)(V2 API 操作) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucketMetadataTableConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucketMetadataTableConfiguration.html)(V1 API 操作) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketAnalyticsConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketAnalyticsConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketIntelligentTieringConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketIntelligentTieringConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketInventoryConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketInventoryConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketMetadataConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketMetadataConfiguration.html)(V2 API 操作) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketMetadataTableConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketMetadataTableConfiguration.html)(V1 API 操作) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketMetricsConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketMetricsConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketOwnershipControls.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketOwnershipControls.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeletePublicAccessBlock.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeletePublicAccessBlock.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketTagging.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAccelerateConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAccelerateConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAnalyticsConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAnalyticsConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketCors.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketCors.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketIntelligentTieringConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketIntelligentTieringConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketInventoryConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketInventoryConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLifecycle.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLifecycle.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLocation.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLocation.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLogging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLogging.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetadataConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetadataConfiguration.html)(V2 API 操作) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetadataTableConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetadataTableConfiguration.html)(V1 API 操作) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetricsConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetricsConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotification.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotification.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketOwnershipControls.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketOwnershipControls.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicyStatus.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicyStatus.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketReplication.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketReplication.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketRequestPayment.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketRequestPayment.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketTagging.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketVersioning.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketVersioning.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketWebsite.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketWebsite.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAccelerateConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAccelerateConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAnalyticsConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAnalyticsConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketIntelligentTieringConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketIntelligentTieringConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketInventoryConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketInventoryConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketMetricsConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketMetricsConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketNotification.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketNotification.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLockConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLockConfiguration.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketOwnershipControls.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketOwnershipControls.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutPublicAccessBlock.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutPublicAccessBlock.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketRequestPayment.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketRequestPayment.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketTagging.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateBucketMetadataJournalTableConfiguratione.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateBucketMetadataJournalTableConfiguratione.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateBucketMetadataInventoryTableConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateBucketMetadataInventoryTableConfiguration.html) 除了这些 API 操作之外,还可以使用 [OPTIONS object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTOPTIONSobject.html) 对象级操作。由于此操作将检查存储桶的 CORS 配置,因此它被视为 CloudTrail 日志记录中的存储桶级操作。 **注意** CloudTrail 支持将 HeadBucket API 作为 Amazon S3 数据事件。 ## CloudTrail 日志记录跟踪的 Amazon S3 Express One Zone 存储类存储桶级别(区域 API 端点)操作 默认情况下,CloudTrail 将目录存储桶的存储桶级操作记录为管理事件。S3 Express One Zone 的 CloudTrail 管理事件的 `eventsource` 为 `s3express.amazonaws.com`。 以下区域端点 API 操作将记录到 CloudTrail 中。 + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListDirectoryBuckets.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListDirectoryBuckets.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html) + [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html) 有关更多信息,请参阅[使用 AWS CloudTrail 为 S3 Express One Zone 记录日志](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-one-zone-logging.html) ## 跨账户情形中的 Amazon S3 对象级操作 下面是涉及跨账户情形中的对象级 API 调用的特殊使用案例以及报告 CloudTrail 日志的方法。CloudTrail 会将日志提供给申请方(进行 API 调用的账户),除非在某些拒绝访问的情况下,其中日志条目被编辑或省略。在设置跨账户访问时,请考虑本部分中的示例。 **注意** 这些示例假定 CloudTrail 日志已适当配置。 ### 示例 1:CloudTrail 将日志提供给存储桶拥有者 即使存储桶拥有者不具有执行相同对象 API 操作的权限,CloudTrail 也会将日志传递给存储桶拥有者。请考虑以下跨账户情形: + 账户 A 拥有该存储桶。 + 账户 B(请求者)尝试访问该存储桶中的对象。 + 账户 C 拥有该对象。账户 C 可能与账户 A 是同一个账户,也可能不是同一个账户。 **注意** CloudTrail 始终将对象级 API 日志提供给请求者(账户 B)。此外,即使存储桶拥有者不拥有该对象(账户 C)或对该对象不具有执行相同 API 操作的权限,CloudTrail 也会向存储桶拥有者(账户 A)提供相同的日志。 ### 示例 2:CloudTrail 没有使设置对象 ACL 时使用的电子邮件地址激增 请考虑以下跨账户情形: + 账户 A 拥有该存储桶。 + 账户 B(请求者)使用电子邮件地址发送了一个设置对象 ACL 授权的请求。有关 ACL 的更多信息,请参阅 [访问控制列表 (ACL) 概述](acl-overview.md)。 该请求方将获取日志以及电子邮件信息。但是,存储桶拥有者(如果他们像在示例 1 中一样有资格接收日志)将获取报告该事件的 CloudTrail 日志。但是,存储桶拥有者不会获取 ACL 配置信息,尤其是被授权者电子邮件地址和授权。日志为存储桶拥有者提供的唯一信息是账户 B 进行了 ACL API 调用。