本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用记录亚马逊 MQ API 调用 AWS CloudTrail
Amazon MQ 与一项服务集成 AWS CloudTrail,该服务提供用户、角色或服务发起的 Amazon MQ 调用的记录。 AWS CloudTrail 捕获与亚马逊 MQ 代理和配置相关的 API 调用作为事件,包括来自亚马逊 MQ 控制台的调用和来自亚马逊 MQ 的代码调用。 APIs有关的更多信息 CloudTrail,请参阅《*[AWS CloudTrail 用户指南》](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)*。
**注意**
CloudTrail 不记录与 ActiveMQ 操作(例如,发送和接收消息)或 ActiveMQ Web 控制台相关的 API 调用。要记录与 ActiveMQ 操作相关的信息,您可以将 [Amazon MQ 配置为向亚马逊日志发布一般日志和审核](security-logging-monitoring.md)日志。 CloudWatch
使用 CloudTrail 收集到的信息,您可以识别对 Amazon MQ API 的特定请求、请求者的 IP 地址、请求者的身份、请求的日期和时间等。如果您配置了*跟踪*,则可以将 CloudTrail 事件持续传输到 Amazon S3 存储桶。如果您未配置跟踪,则可以在 CloudTrail 控制台中查看事件历史记录中的最新事件。有关更多信息,请参阅《AWS CloudTrail 用户指南》[https://docs.aws.amazon.com/awscloudtrail/latest/userguide/](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)**中的[创建跟踪概述](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)。
## 中的亚马逊 MQ 信息 CloudTrail
当您创建 AWS 账户时,已启 CloudTrail 用。当支持的 Amazon MQ 事件活动发生时,会将其与其他 AWS 服务 CloudTrail 事件一起记录在事件历史记录中。您可以查看、搜索和下载 AWS 账户的最新事件。有关更多信息,请参阅《*AWS CloudTrail 用户指南》*中的[使用 CloudTrail 事件历史记录查看事件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)。
跟踪允许 CloudTrail 将日志文件传输到 Amazon S3 存储桶。您可以创建跟踪,以便在您的 AWS 账户中持续记录事件。默认情况下,当您使用创建跟踪时 AWS 管理控制台,该跟踪将应用于所有 AWS 区域。该跟踪记录来自所有 AWS 区域的事件,并将日志文件传输到指定的 Amazon S3 存储桶。您还可以配置其他 AWS 服务,以进一步分析和处理 CloudTrail 日志中收集的事件数据。有关更多信息,请参阅《AWS CloudTrail 用户指南》**中的以下主题:
+ [CloudTrail 支持的服务和集成](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [配置 Amazon SNS 通知 CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [接收来自多个区域的 CloudTrail 日志文件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)
+ [从多个账户接收 CloudTrail 日志文件](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
Amazon MQ 支持将以下内容的请求参数和响应 APIs 作为事件记录在 CloudTrail 日志文件中:
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-post)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-delete](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-delete)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-delete](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-delete)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker-reboot.html#rest-api-broker-reboot-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker-reboot.html#rest-api-broker-reboot-methods-post)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-put](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-put)
**注意**
RebootBroker 当您重新启动代理时,日志文件会被记录下来。在维护时段内,服务会自动重新启动,并且不会记录 RebootBroker 日志文件。
**重要**
对于以下`GET`方法 APIs,会记录请求参数,但会对响应进行编辑:
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revision.html#rest-api-configuration-revision-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revision.html#rest-api-configuration-revision-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html#rest-api-configuration-revisions-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html#rest-api-configuration-revisions-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-get)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-users.html#rest-api-users-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-users.html#rest-api-users-methods-get)
对于以下情况 APIs,`data`和`password`请求参数由星号 () `***` 隐藏:
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post) (`POST`)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-post) (`POST`)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-put](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-put) (`PUT`)
[https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-put](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-put) (`PUT`)
每个事件或日志条目都包含有关请求者的信息。此信息可帮助您确定以下内容:
+ 请求是使用根用户凭证还是 用户凭证发出的?
+ 请求是使用角色还是联合身份用户的临时安全凭证发出的?
+ 请求是由其他 AWS 服务机构发出的?
有关更多信息,请参阅《[CloudTrail用户指南》中的 “*AWS CloudTrail 用户*身份元素](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)”。
## 示例 Amazon MQ 日志文件条目
*跟踪*是一种配置,允许将事件作为日志文件传输到指定的 Amazon S3 存储桶。 CloudTrail 日志文件包含一个或多个日志条目。
*事件*表示来自任何源的单个请求,其中包括有关对 Amazon MQ API 的请求、请求者的 IP 地址、请求者的身份、请求的日期和时间等的信息。
以下示例显示了 [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post)API 调用的 CloudTrail 日志条目。
**注意**
由于 CloudTrail 日志文件不是公开的有序堆栈跟踪 APIs,因此它们不会按任何特定顺序列出信息。
```
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AKIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/AmazonMqConsole",
"accountId": "111122223333",
"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
"userName": "AmazonMqConsole"
},
"eventTime": "2018-06-28T22:23:46Z",
"eventSource": "amazonmq.amazonaws.com",
"eventName": "CreateBroker",
"awsRegion": "us-west-2",
"sourceIPAddress": "203.0.113.0",
"userAgent": "PostmanRuntime/7.1.5",
"requestParameters": {
"engineVersion": "5.15.9",
"deploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
"maintenanceWindowStartTime": {
"dayOfWeek": "THURSDAY",
"timeOfDay": "22:45",
"timeZone": "America/Los_Angeles"
},
"engineType": "ActiveMQ",
"hostInstanceType": "mq.m5.large",
"users": [
{
"username": "MyUsername123",
"password": "***",
"consoleAccess": true,
"groups": [
"admins",
"support"
]
},
{
"username": "MyUsername456",
"password": "***",
"groups": [
"admins"
]
}
],
"creatorRequestId": "1",
"publiclyAccessible": true,
"securityGroups": [
"sg-a1b234cd"
],
"brokerName": "MyBroker",
"autoMinorVersionUpgrade": false,
"subnetIds": [
"subnet-12a3b45c",
"subnet-67d8e90f"
]
},
"responseElements": {
"brokerId": "b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9",
"brokerArn": "arn:aws:mq:us-east-2:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9"
},
"requestID": "a1b2c345-6d78-90e1-f2g3-4hi56jk7l890",
"eventID": "a12bcd3e-fg45-67h8-ij90-12k34d5l16mn",
"readOnly": false,
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
```