本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 在 中記錄和監控 AWS Organizations
最佳實務是應該監控您的組織,以確保所做的變更都會記錄。這可協助您確保可以調查任何非預期的變更,也可以復原不需要的變更。 AWS Organizations 目前支援兩個 AWS 服務 ,可讓您監控組織及其內發生的活動。
**Topics**
+ [AWS CloudTrail](orgs_cloudtrail-integration.md)
+ [Amazon EventBridge](orgs_cloudwatch-integration.md)
# 使用 的 記錄 API AWS CloudTrail 呼叫 AWS Organizations
AWS Organizations 已與 服務整合 AWS CloudTrail,此服務可提供使用者、角色或 AWS 服務在其中採取之動作的記錄 AWS Organizations。CloudTrail 會將 的所有 API 呼叫擷取 AWS Organizations 為事件,包括來自 AWS Organizations 主控台的呼叫,以及來自對 AWS Organizations APIs的程式碼呼叫。如果您建立線索,您可以將 CloudTrail 事件持續交付至 Amazon S3 儲存貯體,包括 的事件 AWS Organizations。即使您未設定追蹤,依然可以透過 CloudTrail 主控台中的**事件歷史記錄**檢視最新事件。使用 CloudTrail 所收集的資訊,您可以判斷提出的請求 AWS Organizations、提出請求的 IP 地址、提出請求的人員、提出請求的時間,以及其他詳細資訊。
若要進一步了解 CloudTrail,請參閱*「AWS CloudTrail 使用者指南」*。
**重要**
AWS Organizations 您只能在美國東部 (維吉尼亞北部) 區域檢視 的所有 CloudTrail 資訊。如果您在 CloudTrail 主控台中看不到 AWS Organizations 活動,請使用右上角的選單將主控台設為**美國東部 (維吉尼亞北部)**。如果您使用 AWS CLI 或 SDK 工具查詢 CloudTrail,請將您的查詢導向美國東部 (維吉尼亞北部) 端點。
## AWS Organizations CloudTrail 中的資訊
當您建立帳戶 AWS 帳戶 時,您的 上會啟用 CloudTrail。當活動在 中發生時 AWS Organizations,該活動會與**事件歷史記錄**中的其他服務 AWS 事件一起記錄在 CloudTrail 事件中。您可以在 中檢視、搜尋和下載最近的事件 AWS 帳戶。如需詳細資訊,請參閱《使用 CloudTrail 事件歷史記錄檢視事件》[https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)。
如需您 AWS 帳戶帳戶中正在進行事件的記錄 (包含 AWS Organizations的事件),請建立追蹤。線索能讓 CloudTrail 將日誌檔案交付至 Amazon S3 儲存貯體。當您的 中啟用 CloudTrail 記錄時 AWS 帳戶,對 AWS Organizations 動作發出的 API 呼叫會在 CloudTrail 日誌檔案中追蹤,並在其中與其他 AWS 服務記錄一起寫入。您可以設定其他 AWS 服務 來進一步分析和處理 CloudTrail 日誌中收集的事件資料。如需詳細資訊,請參閱下列內容:
+ [建立追蹤的概觀](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail 支援的服務和整合](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [設定 CloudTrail 的 Amazon SNS 通知](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
CloudTrail 會記錄所有 AWS Organizations 動作,並記錄在 [AWS Organizations API 參考](https://docs.aws.amazon.com/organizations/latest/APIReference/)中。例如,對 `CreateAccount` (包括 `CreateAccountResult` 事件)、`ListHandshakesForAccount`、`CreatePolicy` 及 `InviteAccountToOrganization` 的呼叫,都會在 CloudTrail 日誌檔案中產生項目。
每個日誌項目都會包含產生要求之人員的資訊。日誌記錄中的使用者身分資訊,可協助您判斷下列事項:
+ 該請求是否使用根使用者或 IAM 使用者憑證提出
+ 提出該請求時,是否使用了特定 [IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)或[聯合身分使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html)的暫時安全憑證
+ 請求是否由其他 AWS 服務提出
如需詳細資訊,請參閱 [CloudTrail userIdentity 元素](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)。
**注意**
CloudTrail 會在帳戶中記錄採取指定動作的事件 (即成員帳戶中的事件,而不是成員帳戶採取該動作時的管理帳戶中的事件)。例如,離開組織的成員帳戶將記錄在成員帳戶追蹤中,而移除成員帳戶的管理帳戶將記錄在管理帳戶追蹤中。
## 了解 AWS Organizations 日誌檔案項目
追蹤是一種組態,能讓事件以日誌檔案的形式交付到您指定的 Amazon S3 儲存貯體。CloudTrail 日誌檔案包含一或多個日誌專案。一個事件為任何來源提出的單一請求,並包含請求動作、請求的日期和時間、請求參數等資訊。CloudTrail 日誌檔並非依公有 API 呼叫的堆疊追蹤排序,因此不會以任何特定順序出現。
### 範例日誌項目:CloseAccount
下列範例顯示在呼叫 API 並且關閉帳戶的工作流程在後台開始處理時,所產生範例 `CloseAccount` 呼叫的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
"arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/my-admin-role",
"accountId": "111122223333",
"userName": "my-session-id"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2022-03-18T18:17:06Z"
}
}
},
"eventTime": "2022-03-18T18:17:06Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CloseAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.168.0.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": {
"accountId": "555555555555"
},
"responseElements": null,
"requestID": "e28932f8-d5da-4d7a-8238-ef74f3d5c09a",
"eventID": "19fe4c10-f57e-4cb7-a2bc-6b5c30233592",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
下列範例顯示關閉帳戶的後台工作流程成功完成後,`CloseAccountResult` 呼叫的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.08",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "organizations.amazonaws.com"
},
"eventTime": "2022-03-18T18:17:06Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CloseAccountResult",
"awsRegion": "us-east-1",
"sourceIPAddress": "organizations.amazonaws.com",
"userAgent": "organizations.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111122223333",
"serviceEventDetails": {
"closeAccountStatus": {
"accountId": "555555555555",
"state": "SUCCEEDED",
"requestedTimestamp": "Mar 18, 2022 6:16:58 PM",
"completedTimestamp": "Mar 18, 2022 6:16:58 PM"
}
},
"eventCategory": "Management"
}
```
### 範例日誌項目:CreateAccount
下列範例顯示在呼叫 API 並且建立帳戶的工作流程在後台開始處理時,產生的範例 `CreateAccount` 呼叫的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
"arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/my-admin-role",
"accountId": "111122223333",
"userName": "my-session-id"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-09-16T21:16:45Z"
}
}
},
"eventTime": "2018-06-21T22:06:27Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.168.0.1",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
"requestParameters": {
"tags": [],
"email": "****",
"accountName": "****"
},
"responseElements": {
"createAccountStatus": {
"accountName": "****",
"state": "IN_PROGRESS",
"id": "car-examplecreateaccountrequestid111",
"requestedTimestamp": "Sep 16, 2020 9:20:50 PM"
}
},
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
下列範例顯示了建立帳戶的後台工作流程成功完成後,`CreateAccount` 呼叫的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.05",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "..."
},
"eventTime": "2020-09-16T21:20:53Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccountResult",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "....",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"recipientAccountId": "111122223333",
"serviceEventDetails": {
"createAccountStatus": {
"id": "car-examplecreateaccountrequestid111",
"state": "SUCCEEDED",
"accountName": "****",
"accountId": "444455556666",
"requestedTimestamp": "Sep 16, 2020 9:20:50 PM",
"completedTimestamp": "Sep 16, 2020 9:20:53 PM"
}
}
}
```
下列範例顯示了建立帳戶的 `CreateAccount` 後台工作流程失敗後,產生的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.06",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-06-21T22:06:27Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccountResult",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"recipientAccountId": "111122223333",
"serviceEventDetails": {
"createAccountStatus": {
"id": "car-examplecreateaccountrequestid111",
"state": "FAILED",
"accountName": "****",
"failureReason": "EMAIL_ALREADY_EXISTS",
"requestedTimestamp": Jun 21, 2018 10:06:27 PM,
"completedTimestamp": Jun 21, 2018 10:07:15 PM
}
}
}
```
### 範例日誌項目:CreateOrganizationalUnit
下列範例顯示了範例 `CreateOrganizationalUnit` 呼叫的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111111111111:user/diego",
"accountId": "111111111111",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "diego"
},
"eventTime": "2017-01-18T21:40:11Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateOrganizationalUnit",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"requestParameters": {
"name": "OU-Developers-1",
"parentId": "r-a1b2"
},
"responseElements": {
"organizationalUnit": {
"arn": "arn:aws:organizations::111111111111:ou/o-aa111bb222/ou-examplerootid111-exampleouid111",
"id": "ou-examplerootid111-exampleouid111",
"name": "test-cloud-trail",
"path": "o-aa111bb222/r-a1b2/ou-examplerootid111-exampleouid111/"
}
},
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
### 範例日誌項目:InviteAccountToOrganization
下列範例顯示了範例 `InviteAccountToOrganization` 呼叫的 CloudTrail 日誌項目。
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111111111111:user/diego",
"accountId": "111111111111",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "diego"
},
"eventTime": "2017-01-18T21:41:17Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "InviteAccountToOrganization",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"requestParameters": {
"notes": "This is a request for Mary's account to join Diego's organization.",
"target": {
"type": "ACCOUNT",
"id": "111111111111"
}
},
"responseElements": {
"handshake": {
"requestedTimestamp": "Jan 18, 2017 9:41:16 PM",
"state": "OPEN",
"arn": "arn:aws:organizations::111111111111:handshake/o-aa111bb222/invite/h-examplehandshakeid111",
"id": "h-examplehandshakeid111",
"parties": [
{
"type": "ORGANIZATION",
"id": "o-aa111bb222"
},
{
"type": "ACCOUNT",
"id": "222222222222"
}
],
"action": "invite",
"expirationTimestamp": "Feb 2, 2017 9:41:16 PM",
"resources": [
{
"resources": [
{
"type": "MASTER_EMAIL",
"value": "diego@example.com"
},
{
"type": "MASTER_NAME",
"value": "Management account for organization"
},
{
"type": "ORGANIZATION_FEATURE_SET",
"value": "ALL"
}
],
"type": "ORGANIZATION",
"value": "o-aa111bb222"
},
{
"type": "ACCOUNT",
"value": "222222222222"
},
{
"type": "NOTES",
"value": "This is a request for Mary's account to join Diego's organization."
}
]
}
},
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
### 範例日誌項目:AttachPolicy
下列範例顯示了範例 `AttachPolicy` 呼叫的 CloudTrail 日誌項目。回應表示呼叫失敗,因為請求的政策類型未於嘗試連接請求的根帳戶中啟用。
```
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111111111111:user/diego",
"accountId": "111111111111",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "diego"
},
"eventTime": "2017-01-18T21:42:44Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "AttachPolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"errorCode": "PolicyTypeNotEnabledException",
"errorMessage": "The given policy type ServiceControlPolicy is not enabled on the current view",
"requestParameters": {
"policyId": "p-examplepolicyid111",
"targetId": "ou-examplerootid111-exampleouid111"
},
"responseElements": null,
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
### 日誌項目範例:無效的有效政策
下列範例顯示範例`EffectivePolicyValidation`事件的 CloudTrail 日誌項目。每當組織中的更新在任何帳戶上建立無效的有效政策時,就會將此事件發送到組織的管理帳戶。
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-07-17T14:53:40Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "EffectivePolicyValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111111111111",
"serviceEventDetails": {
"accountId": "111111111111",
"policyType": "BACKUP_POLICY",
"state": "INVALID",
"requestTimestamp": "Jul 17, 2025, 2:53:40 PM",
"info": "All validation errors listed",
"validationErrors": [
{
"accountPath": "o-aa111bb222/r-a1b2/111111111111/",
"evaluationTimestamp": "Jul 17, 2025, 2:53:40 PM",
"errorCode": "ELEMENTS_TOO_MANY",
"errorMessage": "'hourly_rule' exceeds the allowed maximum limit 10",
"pathToError": "plans/hourly-backup/rules/hourly_rule",
"contributingPolicies": [
"p-examplepolicyid111"
]
}
]
},
"eventCategory": "Management"
}
```
### 日誌項目範例:有效的有效政策
下列範例顯示範例`EffectivePolicyValidation`事件的 CloudTrail 日誌項目。只要組織中的更新修正先前無效的帳戶的有效政策,此事件就會發出到組織的管理帳戶。
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "111111111111",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-07-17T14:54:40Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "EffectivePolicyValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111111111111",
"serviceEventDetails": {
"accountId": "111111111111",
"policyType": "BACKUP_POLICY",
"state": "VALID",
"requestTimestamp": "Jul 17, 2025, 2:54:40 PM",
"info": "Previous effective policy validation error(s) resolved for this account/policyType"
},
"eventCategory": "Management"
}
```
# Amazon EventBridge 和 AWS Organizations
AWS Organizations 可以使用先前稱為 Amazon CloudWatch Events 的 Amazon EventBridge,在組織中發生管理員指定的動作時引發事件。例如,由於這類動作的靈敏度,多數管理員會想要在每次有人在組織中建立新帳戶,或在成員帳戶的管理員嘗試離開組織時收到警告。您可以設定尋找這些動作的 EventBridge 規則,然後將產生的事件傳送到管理員定義的目標。目標可以是傳送電子郵件或文字訊息給其訂閱者的 Amazon SNS 主題。您也可以建立 AWS Lambda 函式,記錄動作的詳細資訊以供日後審閱。
如需示範如何啟用 EventBridge 來監控組織內關鍵活動的教學資訊,請參閱[教學課程:使用 Amazon EventBridge 監控您組織的重要變更](orgs_tutorials_cwe.md)。
**重要**
目前, AWS Organizations 僅託管在美國東部 (維吉尼亞北部) 區域 (即使全球皆可使用)。若要執行本教學課程中的步驟,您必須 AWS 管理主控台 將 設定為使用該區域。
若要進一步了解 EventBridge (包括如何配置及啟用 CloudWatch Events),請參閱 *[Amazon EventBridge 使用者指南](https://docs.aws.amazon.com/eventbridge/latest/userguide/)*。