本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 EventBridge 自動化適用於 SCEP 的連接器
您可以使用 [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cwe-now-eb.html) 自動化您的 AWS 服務,並自動回應系統事件,例如應用程式可用性問題或資源變更。 AWS 服務的事件會以接近即時的方式傳送到 EventBridge。您可撰寫簡單的規則,指出您在意的事件,以及當事件符合規則時所要自動執行的動作。EventBridge 至少發佈一次。如需詳細資訊,請參閱[建立對 EventBridge 中的事件做出反應的規則](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html)。
CloudWatch Events 會使用 EventBridge 轉換為動作。使用 EventBridge,您可以使用事件來觸發目標。如需詳細資訊,請參閱[什麼是 Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html)
## Connector for SCEP 事件類型
### 憑證發行成功
當我們發出憑證以回應`PkiOperationPost`請求時,Connector for SCEP 會將`Certificate Issuance Succeeded`事件傳送至 EventBridge。
以下是事件的範例資料。
```
{
"version": "0",
"id": "event_ID",
"detail-type": "Certificate Issuance Succeeded",
"source": "aws.pca-connector-scep",
"account": "account",
"time": "2024-09-12T19:14:56Z",
"region": "region",
"resources":[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
],
"detail": {
"result": "success",
"requestType": "PkiOperationPost",
"certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}
}
```
### 憑證發行失敗
當我們無法發出憑證以回應`PkiOperationPost`請求時,Connector for SCEP 會將`Certificate Issuance Failed`事件傳送至 EventBridge。
以下是事件的範例資料。
```
{
"version": "0",
"id": "event_ID",
"detail-type": "Certificate Issuance Failed",
"source": "aws.pca-connector-scep",
"account": "account",
"time": "2024-09-12T19:14:56Z",
"region": "region",
"resources":[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
],
"detail": {
"result": "failure",
"requestType": "PkiOperationPost",
"reason": "The certificate authority is not active."
}
}
```
### 憑證授權單位憑證擷取成功
當我們收到`GetCACert`請求並成功擷取連接器的私有 CA 憑證時,Connector for SCEP 會將`Certificate Authority Certificate Retrieval Succeeded`事件傳送至 EventBridge。
以下是事件的範例資料。
```
{
"version": "0",
"id": "event_ID",
"detail-type": "Certificate Authority Certificate Retrieval Succeeded",
"source": "aws.pca-connector-scep",
"account": "account",
"time": "2024-09-12T19:14:56Z",
"region": "region",
"resources":[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
],
"detail": {
"result": "success",
"requestType": "GetCACert"
}
}
```
### 憑證授權單位憑證擷取失敗
Connector for SCEP 會在我們收到`GetCACert`請求且無法擷取連接器的私有 CA 憑證時,將`Certificate Authority Certificate Retrieval Failed`事件傳送至 EventBridge。事件包含失敗的原因。
以下是事件的範例資料。
```
{
"version": "0",
"id": "event_ID",
"detail-type": "Certificate Authority Certificate Retrieval Failed",
"source": "aws.pca-connector-scep",
"account": "account",
"time": "2024-09-12T19:14:56Z",
"region": "region",
"resources":[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
],
"detail": {
"result": "failure",
"requestType": "GetCACert",
"reason": "The certificate authority certificate validity must be at least one year from today."
}
}
```
### 憑證授權單位憑證擷取成功
當我們收到`GetCACert`請求並成功擷取連接器的私有 CA 憑證時,Connector for SCEP 會將`Certificate Authority Certificate Retrieval Succeeded`事件傳送至 EventBridge。
以下是事件的範例資料。
```
{
"version": "0",
"id": "event_ID",
"detail-type": "Certificate Authority Certificate Retrieval Succeeded",
"source": "aws.pca-connector-scep",
"account": "account",
"time": "2024-09-12T19:14:56Z",
"region": "region",
"resources":[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
],
"detail": {
"result": "success",
"requestType": "GetCACert"
}
}
```
### 憑證授權單位功能擷取成功
當我們收到 SCEP `GetCACaps`請求並成功擷取 CA 的功能時,Connector for SCEP 會將`Certificate Authority Capabilities Retrieval Succeeded`事件傳送至 EventBridge。
以下是事件的範例資料。
```
```
### 憑證授權機構功能擷取失敗
當我們收到 SCEP `GetCACaps`請求且無法擷取 CA 的功能時,Connector for SCEP 會將`Certificate Authority Capabilities Retrieval Failed`事件傳送至 EventBridge。我們在事件中包含失敗的原因。
以下是事件的範例資料。
```
{
"resources":
[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector11223344-1234-1122-2233-112233445566"
],
"detailType":"Certificate Authority Capabilities Retrieval Failed",
"detail": {
"result":"failure",
"requestType":"GetCACaps",
"reason":"The request was denied due to request throttling."
},
"source":"aws.pca-connector-scep","accountId":"111122223333"
}
```
### 叫用不支援的操作
**叫用不支援的操作**
如果傳送至連接器端點的操作不受支援或未知,Connector for SCEP 會將`Unsupported Operation Invoked`事件傳送至 EventBridge。
```
{
"version": "0",
"id": "event_ID",
"detail-type": "Unsupported Operation Invoked",
"source": "aws.pca-connector-scep",
"account": "account",
"time": "2024-09-12T19:14:56Z",
"region": "region",
"resources":[
"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"arn:aws:pca-connector-scep:us-east-1:111122223333:connector/11223344-1234-1122-2233-112233445566"
],
"detail": {}
}
```
## 建立 EventBridge 規則
在 EventBridge 中,您可以建立回應 CloudTrail 記錄之事件的規則。若要建立包含 Connector for SCEP 記錄的所有事件的規則,請將來源設定為 `aws.pca-connector-scep`。如需規則的詳細資訊,請參閱[在 Amazon EventBridge 中建立規則](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html#eb-gs-create-rule)。