AWS学习笔记--启用CloudTrail记录AWS 账户操作日志

Posted 2020-10-25

AWS 账户的操作日志去哪里查看？默认是没有记录的，需要启用CloudTrail才能记录日志。
启用CloudTrail非常简单，可以使用AWS CloudTrail Console或AWS CLI。

AWS CloudTrail Console

登录到AWS Management Console，然后打开CloudTrail console，点击Get Stared Now按钮，填充表单即可。CloudTail将日志保存在S3中，建议使用新的S3 Buket。Advanced中还有log file prefix,log file validation,Amazon SNS notifications选项。CloudTrail存储多个事件在一个日志文件中，SNS notification每个文件发送一次通知，而不是每个事件。
启用后就可以从CloudTrail console查看日志，增加、更新、删除、停用trail了。

AWS CLI

Create a trail

# Create a single-region trail
# The specified S3 bucket must already exist and have the appropriate CloudTrail permissions applied.

$ aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket

# Create a trail that applies to all regions

$ aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --is-multi-region-trail

Start logging

After the create-trail command completes, run the start-logging command to start logging for that trail.When you create a trail with the CloudTrail console or the create-subscription command, logging is turned on automatically.

$ aws cloudtrail start-logging --name my-trail

Stop logging

$ aws cloudtrail stop-logging --name my-trail

Update Trail

# Converting a multi-region trail to a single-region trail

$ aws cloudtrail update-trail --name my-trail --no-is-multi-region-trail

# Enabling log file validation

$ aws cloudtrail update-trail --name my-trail --enable-log-file-validation

Get trail status

$ aws cloudtrail get-trail-status --name my-trail

Retrieve trail settings

$ aws cloudtrail describe-trails

Delete a trail

$ aws cloudtrail delete-trail --name my-trail

删除trail不会删除S3和SNS topic

Creating and Updating a Trail with the CloudTrail Console
Creating and Updating a Trail with the AWS Command Line Interface