我已经使用AWS管理控制台启用了CloudTrail,Amazon S3 Bucket策略是在启用CloudTrail时自动创建的默认策略。在AWS CloudTrail中获取用户登录和注销信息
我可以找到有关我的登录以及所有其他偶数日志的日志,但没有关于注销的信息。有什么我需要为它做或者根本就不在那里?不会将注销分类为事件?
编辑1
我是新来CloudTrail,并试图了解什么是可能的,什么不是。我有一个IAM用户,它只能读写一个存储桶并列出所有存储桶。当使用它时,我调用aws ec2 describe-instances
我可以在日志中看到errorCode: "Client.UnauthorizedOperation"
,但是当我执行aws s3 cp
或aws s3 ls
并且它成功时,它不会被记录。这是创建的默认存储桶策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20131101",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::903692715234:root",
"arn:aws:iam::859597730677:root",
"arn:aws:iam::814480443879:root",
"arn:aws:iam::216624486486:root",
"arn:aws:iam::086441151436:root",
"arn:aws:iam::388731089494:root",
"arn:aws:iam::284668455005:root",
"arn:aws:iam::113285607260:root"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::MY_BUCKET"
},
{
"Sid": "AWSCloudTrailWrite20131101",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::903692715234:root",
"arn:aws:iam::859597730677:root",
"arn:aws:iam::814480443879:root",
"arn:aws:iam::216624486486:root",
"arn:aws:iam::086441151436:root",
"arn:aws:iam::388731089494:root",
"arn:aws:iam::284668455005:root",
"arn:aws:iam::113285607260:root"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MY_BUCKET/MY_PREFIX/AWSLogs/MY_ACCOUNT_ID/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
在哪里?为什么有这么可能Principal
来自 - 他们不是我的账户,他们是由AWS当我启用CloudTrail创建。这些AWS账户是否将日志传送到我的存储桶中,是否应该在那里?
编辑2
从typepad's post,日志记录,S3还没有出现。我看到的登录实际上是由于AWS安全令牌服务(STS)GetSessionToken
调用。在从控制台注销的情况下,似乎没有对STS的呼叫,因此没有生成日志。