Action Trail支援查詢存取控制IMS(Identity Management Service)相關事件。您可以快速查詢IMS事件並擷取事件發生的時間、地區、RAM使用者等資訊。本文為您舉例說明IMS相關事件。
阿里雲帳號通過控制台建立RAM使用者
以下樣本表示,在北京時間2021年08月05日14:59:52,阿里雲帳號調用CreateUser介面建立了一個RAM使用者Alice@163205818484****.onaliyun.com。
{
"eventId": "80648075-F89C-555D-974B-78E436FE4331",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:59:52Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "21284212814679*****",
"LastLoginDate": "",
"DisplayName": "Alice",
"UserPrincipalName": "Alice@163205818484****.onaliyun.com",
"CreateDate": "2021-08-05T06:59:52Z",
"MobilePhone": "1381111****"
},
"RequestId": "80648075-F89C-555D-974B-78E436FE4331"
},
"eventSource": "ims-share.aliyuncs.com",
"requestParameters": {
"charset": "UTF-8",
"AcsHost": "ims-share.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "80648075-F89C-555D-974B-78E436FE4331",
"DisplayName": "Alice",
"AcceptLanguage": "zh-CN",
"AkProxySuffix": "ram",
"UserPrincipalName": "Alice@163205818484****.onaliyun.com",
"HostId": "ims-share.aliyuncs.com"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "ram.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"Alice@163205818484****.onaliyun.com"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:59:52Z"
}
},
"accountId": "163205818484****",
"principalId": "163205818484****",
"type": "root-account",
"userName": "root"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26888"
},
"apiVersion": "2019-08-15",
"requestId": "80648075-F89C-555D-974B-78E436FE4331",
"eventTime": "2021-08-05T06:59:52Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}樣本中關鍵字段含義如下:
userIdentity.type:要求者的身份類型。取值為root-account,表示阿里雲帳號。serviceName:事件相關的阿里雲服務名稱。取值為Ims,表示IMS。eventName:事件名稱。取值為CreateUser,表示建立RAM使用者。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::User": ["Alice@163205818484****.onaliyun.com"]},表示RAM使用者Alice@163205818484****.onaliyun.com。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T06:59:52Z,表示北京時間2021年08月05日14:59:52。
RAM使用者通過控制台建立RAM使用者
以下樣本表示,在北京時間2021年08月05日14:44:37,RAM使用者Alice調用CreateUser介面建立了一個RAM使用者test@189217171671****.onaliyun.com。
{
"eventId": "BB774582-E706-5B89-8540-84D9490D0F11",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:44:37Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "27688052814587****",
"LastLoginDate": "",
"DisplayName": "test",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"CreateDate": "2021-08-05T06:44:37Z",
"MobilePhone": "1381111****"
},
"RequestId": "BB774582-E706-5B89-8540-84D9490D0F11"
},
"eventSource": "ims-share.aliyuncs.com",
"requestParameters": {
"charset": "UTF-8",
"AcsHost": "ims-share.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "BB774582-E706-5B89-8540-84D9490D0F11",
"DisplayName": "test",
"AcceptLanguage": "zh-CN",
"AkProxySuffix": "ram",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"HostId": "ims-share.aliyuncs.com"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "ram.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"test@189217171671****.onaliyun.com"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:44:37Z"
}
},
"accountId": "189217171671****",
"principalId": "26135379175722****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2019-08-15",
"requestId": "BB774582-E706-5B89-8540-84D9490D0F11",
"eventTime": "2021-08-05T06:44:37Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}樣本中關鍵字段含義如下:
userIdentity.type:要求者的身份類型。取值為ram-user,表示RAM使用者。userIdentity.userName:要求者的RAM使用者名稱稱。serviceName:事件相關的阿里雲服務名稱。取值為Ims,表示IMS。eventName:事件名稱。取值為CreateUser,表示建立RAM使用者。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::User": ["test@189217171671****.onaliyun.com"]},表示RAM使用者test@189217171671****.onaliyun.com。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T06:44:37Z,表示北京時間2021年08月05日14:44:37。
RAM使用者通過AK調用API建立RAM使用者
以下樣本表示,在北京時間2021年08月05日14:52:21,RAM使用者Alice通過AK LTAI4Fz1ykT4qxgNMvN6****調用CreateUser介面建立了一個RAM使用者test@example.onaliyun.com。
{
"eventId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:52:21Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "23705482814634****",
"LastLoginDate": "",
"DisplayName": "test",
"UserPrincipalName": "test@example.onaliyun.com",
"CreateDate": "2021-08-05T06:52:21Z",
"MobilePhone": "1381111****"
},
"RequestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3"
},
"eventSource": "ims.aliyuncs.com",
"requestParameters": {
"AcsHost": "ims.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
"DisplayName": "test",
"UserPrincipalName": "test@example.onaliyun.com",
"HostId": "ims.aliyuncs.com"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_151-b12 tea-util/0.2.6 TeaDSL/1",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"test@example.onaliyun.com"
]
},
"userIdentity": {
"accessKeyId": "LTAI4Fz1ykT4qxgNMvN6****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:52:21Z"
}
},
"accountId": "121410627017****",
"principalId": "29041080637456****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2019-08-15",
"requestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
"eventTime": "2021-08-05T06:52:21Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}樣本中關鍵字段含義如下:
userIdentity.accessKeyId:發起API調用的AccessKey ID。取值為LTAI4Fz1ykT4qxgNMvN6****。userIdentity.principalId:AK所屬的帳號ID。取值為29041080637456****。userIdentity.type:要求者的身份類型。取值為ram-user,表示RAM使用者。serviceName:事件相關的阿里雲服務名稱。取值為Ims,表示IMS。eventName:事件名稱。取值為CreateUser,表示建立RAM使用者。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::User": ["test@example.onaliyun.com"]},表示RAM使用者test@example.onaliyun.com。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T06:52:21Z,表示北京時間2021年08月05日14:52:21。
RAM使用者通過角色扮演建立RAM使用者
以下樣本表示,在北京時間2021年08月05日14:50:12,阿里雲帳號189217171671****中的RAM使用者通過扮演自己帳號下的ram-role角色建立了一個RAM使用者test@189217171671****.onaliyun.com。
{
"eventId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
"eventVersion": 1,
"responseElements": {
"User": {
"UpdateDate": "2021-08-05T06:50:12Z",
"Email": "username@example.com",
"Comments": "",
"UserId": "20560232814621****",
"LastLoginDate": "",
"DisplayName": "test",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"CreateDate": "2021-08-05T06:50:12Z",
"MobilePhone": "1381111****"
},
"RequestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0"
},
"eventSource": "ims-share.aliyuncs.com",
"requestParameters": {
"stsTokenPrincipalName": "ram-role/roleTest123",
"charset": "UTF-8",
"AcsHost": "ims-share.aliyuncs.com",
"AcsProduct": "Ims",
"RequestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
"DisplayName": "test",
"AcceptLanguage": "zh-CN",
"AkProxySuffix": "ram",
"UserPrincipalName": "test@189217171671****.onaliyun.com",
"HostId": "ims-share.aliyuncs.com",
"stsTokenPlayerUid": 189217171671****
},
"sourceIpAddress": "Internal",
"userAgent": "ram.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::RAM::User": [
"test@189217171671****.onaliyun.com"
]
},
"userIdentity": {
"accessKeyId": "STS.NTGje1eLLVFMNcgRsLVic****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T06:50:12Z"
}
},
"accountId": "189217171671****",
"principalId": "37177545076791****:roleTest123",
"type": "assumed-role",
"userName": "ram-role:roleTest123"
},
"serviceName": "Ims",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2019-08-15",
"requestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
"eventTime": "2021-08-05T06:50:12Z",
"isGlobal": true,
"acsRegion": "cn-shanghai",
"eventName": "CreateUser"
}樣本中關鍵字段含義如下:
userIdentity.type:要求者的身份類型。取值為assumed-role,表示RAM角色。userIdentity.userName:要求者的使用者名稱。格式為{roleName}:{sessionName},roleName表示被扮演的角色名稱,sessionName表示進行角色扮演時指定的名稱。取值為ram-role:roleTest123,表示被扮演的RAM角色名稱是ram-role,進行角色扮演時指定的名稱為roleTest123。requestParameters.stsTokenPlayerUid:扮演者的阿里雲帳號ID。取值為189217171671****。referencedResources:事件影響的資源清單。取值為{"ACS::RAM::User": ["test@189217171671****.onaliyun.com"]},表示RAM使用者test@189217171671****.onaliyun.com。serviceName:事件相關的阿里雲服務名稱。取值為Ims,表示IMS。eventName:事件名稱。取值為CreateUser,表示建立RAM使用者。eventTime:事件發生的時間(UTC格式)。取值為2021-08-05T06:50:12Z,表示北京時間2021年08月05日14:50:12。