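ActionTrail supports querying events related to Identity Management Service (IMS), the access control service. You can quickly query IMS events and obtain information such as the time, region, and RAM user of each event. This topic provides examples of IMS events.
An Alibaba Cloud account creates a RAM user in the console
The following example shows that at 14:59:52 on August 5, 2021 (Beijing time), an Alibaba Cloud account called the CreateUser operation to create the RAM user Alice@163205818484****.onaliyun.com.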
{
  "eventId": "80648075-F89C-555D-974B-78E436FE4331",
  "eventVersion": 1,
  "responseElements": {
    "User": {
      "UpdateDate": "2021-08-05T06:59:52Z",
      "Email": "username@example.com",
      "Comments": "",
      "UserId": "21284212814679*****",
      "LastLoginDate": "",
      "DisplayName": "Alice",
      "UserPrincipalName": "Alice@163205818484****.onaliyun.com",
      "CreateDate": "2021-08-05T06:59:52Z",
      "MobilePhone": "1381111****"
    },
    "RequestId": "80648075-F89C-555D-974B-78E436FE4331"
  },
  "eventSource": "ims-share.aliyuncs.com",
  "requestParameters": {
    "charset": "UTF-8",
    "AcsHost": "ims-share.aliyuncs.com",
    "AcsProduct": "Ims",
    "RequestId": "80648075-F89C-555D-974B-78E436FE4331",
    "DisplayName": "Alice",
    "AcceptLanguage": "zh-CN",
    "AkProxySuffix": "ram",
    "UserPrincipalName": "Alice@163205818484****.onaliyun.com",
    "HostId": "ims-share.aliyuncs.com"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "ram.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::User": [
      "Alice@163205818484****.onaliyun.com"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T06:59:52Z"
      }
    },
    "accountId": "163205818484****",
    "principalId": "163205818484****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "Ims",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26888"
  },
  "apiVersion": "2019-08-15",
  "requestId": "80648075-F89C-555D-974B-78E436FE4331",
  "eventTime": "2021-08-05T06:59:52Z",
  "isGlobal": true,
  "acsRegion": "cn-shanghai",
  "eventName": "CreateUser"
}
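The key fields in the example are described as follows:
userIdentity.type: the identity type of the requester. The value root-account indicates an Alibaba Cloud account.
serviceName: the name of the Alibaba Cloud service related to the event. The value Ims indicates IMS.
eventName: the event name. The value CreateUser indicates that a RAM user was created.
referencedResources: the list of resources affected by the event. The value {"ACS::RAM::User": ["Alice@163205818484****.onaliyun.com"]} indicates the RAM user Alice@163205818484****.onaliyun.com.
eventTime: the time when the event occurred, in UTC. The value 2021-08-05T06:59:52Z corresponds to 14:59:52 on August 5, 2021 (Beijing time).
A RAM user creates a RAM user in the console
The following example shows that at 14:44:37 on August 5, 2021 (Beijing time), the RAM user Alice called the CreateUser operation to create the RAM user test@189217171671****.onaliyun.com.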
{
  "eventId": "BB774582-E706-5B89-8540-84D9490D0F11",
  "eventVersion": 1,
  "responseElements": {
    "User": {
      "UpdateDate": "2021-08-05T06:44:37Z",
      "Email": "username@example.com",
      "Comments": "",
      "UserId": "27688052814587****",
      "LastLoginDate": "",
      "DisplayName": "test",
      "UserPrincipalName": "test@189217171671****.onaliyun.com",
      "CreateDate": "2021-08-05T06:44:37Z",
      "MobilePhone": "1381111****"
    },
    "RequestId": "BB774582-E706-5B89-8540-84D9490D0F11"
  },
  "eventSource": "ims-share.aliyuncs.com",
  "requestParameters": {
    "charset": "UTF-8",
    "AcsHost": "ims-share.aliyuncs.com",
    "AcsProduct": "Ims",
    "RequestId": "BB774582-E706-5B89-8540-84D9490D0F11",
    "DisplayName": "test",
    "AcceptLanguage": "zh-CN",
    "AkProxySuffix": "ram",
    "UserPrincipalName": "test@189217171671****.onaliyun.com",
    "HostId": "ims-share.aliyuncs.com"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "ram.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::User": [
      "test@189217171671****.onaliyun.com"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T06:44:37Z"
      }
    },
    "accountId": "189217171671****",
    "principalId": "26135379175722****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Ims",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2019-08-15",
  "requestId": "BB774582-E706-5B89-8540-84D9490D0F11",
  "eventTime": "2021-08-05T06:44:37Z",
  "isGlobal": true,
  "acsRegion": "cn-shanghai",
  "eventName": "CreateUser"
}
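The key fields in the example are described as follows:
userIdentity.type: the identity type of the requester. The value ram-user indicates a RAM user.
userIdentity.userName: the RAM user name of the requester.
serviceName: the name of the Alibaba Cloud service related to the event. The value Ims indicates IMS.
eventName: the event name. The value CreateUser indicates that a RAM user was created.
referencedResources: the list of resources affected by the event. The value {"ACS::RAM::User": ["test@189217171671****.onaliyun.com"]} indicates the RAM user test@189217171671****.onaliyun.com.
eventTime: the time when the event occurred, in UTC. The value 2021-08-05T06:44:37Z corresponds to 14:44:37 on August 5, 2021 (Beijing time).
A RAM user creates a RAM user by calling an API operation with an AccessKey (AK)
The following example shows that at 14:52:21 on August 5, 2021 (Beijing time), the RAM user Alice used the AK LTAI4Fz1ykT4qxgNMvN6**** to call the CreateUser operation and create the RAM user test@example.onaliyun.com.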
{
  "eventId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
  "eventVersion": 1,
  "responseElements": {
    "User": {
      "UpdateDate": "2021-08-05T06:52:21Z",
      "Email": "username@example.com",
      "Comments": "",
      "UserId": "23705482814634****",
      "LastLoginDate": "",
      "DisplayName": "test",
      "UserPrincipalName": "test@example.onaliyun.com",
      "CreateDate": "2021-08-05T06:52:21Z",
      "MobilePhone": "1381111****"
    },
    "RequestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3"
  },
  "eventSource": "ims.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "ims.aliyuncs.com",
    "AcsProduct": "Ims",
    "RequestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
    "DisplayName": "test",
    "UserPrincipalName": "test@example.onaliyun.com",
    "HostId": "ims.aliyuncs.com"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Mac OS X; x86_64) Java/1.8.0_151-b12 tea-util/0.2.6 TeaDSL/1",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::User": [
      "test@example.onaliyun.com"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAI4Fz1ykT4qxgNMvN6****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T06:52:21Z"
      }
    },
    "accountId": "121410627017****",
    "principalId": "29041080637456****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Ims",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2019-08-15",
  "requestId": "ED377CCF-2F1E-542D-96E6-25ACD4C866E3",
  "eventTime": "2021-08-05T06:52:21Z",
  "isGlobal": true,
  "acsRegion": "cn-shanghai",
  "eventName": "CreateUser"
}
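The key fields in the example are described as follows:
userIdentity.accessKeyId: the AccessKey ID used to make the API call. The value is LTAI4Fz1ykT4qxgNMvN6****.
userIdentity.principalId: the ID of the account to which the AK belongs. The value is 29041080637456****.
userIdentity.type: the identity type of the requester. The value ram-user indicates a RAM user.
serviceName: the name of the Alibaba Cloud service related to the event. The value Ims indicates IMS.
eventName: the event name. The value CreateUser indicates that a RAM user was created.
referencedResources: the list of resources affected by the event. The value {"ACS::RAM::User": ["test@example.onaliyun.com"]} indicates the RAM user test@example.onaliyun.com.
eventTime: the time when the event occurred, in UTC. The value 2021-08-05T06:52:21Z corresponds to 14:52:21 on August 5, 2021 (Beijing time).
A RAM user creates a RAM user by assuming a role
The following example shows that at 14:50:12 on August 5, 2021 (Beijing time), a RAM user in the Alibaba Cloud account 189217171671**** assumed the role ram-role in its own account and created the RAM user test@189217171671****.onaliyun.com.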
{
  "eventId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
  "eventVersion": 1,
  "responseElements": {
    "User": {
      "UpdateDate": "2021-08-05T06:50:12Z",
      "Email": "username@example.com",
      "Comments": "",
      "UserId": "20560232814621****",
      "LastLoginDate": "",
      "DisplayName": "test",
      "UserPrincipalName": "test@189217171671****.onaliyun.com",
      "CreateDate": "2021-08-05T06:50:12Z",
      "MobilePhone": "1381111****"
    },
    "RequestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0"
  },
  "eventSource": "ims-share.aliyuncs.com",
  "requestParameters": {
    "stsTokenPrincipalName": "ram-role/roleTest123",
    "charset": "UTF-8",
    "AcsHost": "ims-share.aliyuncs.com",
    "AcsProduct": "Ims",
    "RequestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
    "DisplayName": "test",
    "AcceptLanguage": "zh-CN",
    "AkProxySuffix": "ram",
    "UserPrincipalName": "test@189217171671****.onaliyun.com",
    "HostId": "ims-share.aliyuncs.com",
    "stsTokenPlayerUid": 189217171671****
  },
  "sourceIpAddress": "Internal",
  "userAgent": "ram.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RAM::User": [
      "test@189217171671****.onaliyun.com"
    ]
  },
  "userIdentity": {
    "accessKeyId": "STS.NTGje1eLLVFMNcgRsLVic****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T06:50:12Z"
      }
    },
    "accountId": "189217171671****",
    "principalId": "37177545076791****:roleTest123",
    "type": "assumed-role",
    "userName": "ram-role:roleTest123"
  },
  "serviceName": "Ims",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2019-08-15",
  "requestId": "7831E25F-2AAF-522B-A6A8-228ED41396C0",
  "eventTime": "2021-08-05T06:50:12Z",
  "isGlobal": true,
  "acsRegion": "cn-shanghai",
  "eventName": "CreateUser"
}
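The key fields in the example are described as follows:
userIdentity.type: the identity type of the requester. The value assumed-role indicates a RAM role.
userIdentity.userName: the user name of the requester, in the format {roleName}:{sessionName}, where roleName is the name of the assumed role and sessionName is the name specified when the role was assumed. The value ram-role:roleTest123 indicates that the assumed RAM role is named ram-role and the name specified when assuming the role is roleTest123.
requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account that assumed the role. The value is 189217171671****.
referencedResources: the list of resources affected by the event. The value {"ACS::RAM::User": ["test@189217171671****.onaliyun.com"]} indicates the RAM user test@189217171671****.onaliyun.com.
serviceName: the name of the Alibaba Cloud service related to the event. The value Ims indicates IMS.
eventName: the event name. The value CreateUser indicates that a RAM user was created.
eventTime: the time when the event occurred, in UTC. The value 2021-08-05T06:50:12Z corresponds to 14:50:12 on August 5, 2021 (Beijing time).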
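The four examples differ mainly in userIdentity, so a reviewer can triage CreateUser events by reading that object together with referencedResources and eventTime. The following Python sketch is an added example, not code from ActionTrail or this page: the function names, the output labels, and the root-account and no-mfa flags are assumptions for illustration, and the sample events are constructed from the masked values shown above.

```python
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))

def make_event(identity, when, target):
    """Constructed CreateUser event holding only the fields read below."""
    identity["sessionContext"] = {"attributes": {"mfaAuthenticated": "false"}}
    return {"serviceName": "Ims", "eventName": "CreateUser", "eventTime": when,
            "userIdentity": identity,
            "referencedResources": {"ACS::RAM::User": [target]}}

# Constructed sample input, shaped like the four masked examples on this page.
SAMPLE_EVENTS = [
    make_event({"type": "root-account", "userName": "root"},
               "2021-08-05T06:59:52Z", "Alice@163205818484****.onaliyun.com"),
    make_event({"type": "ram-user", "userName": "Alice"},
               "2021-08-05T06:44:37Z", "test@189217171671****.onaliyun.com"),
    make_event({"type": "ram-user", "userName": "Alice",
                "accessKeyId": "LTAI4Fz1ykT4qxgNMvN6****"},
               "2021-08-05T06:52:21Z", "test@example.onaliyun.com"),
    make_event({"type": "assumed-role", "userName": "ram-role:roleTest123",
                "accessKeyId": "STS.NTGje1eLLVFMNcgRsLVic****"},
               "2021-08-05T06:50:12Z", "test@189217171671****.onaliyun.com"),
]

def summarize(event):
    """Reduce one event to who acted, with which credential, on what, and when."""
    ident = event["userIdentity"]
    kind, name, key = ident["type"], ident.get("userName", ""), ident.get("accessKeyId", "")
    if kind == "assumed-role":  # userName is {roleName}:{sessionName}
        role, _, session = name.partition(":")
        actor = f"role {role} (session {session})"
    elif kind == "root-account":
        actor = "Alibaba Cloud account"
    else:
        actor = f"{kind} {name}"
    credential = "sts-token" if key.startswith("STS.") else "access-key" if key else "none-recorded"
    utc = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    # Assumed review policy (not from the page): flag root use and missing MFA.
    flags = [f for f, hit in (("root-account", kind == "root-account"), ("no-mfa", mfa != "true")) if hit]
    return {"actor": actor, "credential": credential, "flags": flags,
            "targets": event.get("referencedResources", {}).get("ACS::RAM::User", []),
            "beijing_time": utc.astimezone(BEIJING).strftime("%Y-%m-%d %H:%M:%S")}

def created_users(events):
    """Summaries of IMS CreateUser events; other services and actions are skipped."""
    return [summarize(e) for e in events
            if e.get("serviceName") == "Ims" and e.get("eventName") == "CreateUser"]
```

Calling created_users(SAMPLE_EVENTS) returns one summary per event, in the same order as the four examples on this page.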