总体对比
下表从不同的角度对比了一下AWS和Azure审计功能的差异。
| AWS | Azure | |
|---|---|---|
| 接口风格 | RPC,审计围绕接口来做。 | RESTful,审计围绕资源来做。 |
| 认证方式 | AK/STS | OAuth 2.0 |
| 审计产品 | CloudTrail支持所有OpenAPI的审计。不走OpenAPI的产品需要产品自己提供审计功能。 | Activity Logs负责基础设施资源的审计;Diagnostic Logs和产品自己的Audit功能负责云产品资源的审计。 |
| Region化支持 | 历史事件和跟踪都区分Region | 每个Subscription有一个Activity Logs,每个Activity Logs会收集所有Region的日志。 |
| 事件格式 | 增改删操作记录返回结果 | Activity Logs不记录返回结果 |
| 历史事件 | 包含读写事件,数据保存三个月。 | 包括针对资源的Create、Update、Delete等写操作,不包含GET操作,数据保存一个月。 |
| 持久存储 | Trail+OSS/CloudWatch。每个账号最多可创建5个跟踪。 | Log Profile+Storage Account/Event Hubs。每个Subscription只能创建一个Log Profile。 |
| 安全保护 | 写OSS Bucket支持CMK加密和完整性验证。但是OSS Bucket和CloudWatch不能防止被删除。 | Storage Account支持delete lock,不过也可以被删除。 |
| 数据分析 | OSS Bucket可以导入Athena,也可以通过函数计算导入到各种分析平台;CloudWatch的查询功能非常强大。 | Event Hubs可将数据导入Power BI做分析 |
| 监控报警 | 支持 | 支持 |
AWS审计事件实例
AWS创建一台虚机日志如下所示。
{
"eventVersion": "1.05",
"userIdentity": {
"type": "Root",
"principalId": "978343370577",
"arn": "arn:aws:iam::978343370577:root",
"accountId": "978343370577",
"accessKeyId": "AKIAICYCQ4IVL5QIDKUQ"
},
"eventTime": "2018-05-30T07:25:29Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "RunInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "42.120.74.88",
"userAgent": "aws-cli/1.15.5 Python/2.7.10 Darwin/17.5.0 botocore/1.10.5",
"requestParameters": {
"instancesSet": {
"items": [
{
"imageId": "ami-c636c6be",
"minCount": 1,
"maxCount": 1
}
]
},
"instanceType": "t2.micro",
"blockDeviceMapping": {},
"monitoring": {
"enabled": false
},
"disableApiTermination": false
},
"responseElements": {
"requestId": "7efffacc-139b-470b-a4f2-df3d6cef7707",
"reservationId": "r-031f9eacfbe733073",
"ownerId": "978343370577",
"groupSet": {},
"instancesSet": {
"items": [
{
"instanceId": "i-0a05bf603be8ea691",
"imageId": "ami-c636c6be",
"instanceState": {
"code": 0,
"name": "pending"
},
"privateDnsName": "ip-172-31-19-125.us-west-2.compute.internal",
"amiLaunchIndex": 0,
"productCodes": {},
"instanceType": "t2.micro",
"launchTime": 1527665129000,
"placement": {
"availabilityZone": "us-west-2b",
"tenancy": "default"
},
"monitoring": {
"state": "disabled"
},
"subnetId": "subnet-bc163ddb",
"vpcId": "vpc-c4adb2a3",
"privateIpAddress": "172.31.19.125",
"stateReason": {
"code": "pending",
"message": "pending"
},
"architecture": "x86_64",
"rootDeviceType": "ebs",
"rootDeviceName": "/dev/sda1",
"blockDeviceMapping": {},
"virtualizationType": "hvm",
"hypervisor": "xen",
"groupSet": {
"items": [
{
"groupId": "sg-e85b7893",
"groupName": "default"
}
]
},
"sourceDestCheck": true,
"networkInterfaceSet": {
"items": [
{
"networkInterfaceId": "eni-505c8168",
"subnetId": "subnet-bc163ddb",
"vpcId": "vpc-c4adb2a3",
"ownerId": "978343370577",
"status": "in-use",
"macAddress": "02:28:ab:7d:f6:f6",
"privateIpAddress": "172.31.19.125",
"privateDnsName": "ip-172-31-19-125.us-west-2.compute.internal",
"sourceDestCheck": true,
"groupSet": {
"items": [
{
"groupId": "sg-e85b7893",
"groupName": "default"
}
]
},
"attachment": {
"attachmentId": "eni-attach-e7356599",
"deviceIndex": 0,
"status": "attaching",
"attachTime": 1527665129000,
"deleteOnTermination": true
},
"privateIpAddressesSet": {
"item": [
{
"privateIpAddress": "172.31.19.125",
"privateDnsName": "ip-172-31-19-125.us-west-2.compute.internal",
"primary": true
}
]
},
"ipv6AddressesSet": {},
"tagSet": {}
}
]
},
"ebsOptimized": false,
"cpuOptions": {
"coreCount": 1,
"threadsPerCore": 1
}
}
]
}
},
"requestID": "7efffacc-139b-470b-a4f2-df3d6cef7707",
"eventID": "59f36b4f-e864-41b1-9c8b-8b05cbd17e10",
"eventType": "AwsApiCall",
"recipientAccountId": "978343370577"
}
审计事件会把本API操作的资源列出来。
image.png
Azure审计事件实例
Azure根据资源的类型,将日志分为Activity Logs、Diagnostic Logs、Application Logs等几种类型。Diagnostic Logs规范了Resource的日志,是一个很大的进步。
image.png
下面找几个典型产品的审计日志看看。
虚拟机
Azure创建一台虚机日志如下所示。
{
"authorization": {
"action": "Microsoft.Compute/virtualMachines/write",
"scope": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Compute/virtualMachines/cq-001"
},
"caller": "718878991@qq.com",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/e86128fb-fc4c-4044-8c6c-98002346bc88/",
"iat": "1530549732",
"nbf": "1530549732",
"exp": "1530553632",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"aio": "ASQA2/8HAAAAu/KE0Qal9vZvPPOGl+L3+6nrcCpoFBgppBg+nl1YPPw=",
"altsecid": "1:live.com:0003BFFD05FB0BB2",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
"appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
"appidacr": "2",
"e_exp": "262800",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "718878991@qq.com",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
"groups": "7a6c1cec-05ce-4bea-a805-20b60d406506",
"http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
"ipaddr": "47.252.17.42",
"name": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59 d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "b51ce2d8-a13c-4f3a-8363-b10ee32839b5",
"puid": "1003BFFDAC0CF6C2",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "CCwmmAtHStkNdb8oiwkKWEocuO9LobxKkpEWrpp1m5Y",
"http://schemas.microsoft.com/identity/claims/tenantid": "e86128fb-fc4c-4044-8c6c-98002346bc88",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#718878991@qq.com",
"uti": "Tzex0-uxAUe0EaA8iVMEAA",
"ver": "1.0",
"wids": "62e90394-69f5-4237-9190-012177145e10"
},
"correlationId": "43e37bb9-80bc-4e77-9def-b7fd398b9f08",
"description": "",
"eventDataId": "35304090-b004-4180-8123-5a58f3d0bb84",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2018-07-02T17:07:02.9329881Z",
"id": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Compute/virtualMachines/cq-001/events/35304090-b004-4180-8123-5a58f3d0bb84/ticks/636661480229329881",
"level": "Informational",
"operationId": "235cdd75-477c-46a9-9856-485992cf1555",
"operationName": {
"value": "Microsoft.Compute/virtualMachines/write",
"localizedValue": "Create or Update Virtual Machine"
},
"resourceGroupName": "cq",
"resourceProviderName": {
"value": "Microsoft.Compute",
"localizedValue": "Microsoft.Compute"
},
"resourceType": {
"value": "Microsoft.Compute/virtualMachines",
"localizedValue": "Microsoft.Compute/virtualMachines"
},
"resourceId": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Compute/virtualMachines/cq-001",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "",
"localizedValue": ""
},
"submissionTimestamp": "2018-07-02T17:07:23.1382036Z",
"subscriptionId": "daeb1c77-2026-44f1-9a48-3d5513c6e467",
"properties": {
"statusCode": "Created",
"serviceRequestId": "9330410e-8e78-4583-aee1-0d5b8a7e590e"
},
"relatedEvents": []
}
Azure使用JWT Bearer Token,所以claims里面的信息非常多,可以在https://jwt.io/里面解开看看。
PUT https://management.azure.com/subscriptions/58aa8093-df77-4b7f-b121-2ea1a1ebbad2/resourceGroups/%7BresourceGroupName%7D/providers/Microsoft.Compute/virtualMachines/%7BvmName%7D?api-version=2017-12-01
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlRpb0d5d3dsaHZkRmJYWjgxM1dwUGF5OUFsVSIsImtpZCI6IlRpb0d5d3dsaHZkRmJYWjgxM1dwUGF5OUFsVSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuY29yZS53aW5kb3dzLm5ldC8iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9lODYxMjhmYi1mYzRjLTQwNDQtOGM2Yy05ODAwMjM0NmJjODgvIiwiaWF0IjoxNTMyMDkzMjUwLCJuYmYiOjE1MzIwOTMyNTAsImV4cCI6MTUzMjA5NzE1MCwiYWNyIjoiMSIsImFpbyI6IjQyQmdZSkNTTXZpLzZkeWZTcEZ2Wnhmb3FDaGwxbjIvYVdSNTJ0RHczVXF4MnJhRUtab0EiLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwM0JGRkQwNUZCMEJCMiIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiI3ZjU5YTc3My0yZWFmLTQyOWMtYTA1OS01MGZjNWJiMjhiNDQiLCJhcHBpZGFjciI6IjIiLCJlX2V4cCI6MjYyODAwLCJlbWFpbCI6IjcxODg3ODk5MUBxcS5jb20iLCJmYW1pbHlfbmFtZSI6ImNlZWU3YzVhLThkOTEtNDdhYi1iOGEwLWI3MWJjMTA5MWE1OSIsImdpdmVuX25hbWUiOiJkN2I3YzcwYi1kMjg0LTQ4YzQtODUyNC01NTFhYTJjZGIxZDYiLCJncm91cHMiOlsiN2E2YzFjZWMtMDVjZS00YmVhLWE4MDUtMjBiNjBkNDA2NTA2Il0sImlkcCI6ImxpdmUuY29tIiwiaXBhZGRyIjoiNDcuMjUyLjEuMTMzIiwibmFtZSI6ImNlZWU3YzVhLThkOTEtNDdhYi1iOGEwLWI3MWJjMTA5MWE1OSBkN2I3YzcwYi1kMjg0LTQ4YzQtODUyNC01NTFhYTJjZGIxZDYiLCJvaWQiOiJiNTFjZTJkOC1hMTNjLTRmM2EtODM2My1iMTBlZTMyODM5YjUiLCJwdWlkIjoiMTAwM0JGRkRBQzBDRjZDMiIsInNjcCI6InVzZXJfaW1wZXJzb25hdGlvbiIsInN1YiI6IkNDd21tQXRIU3RrTmRiOG9pd2tLV0VvY3VPOUxvYnhLa3BFV3JwcDFtNVkiLCJ0aWQiOiJlODYxMjhmYi1mYzRjLTQwNDQtOGM2Yy05ODAwMjM0NmJjODgiLCJ1bmlxdWVfbmFtZSI6ImxpdmUuY29tIzcxODg3ODk5MUBxcS5jb20iLCJ1dGkiOiJDT2hfdGJpdUhVRzQ1VE9DeXhJT0FBIiwidmVyIjoiMS4wIiwid2lkcyI6WyI2MmU5MDM5NC02OWY1LTQyMzctOTE5MC0wMTIxNzcxNDVlMTAiXX0.NvCoikFBYVhrBnAP0AdZ_OolhP21cDgjCmfa3BBZWr8CgD0yY0_axG5Q1OCRv1RGkvstUj5iTU1ItRwDv-oObDwhIXT_01AwNm9Xi8tdljChdpzddYgoFuSzAMKM-_7aOhmFl2YGZim4c1dK2iBn8CR1j_xtbMZJUsNyWNoYdSQ6nx-jflu_oMfBTxfDM2jWw6DMK1xBb6pW7ObKAhMRiVrh8-Pwm3vS02bCA5EpuOa55TNYCtxqwnIrW2L5MwAMeL7bD7yNbBpUwxH9FW_SwZeRIut-AgD0bIFooxkLEJQWkOj3pO23dBkyKXDkCOJjtXOkBVY188qe2TcRJ82uxg
Content-type: application/json
image.png
创建一个ECS涉及众多资源,Activity Logs知道这些资源的从属关系,属于虚机的资源会聚合到一起。
image.png
同样的日志,会在Activity Logs里面有一份,在资源自己的Logs里面还会有一份。比如创建虚机的日志在虚机的Activity Logs里面也保存了。
image.png
数据库
Azure数据库的审计功能非常完善,它的审计体现在三个方面,Activity Logs记录数据库的操作,Diagnostic Logs记录数据库的状态,自身的Audit功能则审计执行的SQL。
创建数据库的Activity Logs审计事件如下所示。
image.png
{
"authorization": {
"action": "Microsoft.Sql/servers/databases/write",
"scope": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Sql/servers/cq001/databases/CQ001"
},
"caller": "718878991@qq.com",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/e86128fb-fc4c-4044-8c6c-98002346bc88/",
"iat": "1531881065",
"nbf": "1531881065",
"exp": "1531884965",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"aio": "42BgYKi2uf7kwJYkgdIrbwtt1xxJS5Hd9nVZ88+5nx3KvA20lH0B",
"altsecid": "1:live.com:0003BFFD05FB0BB2",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
"appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
"appidacr": "2",
"e_exp": "262800",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "718878991@qq.com",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
"groups": "7a6c1cec-05ce-4bea-a805-20b60d406506",
"http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
"ipaddr": "42.120.75.135",
"name": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59 d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "b51ce2d8-a13c-4f3a-8363-b10ee32839b5",
"puid": "1003BFFDAC0CF6C2",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "CCwmmAtHStkNdb8oiwkKWEocuO9LobxKkpEWrpp1m5Y",
"http://schemas.microsoft.com/identity/claims/tenantid": "e86128fb-fc4c-4044-8c6c-98002346bc88",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#718878991@qq.com",
"uti": "H2s27oSsSEeJzZMcKVYaAA",
"ver": "1.0",
"wids": "62e90394-69f5-4237-9190-012177145e10"
},
"correlationId": "0054cdb5-05e7-434d-81f9-da475fdbc60e",
"description": "",
"eventDataId": "f3155f54-58d1-4e7c-9965-d5f204cea8b8",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2018-07-18T02:50:21.5069973Z",
"id": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Sql/servers/cq001/databases/CQ001/events/f3155f54-58d1-4e7c-9965-d5f204cea8b8/ticks/636674790215069973",
"level": "Informational",
"operationId": "cebfd6d3-c89a-4e8d-be0e-1e4b805a14cc",
"operationName": {
"value": "Microsoft.Sql/servers/databases/write",
"localizedValue": "Update SQL database"
},
"resourceGroupName": "cq",
"resourceProviderName": {
"value": "Microsoft.Sql",
"localizedValue": "Microsoft SQL"
},
"resourceType": {
"value": "Microsoft.Sql/servers/databases",
"localizedValue": "Microsoft.Sql/servers/databases"
},
"resourceId": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Sql/servers/cq001/databases/CQ001",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "",
"localizedValue": ""
},
"submissionTimestamp": "2018-07-18T02:50:41.1021034Z",
"subscriptionId": "daeb1c77-2026-44f1-9a48-3d5513c6e467",
"relatedEvents": []
}
数据库的状态审计事件如下所示。
{
"LogicalServerName": "cq001",
"SubscriptionId": "daeb1c77-2026-44f1-9a48-3d5513c6e467",
"ResourceGroup": "cq",
"time": "2018-07-18T02:48:35.7300000Z",
"resourceId": "/SUBSCRIPTIONS/DAEB1C77-2026-44F1-9A48-3D5513C6E467/RESOURCEGROUPS/CQ/PROVIDERS/MICROSOFT.SQL/SERVERS/CQ001/DATABASES/CQ001",
"category": "DatabaseWaitStatistics",
"operationName": "DatabaseWaitStatistcsEvent",
"properties": {"ElasticPoolName":"","DatabaseName":"CQ001","start_utc_date":"2018-07-18T02:48:35.7300000Z","end_utc_date":"2018-07-18T02:53:35.7230000Z","wait_type":"SOS_SCHEDULER_YIELD","delta_max_wait_time_ms":15,"delta_signal_wait_time_ms":15,"delta_wait_time_ms":15,"delta_waiting_tasks_count":12}
}
{
"count": 0,
"total": 0,
"minimum": 0,
"maximum": 0,
"average": 0,
"resourceId": "/SUBSCRIPTIONS/DAEB1C77-2026-44F1-9A48-3D5513C6E467/RESOURCEGROUPS/CQ/PROVIDERS/MICROSOFT.SQL/SERVERS/CQ001/DATABASES/CQ001",
"time": "2018-07-18T02:44:00.0000000Z",
"metricName": "cpu_percent",
"timeGrain": "PT1M"
}
自身Audit功能记录的审计事件则以xel格式的文件保存,这种文件需要专门的工具才能打开。
image.png
这三种事件都支持投递到Storage Account和Event Hubs里面。
image.png
活动目录
活动目录提供自己的审计功能,但是不支持Diagnostic Logs。创建一个账号的日志如下所示。没有提供查看完整JSON格式事件的功能。
image.png
阿里云对不同API的支持
阿里云大部分产品使用RPC API,但是也有少部分产品使用REST API,比如容器服务CS和资源编排ROS。阿里云的REST API比较特殊在于,授权这块使用STS token,而非通用的OAuth 2.0 JWT Bearer token,并且支持HTTP协议,这增加了很多复杂性。STS token缺乏刷新机制。支持HTTP协议导致需要比较复杂的加签。针对REST API,阿里云会将其映射到一个虚拟的API,保持基础设施的兼容性。目前ActionTrail支持审计容器服务和资源编排这两个使用REST API的产品。
