AWS和Azure审计功能对比

总体对比

下表从不同的角度对比了一下AWS和Azure审计功能的差异。

AWS Azure
接口风格 RPC,审计围绕接口来做。 RESTful,审计围绕资源来做。
认证方式 AK/STS OAuth 2.0
审计产品 CloudTrail支持所有OpenAPI的审计。不走OpenAPI的产品需要产品自己提供审计功能。 Activity Logs负责基础设施资源的审计;Diagnostic Logs和产品自己的Audit功能负责云产品资源的审计。
Region化支持 历史事件和跟踪都区分Region 每个Subscription有一个Activity Logs,每个Activity Logs会收集所有Region的日志。
事件格式 增改删操作记录返回结果 Activity Logs不记录返回结果
历史事件 包含读写事件,数据保存三个月。 包括针对资源的Create、Update、Delete等写操作,不包含GET操作,数据保存一个月。
持久存储 Trail+OSS/CloudWatch。每个账号最多可创建5个跟踪。 Log Profile+Storage Account/Event Hubs。每个Subscription只能创建一个Log Profile。
安全保护 写OSS Bucket支持CMK加密和完整性验证。但是OSS Bucket和CloudWatch不能防止被删除。 Storage Account支持delete lock,不过也可以被删除。
数据分析 OSS Bucket可以导入Athena,也可以通过函数计算导入到各种分析平台;CloudWatch的查询功能非常强大。 Event Hubs可将数据导入Power BI做分析
监控报警 支持 支持

AWS审计事件实例

AWS创建一台虚机日志如下所示。

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "Root",
        "principalId": "978343370577",
        "arn": "arn:aws:iam::978343370577:root",
        "accountId": "978343370577",
        "accessKeyId": "AKIAICYCQ4IVL5QIDKUQ"
    },
    "eventTime": "2018-05-30T07:25:29Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "42.120.74.88",
    "userAgent": "aws-cli/1.15.5 Python/2.7.10 Darwin/17.5.0 botocore/1.10.5",
    "requestParameters": {
        "instancesSet": {
            "items": [
                {
                    "imageId": "ami-c636c6be",
                    "minCount": 1,
                    "maxCount": 1
                }
            ]
        },
        "instanceType": "t2.micro",
        "blockDeviceMapping": {},
        "monitoring": {
            "enabled": false
        },
        "disableApiTermination": false
    },
    "responseElements": {
        "requestId": "7efffacc-139b-470b-a4f2-df3d6cef7707",
        "reservationId": "r-031f9eacfbe733073",
        "ownerId": "978343370577",
        "groupSet": {},
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-0a05bf603be8ea691",
                    "imageId": "ami-c636c6be",
                    "instanceState": {
                        "code": 0,
                        "name": "pending"
                    },
                    "privateDnsName": "ip-172-31-19-125.us-west-2.compute.internal",
                    "amiLaunchIndex": 0,
                    "productCodes": {},
                    "instanceType": "t2.micro",
                    "launchTime": 1527665129000,
                    "placement": {
                        "availabilityZone": "us-west-2b",
                        "tenancy": "default"
                    },
                    "monitoring": {
                        "state": "disabled"
                    },
                    "subnetId": "subnet-bc163ddb",
                    "vpcId": "vpc-c4adb2a3",
                    "privateIpAddress": "172.31.19.125",
                    "stateReason": {
                        "code": "pending",
                        "message": "pending"
                    },
                    "architecture": "x86_64",
                    "rootDeviceType": "ebs",
                    "rootDeviceName": "/dev/sda1",
                    "blockDeviceMapping": {},
                    "virtualizationType": "hvm",
                    "hypervisor": "xen",
                    "groupSet": {
                        "items": [
                            {
                                "groupId": "sg-e85b7893",
                                "groupName": "default"
                            }
                        ]
                    },
                    "sourceDestCheck": true,
                    "networkInterfaceSet": {
                        "items": [
                            {
                                "networkInterfaceId": "eni-505c8168",
                                "subnetId": "subnet-bc163ddb",
                                "vpcId": "vpc-c4adb2a3",
                                "ownerId": "978343370577",
                                "status": "in-use",
                                "macAddress": "02:28:ab:7d:f6:f6",
                                "privateIpAddress": "172.31.19.125",
                                "privateDnsName": "ip-172-31-19-125.us-west-2.compute.internal",
                                "sourceDestCheck": true,
                                "groupSet": {
                                    "items": [
                                        {
                                            "groupId": "sg-e85b7893",
                                            "groupName": "default"
                                        }
                                    ]
                                },
                                "attachment": {
                                    "attachmentId": "eni-attach-e7356599",
                                    "deviceIndex": 0,
                                    "status": "attaching",
                                    "attachTime": 1527665129000,
                                    "deleteOnTermination": true
                                },
                                "privateIpAddressesSet": {
                                    "item": [
                                        {
                                            "privateIpAddress": "172.31.19.125",
                                            "privateDnsName": "ip-172-31-19-125.us-west-2.compute.internal",
                                            "primary": true
                                        }
                                    ]
                                },
                                "ipv6AddressesSet": {},
                                "tagSet": {}
                            }
                        ]
                    },
                    "ebsOptimized": false,
                    "cpuOptions": {
                        "coreCount": 1,
                        "threadsPerCore": 1
                    }
                }
            ]
        }
    },
    "requestID": "7efffacc-139b-470b-a4f2-df3d6cef7707",
    "eventID": "59f36b4f-e864-41b1-9c8b-8b05cbd17e10",
    "eventType": "AwsApiCall",
    "recipientAccountId": "978343370577"
}

审计事件会把本API操作的资源列出来。

image.png

Azure审计事件实例

Azure根据资源的类型,将日志分为Activity Logs、Diagnostic Logs、Application Logs等几种类型。Diagnostic Logs规范了Resource的日志,是一个很大的进步。

image.png

下面找几个典型产品的审计日志看看。

虚拟机

Azure创建一台虚机日志如下所示。

{
    "authorization": {
        "action": "Microsoft.Compute/virtualMachines/write",
        "scope": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Compute/virtualMachines/cq-001"
    },
    "caller": "[email protected]",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/e86128fb-fc4c-4044-8c6c-98002346bc88/",
        "iat": "1530549732",
        "nbf": "1530549732",
        "exp": "1530553632",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "aio": "ASQA2/8HAAAAu/KE0Qal9vZvPPOGl+L3+6nrcCpoFBgppBg+nl1YPPw=",
        "altsecid": "1:live.com:0003BFFD05FB0BB2",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
        "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "appidacr": "2",
        "e_exp": "262800",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
        "groups": "7a6c1cec-05ce-4bea-a805-20b60d406506",
        "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
        "ipaddr": "47.252.17.42",
        "name": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59 d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "b51ce2d8-a13c-4f3a-8363-b10ee32839b5",
        "puid": "1003BFFDAC0CF6C2",
        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "CCwmmAtHStkNdb8oiwkKWEocuO9LobxKkpEWrpp1m5Y",
        "http://schemas.microsoft.com/identity/claims/tenantid": "e86128fb-fc4c-4044-8c6c-98002346bc88",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#[email protected]",
        "uti": "Tzex0-uxAUe0EaA8iVMEAA",
        "ver": "1.0",
        "wids": "62e90394-69f5-4237-9190-012177145e10"
    },
    "correlationId": "43e37bb9-80bc-4e77-9def-b7fd398b9f08",
    "description": "",
    "eventDataId": "35304090-b004-4180-8123-5a58f3d0bb84",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "eventTimestamp": "2018-07-02T17:07:02.9329881Z",
    "id": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Compute/virtualMachines/cq-001/events/35304090-b004-4180-8123-5a58f3d0bb84/ticks/636661480229329881",
    "level": "Informational",
    "operationId": "235cdd75-477c-46a9-9856-485992cf1555",
    "operationName": {
        "value": "Microsoft.Compute/virtualMachines/write",
        "localizedValue": "Create or Update Virtual Machine"
    },
    "resourceGroupName": "cq",
    "resourceProviderName": {
        "value": "Microsoft.Compute",
        "localizedValue": "Microsoft.Compute"
    },
    "resourceType": {
        "value": "Microsoft.Compute/virtualMachines",
        "localizedValue": "Microsoft.Compute/virtualMachines"
    },
    "resourceId": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Compute/virtualMachines/cq-001",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2018-07-02T17:07:23.1382036Z",
    "subscriptionId": "daeb1c77-2026-44f1-9a48-3d5513c6e467",
    "properties": {
        "statusCode": "Created",
        "serviceRequestId": "9330410e-8e78-4583-aee1-0d5b8a7e590e"
    },
    "relatedEvents": []
}

Azure使用JWT Bearer Token,所以claims里面的信息非常多,可以在https://jwt.io/里面解开看看。

PUT https://management.azure.com/subscriptions/58aa8093-df77-4b7f-b121-2ea1a1ebbad2/resourceGroups/%7BresourceGroupName%7D/providers/Microsoft.Compute/virtualMachines/%7BvmName%7D?api-version=2017-12-01
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlRpb0d5d3dsaHZkRmJYWjgxM1dwUGF5OUFsVSIsImtpZCI6IlRpb0d5d3dsaHZkRmJYWjgxM1dwUGF5OUFsVSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuY29yZS53aW5kb3dzLm5ldC8iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9lODYxMjhmYi1mYzRjLTQwNDQtOGM2Yy05ODAwMjM0NmJjODgvIiwiaWF0IjoxNTMyMDkzMjUwLCJuYmYiOjE1MzIwOTMyNTAsImV4cCI6MTUzMjA5NzE1MCwiYWNyIjoiMSIsImFpbyI6IjQyQmdZSkNTTXZpLzZkeWZTcEZ2Wnhmb3FDaGwxbjIvYVdSNTJ0RHczVXF4MnJhRUtab0EiLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwM0JGRkQwNUZCMEJCMiIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiI3ZjU5YTc3My0yZWFmLTQyOWMtYTA1OS01MGZjNWJiMjhiNDQiLCJhcHBpZGFjciI6IjIiLCJlX2V4cCI6MjYyODAwLCJlbWFpbCI6IjcxODg3ODk5MUBxcS5jb20iLCJmYW1pbHlfbmFtZSI6ImNlZWU3YzVhLThkOTEtNDdhYi1iOGEwLWI3MWJjMTA5MWE1OSIsImdpdmVuX25hbWUiOiJkN2I3YzcwYi1kMjg0LTQ4YzQtODUyNC01NTFhYTJjZGIxZDYiLCJncm91cHMiOlsiN2E2YzFjZWMtMDVjZS00YmVhLWE4MDUtMjBiNjBkNDA2NTA2Il0sImlkcCI6ImxpdmUuY29tIiwiaXBhZGRyIjoiNDcuMjUyLjEuMTMzIiwibmFtZSI6ImNlZWU3YzVhLThkOTEtNDdhYi1iOGEwLWI3MWJjMTA5MWE1OSBkN2I3YzcwYi1kMjg0LTQ4YzQtODUyNC01NTFhYTJjZGIxZDYiLCJvaWQiOiJiNTFjZTJkOC1hMTNjLTRmM2EtODM2My1iMTBlZTMyODM5YjUiLCJwdWlkIjoiMTAwM0JGRkRBQzBDRjZDMiIsInNjcCI6InVzZXJfaW1wZXJzb25hdGlvbiIsInN1YiI6IkNDd21tQXRIU3RrTmRiOG9pd2tLV0VvY3VPOUxvYnhLa3BFV3JwcDFtNVkiLCJ0aWQiOiJlODYxMjhmYi1mYzRjLTQwNDQtOGM2Yy05ODAwMjM0NmJjODgiLCJ1bmlxdWVfbmFtZSI6ImxpdmUuY29tIzcxODg3ODk5MUBxcS5jb20iLCJ1dGkiOiJDT2hfdGJpdUhVRzQ1VE9DeXhJT0FBIiwidmVyIjoiMS4wIiwid2lkcyI6WyI2MmU5MDM5NC02OWY1LTQyMzctOTE5MC0wMTIxNzcxNDVlMTAiXX0.NvCoikFBYVhrBnAP0AdZ_OolhP21cDgjCmfa3BBZWr8CgD0yY0_axG5Q1OCRv1RGkvstUj5iTU1ItRwDv-oObDwhIXT_01AwNm9Xi8tdljChdpzddYgoFuSzAMKM-_7aOhmFl2YGZim4c1dK2iBn8CR1j_xtbMZJUsNyWNoYdSQ6nx-jflu_oMfBTxfDM2jWw6DMK1xBb6pW7ObKAhMRiVrh8-Pwm3vS02bCA5EpuOa55TNYCtxqwnIrW2L5MwAMeL7bD7yNbBpUwxH9FW_SwZeRIut-AgD0bIFooxkLEJQWkOj3pO23dBkyKXDkCOJjtXOkBVY188qe2TcRJ82uxg
Content-type: application/json
image.png

创建一个ECS涉及众多资源,Activity Logs知道这些资源的从属关系,属于虚机的资源会聚合到一起。

image.png

同样的日志,会在Activity Logs里面有一份,在资源自己的Logs里面还会有一份。比如创建虚机的日志在虚机的Activity Logs里面也保存了。

image.png

数据库

Azure数据库的审计功能非常完善,它的审计体现在三个方面,Activity Logs记录数据库的操作,Diagnostic Logs记录数据库的状态,自身的Audit功能则审计执行的SQL。

创建数据库的Activity Logs审计事件如下所示。

image.png
{
    "authorization": {
        "action": "Microsoft.Sql/servers/databases/write",
        "scope": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Sql/servers/cq001/databases/CQ001"
    },
    "caller": "[email protected]",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/e86128fb-fc4c-4044-8c6c-98002346bc88/",
        "iat": "1531881065",
        "nbf": "1531881065",
        "exp": "1531884965",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "aio": "42BgYKi2uf7kwJYkgdIrbwtt1xxJS5Hd9nVZ88+5nx3KvA20lH0B",
        "altsecid": "1:live.com:0003BFFD05FB0BB2",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
        "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "appidacr": "2",
        "e_exp": "262800",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
        "groups": "7a6c1cec-05ce-4bea-a805-20b60d406506",
        "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
        "ipaddr": "42.120.75.135",
        "name": "ceee7c5a-8d91-47ab-b8a0-b71bc1091a59 d7b7c70b-d284-48c4-8524-551aa2cdb1d6",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "b51ce2d8-a13c-4f3a-8363-b10ee32839b5",
        "puid": "1003BFFDAC0CF6C2",
        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "CCwmmAtHStkNdb8oiwkKWEocuO9LobxKkpEWrpp1m5Y",
        "http://schemas.microsoft.com/identity/claims/tenantid": "e86128fb-fc4c-4044-8c6c-98002346bc88",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#[email protected]",
        "uti": "H2s27oSsSEeJzZMcKVYaAA",
        "ver": "1.0",
        "wids": "62e90394-69f5-4237-9190-012177145e10"
    },
    "correlationId": "0054cdb5-05e7-434d-81f9-da475fdbc60e",
    "description": "",
    "eventDataId": "f3155f54-58d1-4e7c-9965-d5f204cea8b8",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "eventTimestamp": "2018-07-18T02:50:21.5069973Z",
    "id": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Sql/servers/cq001/databases/CQ001/events/f3155f54-58d1-4e7c-9965-d5f204cea8b8/ticks/636674790215069973",
    "level": "Informational",
    "operationId": "cebfd6d3-c89a-4e8d-be0e-1e4b805a14cc",
    "operationName": {
        "value": "Microsoft.Sql/servers/databases/write",
        "localizedValue": "Update SQL database"
    },
    "resourceGroupName": "cq",
    "resourceProviderName": {
        "value": "Microsoft.Sql",
        "localizedValue": "Microsoft SQL"
    },
    "resourceType": {
        "value": "Microsoft.Sql/servers/databases",
        "localizedValue": "Microsoft.Sql/servers/databases"
    },
    "resourceId": "/subscriptions/daeb1c77-2026-44f1-9a48-3d5513c6e467/resourcegroups/cq/providers/Microsoft.Sql/servers/cq001/databases/CQ001",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2018-07-18T02:50:41.1021034Z",
    "subscriptionId": "daeb1c77-2026-44f1-9a48-3d5513c6e467",
    "relatedEvents": []
}

数据库的状态审计事件如下所示。

{
    "LogicalServerName": "cq001",
    "SubscriptionId": "daeb1c77-2026-44f1-9a48-3d5513c6e467",
    "ResourceGroup": "cq",
    "time": "2018-07-18T02:48:35.7300000Z",
    "resourceId": "/SUBSCRIPTIONS/DAEB1C77-2026-44F1-9A48-3D5513C6E467/RESOURCEGROUPS/CQ/PROVIDERS/MICROSOFT.SQL/SERVERS/CQ001/DATABASES/CQ001",
    "category": "DatabaseWaitStatistics",
    "operationName": "DatabaseWaitStatistcsEvent",
    "properties": {"ElasticPoolName":"","DatabaseName":"CQ001","start_utc_date":"2018-07-18T02:48:35.7300000Z","end_utc_date":"2018-07-18T02:53:35.7230000Z","wait_type":"SOS_SCHEDULER_YIELD","delta_max_wait_time_ms":15,"delta_signal_wait_time_ms":15,"delta_wait_time_ms":15,"delta_waiting_tasks_count":12}
}
{
    "count": 0,
    "total": 0,
    "minimum": 0,
    "maximum": 0,
    "average": 0,
    "resourceId": "/SUBSCRIPTIONS/DAEB1C77-2026-44F1-9A48-3D5513C6E467/RESOURCEGROUPS/CQ/PROVIDERS/MICROSOFT.SQL/SERVERS/CQ001/DATABASES/CQ001",
    "time": "2018-07-18T02:44:00.0000000Z",
    "metricName": "cpu_percent",
    "timeGrain": "PT1M"
}

自身Audit功能记录的审计事件则以xel格式的文件保存,这种文件需要专门的工具才能打开。

image.png

这三种事件都支持投递到Storage Account和Event Hubs里面。

image.png

活动目录

活动目录提供自己的审计功能,但是不支持Diagnostic Logs。创建一个账号的日志如下所示。没有提供查看完整JSON格式事件的功能。

image.png

阿里云对不同API的支持

阿里云大部分产品使用RPC API,但是也有少部分产品使用REST API,比如容器服务CS和资源编排ROS。阿里云的REST API比较特殊在于,授权这块使用STS token,而非通用的OAuth 2.0 JWT Bearer token,并且支持HTTP协议,这增加了很多复杂性。STS token缺乏刷新机制。支持HTTP协议导致需要比较复杂的加签。针对REST API,阿里云会将其映射到一个虚拟的API,保持基础设施的兼容性。目前ActionTrail支持审计容器服务和资源编排这两个使用REST API的产品。

参考文档

  1. Monitor Subscription Activity with the Azure Activity Log
  2. Supported services, schemas, and categories for Azure Diagnostic Logs
  3. Azure REST API Reference
  4. AWS CloudTrail
  5. 阿里云API介绍

你可能感兴趣的:(AWS和Azure审计功能对比)