How do I find an IP address that is not in my Amazon VPC but appears in my logs?
I want to find an IP address that is not currently in my Amazon Virtual Private Cloud (Amazon VPC) but appears in my logs.
Short description
Use AWS CloudTrail to review past events, including the events that added or removed IP addresses. To view past events, use the AWS Command Line Interface (AWS CLI) to look up events from the last 90 days, or use Amazon CloudWatch Logs Insights.
Resolution
AWS CLI
**Note:** If you receive errors when you run AWS CLI commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
1. Use the AllocateAddress event to check whether an Elastic IP address was allocated to your account:
**Note:** Replace example-eip-address with your Elastic IP address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=EventName,AttributeValue=AllocateAddress \
  --start-time example-mm-dd-yyyy \
  --query 'Events[].Resources[?ResourceName == `example-eip-address`].{ResourceType:ResourceType,IP:ResourceName}[]' \
  --output table
```
**Note:** The preceding CloudTrail query does not list Amazon Elastic Compute Cloud (Amazon EC2) public IPv4 addresses.
2. Use the AssociateAddress event with an allocation ID filter to see which services used the Elastic IP address:
**Note:** Replace example-allocation-id with the allocation ID of your Elastic IP address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=example-allocation-id \
  --start-time example-mm-dd-yyyy
```
3. Use the CreateNetworkInterface event to check whether a private IP address was assigned to an elastic network interface:
**Note:** Replace example-private-ip-address with your private IP address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateNetworkInterface \
  --start-time example-mm-dd-yyyy \
  --query 'Events[].CloudTrailEvent' \
  --output text |
  jq -r 'select(.responseElements.networkInterface.privateIpAddressesSet.item[].privateIpAddress == "example-private-ip-address")'
```
4. Use the AttachNetworkInterface event to check whether a resource used the network interface in the past:
**Note:** Replace example-eni-id with your network interface ID, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=EventName,AttributeValue=AttachNetworkInterface \
  --start-time example-mm-dd-yyyy \
  --query 'Events[].CloudTrailEvent' \
  --output text |
  jq -r 'select(.requestParameters.networkInterfaceId == "example-eni-id")'
```
5. Use the RunInstances event to check whether the private IP address was associated with an instance at launch:
**Note:** Replace example-private-ip-address with your private IP address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances \
  --start-time example-mm-dd-yyyy \
  --query 'Events[].CloudTrailEvent' \
  --output text |
  jq -r 'select(.responseElements.instancesSet.items[].privateIpAddress == "example-private-ip-address") | [.responseElements.instancesSet.items[].networkInterfaceSet.items[]]'
```
6. Use the AssignPrivateIpAddresses event to check whether the private IP address was associated with a network interface:
**Note:** Replace example-private-ip-address with your private IP address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=EventName,AttributeValue=AssignPrivateIpAddresses \
  --start-time example-mm-dd-yyyy \
  --query 'Events[].CloudTrailEvent' \
  --output text |
  jq -r 'select(.responseElements.assignedPrivateIpAddressesSet.assignedPrivateIpAddressSetType[].privateIpAddress == "example-private-ip-address") | {requestParameters,responseElements}'
```
7. Use the AssignIpv6Addresses event to check whether an IPv6 address was assigned to the specified network interface:
**Note:** Replace example-IPv6-address with your IPv6 address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.
```shell
aws cloudtrail lookup-events \
  --region example-region \
  --lookup-attributes AttributeKey=EventName,AttributeValue=AssignIpv6Addresses \
  --start-time example-mm-dd-yyyy \
  --query 'Events[].CloudTrailEvent' \
  --output text |
  jq -r 'select(.responseElements.AssignIpv6AddressesResponse.assignedIpv6Addresses.item == "example-IPv6-address") | [.responseElements.AssignIpv6AddressesResponse]'
```
CloudWatch Logs Insights
**Note:** To send log events to CloudWatch Logs, configure your trail. For more information, see Monitoring CloudTrail log files with Amazon CloudWatch Logs.
Check whether an IPv4 address was allocated to your account
Complete the following steps:
1. Review past Elastic IP address allocations and the services that used the public IP address:
**Note:** Replace example-public-ip-addresses with your public IP address and example-allocation-id with your allocation ID.
```
fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action,
    requestParameters.allocationId as AssociateAddress_AllocationID,
    requestParameters.instanceId as InstanceID, requestParameters.privateIpAddress as PrivateIP,
    responseElements.allocationId as AllocateAddress_AllocationID, responseElements.publicIp as EIP
# AssociateAddress does not indicate resources outside EC2 instances.
| filter (eventName = "AllocateAddress" or eventName = "AssociateAddress")
    and (EIP = "example-public-ip-addresses" or AssociateAddress_AllocationID = "example-allocation-id")
| sort @timestamp desc
```
2. Use the following events to find previous private IP address assignments:
**Note:** Replace example-private-ip-addresses with your IP address.
CreateNetworkInterface event:
```
parse @message '"privateIpAddressesSet":{"item":[{"privateIpAddress":"*"' as PrivateIP
| fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action, responseElements.networkInterface.networkInterfaceId as ENI
| filter eventName = "CreateNetworkInterface" and (PrivateIP = "example-private-ip-addresses")
| sort @timestamp desc
```
RunInstances event:
```
parse @message '{"privateIpAddress":"*"' as PrivateIP
| fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action
| filter eventName = "RunInstances" and (PrivateIP = "example-private-ip-addresses")
| sort @timestamp desc
```
AssignPrivateIpAddresses event:
```
parse @message '"assignedPrivateIpAddressSetType":[{*}]' as PrivateIpAddress
| fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action
| filter eventName = "AssignPrivateIpAddresses" and (PrivateIpAddress like "example-private-ip-addresses")
| sort @timestamp desc
```
3. Review the resources that used the network interface:
**Note:** Replace example-eni-id with your network interface ID.
```
fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action,
    requestParameters.instanceId as InstanceID, requestParameters.networkInterfaceId as ENI
| filter eventName = "AttachNetworkInterface" and (ENI = "example-eni-id")
| sort @timestamp desc
```
Check whether an IPv6 address was allocated to your account
Complete the following steps:
1. Use the following events to find previous IPv6 address assignments:
**Note:** Replace example-ipv6-addresses with your IPv6 address.
AssignIpv6Addresses event:
```
fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action,
    responseElements.AssignIpv6AddressesResponse.assignedIpv6Addresses.item as IPv6
| filter eventName = "AssignIpv6Addresses" and (IPv6 = "example-ipv6-addresses")
| sort @timestamp desc
```
RunInstances event:
```
parse @message '"ipv6AddressesSet":{"items":[{"ipv6Address":"*"' as IPv6
| fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action, responseElements.instancesSet.items.0.instanceId as InstanceID
| filter eventName = "RunInstances" and (IPv6 = "example-ipv6-addresses")
| sort @timestamp desc
```
CreateNetworkInterface event:
```
parse @message '"ipv6AddressesSet":{"items":[{"ipv6Address":"*"' as IPv6
| fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action, responseElements.networkInterface.networkInterfaceId as ENI
| filter eventName = "CreateNetworkInterface" and (IPv6 = "example-ipv6-addresses")
| sort @timestamp desc
```
2. Review the resources that used the network interface:
**Note:** Replace example-eni-id with your network interface ID.
```
fields eventTime as Time, userIdentity.accountId as AccountID, userIdentity.principalId as Principal,
    awsRegion as Region, eventName as Action,
    requestParameters.instanceId as InstanceID, requestParameters.networkInterfaceId as ENI
| filter eventName = "AttachNetworkInterface" and (ENI = "example-eni-id")
| sort @timestamp desc
```
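The AWS CLI steps above each pipe one event type through a jq `select(...)`, and the Logs Insights queries each `parse` one event shape; both compare the address as a plain string. The following added example (not AWS's own code) does the same search offline in one pass over a list of CloudTrail records, whatever their shape, and normalizes addresses so that an IPv6 address written as `2001:db8:0:0:0:0:0:1` still matches a search for `2001:db8::1`. It accepts the `CloudTrailEvent` JSON strings that `aws cloudtrail lookup-events --output json` returns, or the `Records` array of a CloudTrail log file; the sample records, principal, ENI and instance identifiers are constructed placeholders, and the `find_ip`, `walk` and `load_lookup_events_output` names are this example's own.

```python
"""Offline search of CloudTrail records for an IP address.

Added example (not AWS's own code): it reproduces, in one pass, the jq
`select(...)` filters and the Logs Insights `parse`/`filter` queries from this
article. Input is a list of CloudTrail records: the `CloudTrailEvent` JSON
strings returned by `aws cloudtrail lookup-events`, or the `Records` array of
a CloudTrail log file. The sample records below are constructed.
"""
import ipaddress
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Identifiers worth carrying into the next lookup (AttachNetworkInterface,
# AssociateAddress, ...) when they appear in the same record as the address.
FOLLOW_UP_KEYS = ("networkInterfaceId", "instanceId", "allocationId", "associationId")


def normalize_ip(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if not an address.
    This makes "2001:db8:0:0:0:0:0:1" and "2001:db8::1" compare equal, which a
    plain string comparison (jq ==, Logs Insights =) does not."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, leaf_value) for every leaf of a nested JSON value, so
    the search does not depend on the per-event shape (item vs items, ...)."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node


def find_ip(records: List[Dict], ip: str) -> List[Dict]:
    """Return one hit per record in which `ip` appears anywhere, with the JSON
    paths where it was found and the resource identifiers in that record."""
    wanted = normalize_ip(ip)
    if wanted is None:
        raise ValueError(f"not an IP address: {ip!r}")
    hits = []
    for record in records:
        leaves = list(walk(record))
        paths = [p for p, v in leaves if isinstance(v, str) and normalize_ip(v) == wanted]
        if not paths:
            continue
        related = sorted({f"{k}={v}" for p, v in leaves
                          for k in FOLLOW_UP_KEYS if p.endswith("." + k)})
        hits.append({
            "eventTime": record.get("eventTime"),
            "eventName": record.get("eventName"),
            "principal": record.get("userIdentity", {}).get("principalId"),
            "paths": paths,
            "related": related,
        })
    return hits


def load_lookup_events_output(text: str) -> List[Dict]:
    """Parse `aws cloudtrail lookup-events --output json`: each
    Events[].CloudTrailEvent is itself a JSON string."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(text)["Events"]]


# Constructed sample records; the identifiers are placeholders, not real resources.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "CreateNetworkInterface",
     "userIdentity": {"principalId": "AIDAEXAMPLE"},
     "responseElements": {"networkInterface": {
         "networkInterfaceId": "eni-0example",
         "privateIpAddressesSet": {"item": [{"privateIpAddress": "10.0.1.25"}]}}}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventName": "AttachNetworkInterface",
     "userIdentity": {"principalId": "AIDAEXAMPLE"},
     "requestParameters": {"networkInterfaceId": "eni-0example", "instanceId": "i-0example"}},
    {"eventTime": "2024-01-11T12:00:00Z", "eventName": "AssignIpv6Addresses",
     "userIdentity": {"principalId": "AIDAEXAMPLE"},
     "responseElements": {"AssignIpv6AddressesResponse": {
         "assignedIpv6Addresses": {"item": "2001:db8:0:0:0:0:0:1"}}}},
]

if __name__ == "__main__":
    for wanted in ("10.0.1.25", "2001:db8::1"):
        for hit in find_ip(SAMPLE_RECORDS, wanted):
            print(json.dumps(hit))
```

The `related` field of each hit is what feeds the next step of the procedure: a hit on CreateNetworkInterface carries the ENI ID to search in AttachNetworkInterface, and a hit on AllocateAddress carries the allocation ID to search in AssociateAddress.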
3. (Optional) Run the following command to check whether the BGP prefix and ASN of the public IP address belong to AWS.
**Note:** Replace example-public-ip-address with your public IP address. Run the following command on a Linux machine.
```shell
$ whois -h whois.cymru.com " -v example-public-ip-address"
```
If it is an AWS IP address and you see malicious activity, contact the AWS Trust & Safety team.
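The whois lookup above asks a third-party route server which ASN announces the prefix. An offline way to answer the narrower question "is this one of AWS's published addresses?" is to check the address against the JSON document AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, which lists every AWS prefix with its region and service. The following added example (not AWS's own tooling) does that check; `SAMPLE_IP_RANGES` is a constructed, truncated stand-in for that file built from documentation prefixes, not real AWS ranges, and `load_ranges` and `aws_range_for` are this example's own names.

```python
"""Check whether a public IP address sits inside AWS's published ranges.

Added example, not AWS's own tooling, and an offline alternative to the whois
BGP/ASN lookup in step 3. It reads the JSON document AWS publishes at
https://ip-ranges.amazonaws.com/ip-ranges.json (arrays `prefixes` with
`ip_prefix` and `ipv6_prefixes` with `ipv6_prefix`, each entry carrying
`region` and `service`). SAMPLE_IP_RANGES is a constructed, truncated stand-in
for that file using documentation prefixes, not real AWS ranges.
"""
import ipaddress
import json
from typing import Dict, List, Optional

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "example-region",
         "service": "AMAZON", "network_border_group": "example-region"},
        {"ip_prefix": "192.0.2.0/26", "region": "example-region",
         "service": "EC2", "network_border_group": "example-region"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "example-region",
         "service": "EC2", "network_border_group": "example-region"},
    ],
})


def load_ranges(text: str) -> List[Dict]:
    """Flatten both prefix arrays into [{network, region, service}]."""
    doc = json.loads(text)
    ranges = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            ranges.append({"network": ipaddress.ip_network(entry[field]),
                           "region": entry["region"], "service": entry["service"]})
    return ranges


def aws_range_for(ip: str, ranges: List[Dict]) -> Optional[Dict]:
    """Most specific AWS prefix containing `ip`, or None if it is not an AWS
    address. The same address usually appears under a broad AMAZON prefix and
    a narrower per-service one; the narrower one names the service."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in ranges
               if r["network"].version == addr.version and addr in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["network"].prefixlen)
    return {"prefix": str(best["network"]), "region": best["region"], "service": best["service"]}


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_IP_RANGES)  # for real use, read the downloaded ip-ranges.json here
    for candidate in ("192.0.2.10", "192.0.2.200", "198.51.100.7", "2001:db8:1::5"):
        print(candidate, aws_range_for(candidate, ranges))
```

A "not AWS" result from the published ranges is the stronger signal for the question in this article: an address that is in your logs, is not in your VPC, and is not an AWS address at all was never a resource of yours, so the CloudTrail searches above will not explain it and the traffic should be assessed as external.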
Related information
Analyzing log data with CloudWatch Logs Insights
How do I find the resource that currently has an unknown IP address in my Amazon VPC?
