Create a multi-account trail


A multi-account trail delivers events from all members in a resource directory to a specified Simple Log Service (SLS) Logstore, Object Storage Service (OSS) bucket, or MaxCompute project.

Prerequisites

A resource directory is enabled. For more information, see Enable a resource directory.

Background information

Procedure

  1. Log on to the ActionTrail console by using a delegated administrator account or the management account.

    For more information about how to configure a delegated administrator account, see Manage a delegated administrator account.

  2. In the left navigation bar, click Trail.

  3. In the top navigation bar, select the region where you want to create the multi-account trail.

    Note

    This region becomes the home region of the multi-account trail.

  4. On the Trails page, click Create Trail. The Quick Create Trail page appears by default. For advanced settings, click Create Trail at the top of the page.

  5. On the Quick Create Trail or Create Trail page, configure the trail parameters.

    • Basic Information

      Parameter

      Description

      Trail Name

      The name of the trail. The name is also used to name the SLS Logstore.

      Note

      The trail name must be unique.

      Trail Event Type

      The events that the trail delivers. Valid values:

      • Management Event: Selected by default. Choose an event type:

        • All Events: All read and write events. For complete auditing, select All Events.

        • Write event: Events that create, delete, or modify cloud resources, such as CreateInstance. Select Write event to focus on resource-changing events for custom analysis.

        • Read: Events that read resource information without modifying configurations, such as DescribeInstances. Read events generate high data volume. For complete auditing, deliver read events to trace AccessKey and resource access.

      • Insights events: When selected, the management event type is set to All. ActionTrail analyzes management events to identify risky API calls, API errors, abnormal IP requests, AccessKey usage, permission changes, password changes, and evasive actions. For more information, see Overview of Insights events.

      • Data events: The read and write events for data in cloud products. You can select one of the following options:

        • Disable data events: Data events are not recorded.

        • All resources: All data events are recorded.

        • Specified resources: Only data events for specified resources are recorded.

      Note

      Trails created in the console deliver events from all regions by default. To limit to specific regions, call the CreateTrail API operation and set the TrailRegion parameter.

      Apply Trail to All Members

      The scope of the trail. Valid values:

      • Yes: Creates a multi-account trail that collects events from the management account and all members and delivers them to a unified destination. We recommend this option so that no events are missed.

      • No: Creates a single-account trail that delivers only events from the current account.

      Note
      • This option is irreversible. To change the Apply Trail to All Members setting, delete the trail and create a new one.

      • After creation, Multi-account Trail appears in the Trail Type column on the Trails page.

    • Event delivery

      You can deliver events to SLS, OSS, or MaxCompute, or to all three. For a comparison of the storage options, see Deliver events to specified Alibaba Cloud services.

      Note

      A multi-account trail delivers only new events that are generated after the trail is created. To deliver historical events from the last 90 days, create a data backfill task. For more information, see Create a data backfill task.

      • Select Delivery to Log Service

        • Select Delivery to Current Account and configure the following parameters.

          Parameter

          Description

          Project

          Select a destination SLS Project.

          • New Log Service Project

          • Existing Log Service Project

          Logstore Region

          The region where the Project is located.

          Project Name

          The name of the Project in SLS.

          Note

          Project names must be globally unique across all Alibaba Cloud accounts.

          Note

          After the events are delivered, ActionTrail automatically creates a Logstore named actiontrail_<trail_name>. This Logstore is automatically configured with the optimal settings for auditing, including indexes and dashboards for queries. To ensure data integrity, write permissions are disabled for users. You do not need to create a Logstore in advance.

        • Select Delivery to Another Account, and configure the Log Service Project ARN and RAM Role ARN of Destination Account.

          To deliver events to another account, create a RAM role in the destination account, grant ActionTrail the required permissions, and create a Project in advance. For more information, see Deliver events from multiple members in a resource directory to a single account.

      • Select Delivery to OSS

        • Select Delivery to Current Account and configure the following parameters.

          Parameter

          Description

          OSS bucket

          Select a destination OSS bucket.

          • Create a new bucket

          • Select an existing bucket

          Bucket name

          The OSS bucket name. Must be unique within the account.

          • When you select Create a new bucket, enter a bucket name.

          • When you select Select an existing bucket, choose a bucket from OSS.

            For more information about how to create a bucket in OSS, see Create buckets.

          Log File Prefix

          The prefix for the names of event log files. A prefix helps you organize and locate events in the bucket.

          Server Encryption

          Whether to encrypt log files in the bucket. Required when you select Create New Bucket. Valid values:

          • Fully Managed by OSS: Encrypts data with OSS-managed keys. Each object gets a unique key, protected by a regularly rotated master key.

          • KMS: Encrypts data with Key Management Service (KMS). You must activate KMS first. For more information, see Purchase and enable a KMS instance.

          • Disable: Server-side encryption is not enabled.

          For more information about OSS server-side encryption, see Server-side encryption.

          Enable Retention Policy

          A retention policy stores data in a format that cannot be deleted or modified for a specified period.

          Valid values:

          • Disable (Default)

          • Enable

        • Select Delivery to Another Account, and set RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix.

          To deliver events to another account, create a RAM role in the destination account, grant ActionTrail the required permissions, and create an OSS bucket in advance. For more information, see Deliver events from multiple members in a resource directory to a single account.

      • Select Deliver Events to MaxCompute

        • Select Delivery to Current Account and configure the following parameters.

          Parameter

          Description

          MaxCompute Region

          The region where the destination MaxCompute project is located.

          Note

          ActionTrail delivers audit logs to a project named actiontrail_<Alibaba_Cloud_Account_ID> in the specified MaxCompute region. If a project with this name already exists under your account, ActionTrail delivers logs to the existing project.

          Project Quota

          The quota for MaxCompute.

          Note

          When you create a trail to deliver events to MaxCompute for the first time, you must select a quota. If no quotas are available in the current region, select a different MaxCompute region.

        • Select Delivery to Another Account, and configure the Project ARN and RAM Role ARN of MaxCompute.

          To deliver events to another account, create a RAM role in the destination account, grant ActionTrail the required permissions, and create a MaxCompute project in advance. For more information, see Deliver events from multiple Alibaba Cloud accounts to a single account.

  6. Click Confirm.

Results

After the trail is created, events are saved in JSON format to the specified SLS Logstore, OSS bucket, or MaxCompute table. You can view the events in each service as follows:

Note

The management account can view member events only in OSS, SLS, or MaxCompute. It cannot query member events on the Event Detail Query page or by calling the LookupEvents API operation.

  • Simple Log Service (SLS): ActionTrail automatically creates a Logstore named actiontrail_<trail_name>. On the Trails page, you can hover the pointer over the entry in the Storage Service column for the trail and click the SLS Logstore name.

  • OSS: Global events are delivered with home region events. Non-global events are stored in region-specific directories. Use EMR or a third-party log analysis service to analyze events.

    You can also go to the Trails page, hover the pointer over the entry in the Storage Service column, click the OSS bucket name, and then choose Files > Objects. For more information about the OSS storage path, see What is the storage path of an event that is delivered to an OSS bucket?.

  • MaxCompute: ActionTrail creates a table named actiontrail_<trail_name>. On the Trails page, hover the pointer over the entry in the Storage Service column for the trail and click the MaxCompute project name. You can query the actiontrail_<trail_name> table by connecting to the project with DataWorks.
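The read-versus-write distinction described under Trail Event Type and the JSON output described in this Results section can be checked together once events land in the delivery target. The following script is an added example, not code from the ActionTrail documentation or from Alibaba Cloud: it parses a constructed batch of newline-delimited JSON events, classifies each as Read or Write (using the eventRW field, or an assumed API-name-prefix heuristic when that field is absent), and reports which expected members produced no events at all, which is the check a trail owner wants after enabling Apply Trail to All Members. The field names eventName, eventRW, acsRegion and userIdentity.accountId are assumed to match the delivered format; the account IDs and events are constructed sample data.

```python
"""Check a batch of delivered ActionTrail events for read/write mix and member coverage.

Added example, not part of the ActionTrail documentation. It assumes delivered events carry
the fields eventName, eventRW, acsRegion and userIdentity.accountId, and that a delivered
file is read as newline-delimited JSON. The sample events and account IDs are constructed.
"""
import json
from collections import defaultdict

# Assumption: API operations with these name prefixes only read resource information,
# so they are treated as Read events when the eventRW field is missing.
READ_PREFIXES = ("Describe", "List", "Get", "Query")

# Constructed sample batch: three members of a resource directory, one event per line,
# plus one deliberately corrupt line to show that parse failures are reported, not dropped silently.
SAMPLE_LINES = [
    '{"eventName": "CreateInstance", "eventRW": "Write", "acsRegion": "cn-hangzhou", "userIdentity": {"type": "ram-user", "accountId": "100000000000001"}}',
    '{"eventName": "DescribeInstances", "eventRW": "Read", "acsRegion": "cn-hangzhou", "userIdentity": {"type": "ram-user", "accountId": "100000000000001"}}',
    '{"eventName": "DeleteBucket", "eventRW": "Write", "acsRegion": "cn-shanghai", "userIdentity": {"type": "root-account", "accountId": "100000000000002"}}',
    '{"eventName": "ListBuckets", "acsRegion": "cn-shanghai", "userIdentity": {"type": "ram-user", "accountId": "100000000000002"}}',
    '{"eventName": "AttachPolicyToUser", "acsRegion": "cn-hangzhou", "userIdentity": {"type": "ram-user", "accountId": "100000000000003"}}',
    "this line is not JSON",
]
SAMPLE_NDJSON = "\n".join(SAMPLE_LINES) + "\n"

# Constructed list of the members the multi-account trail is expected to cover.
EXPECTED_MEMBERS = ["100000000000001", "100000000000002", "100000000000003", "100000000000004"]


def parse_events(ndjson_text):
    """Parse newline-delimited JSON. Returns (events, bad_line_numbers) so that corrupt
    lines are visible to the operator instead of silently shrinking the audit record."""
    events, bad = [], []
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(lineno)
            continue
        if not isinstance(obj, dict):
            bad.append(lineno)
            continue
        events.append(obj)
    return events, bad


def classify_rw(event):
    """Return 'Read' or 'Write' for one event. Prefers the eventRW field; otherwise falls
    back to the name-prefix heuristic above, and treats anything unrecognised as Write
    so that a resource-changing call is never misfiled as harmless."""
    rw = event.get("eventRW")
    if rw in ("Read", "Write"):
        return rw
    name = event.get("eventName", "")
    return "Read" if name.startswith(READ_PREFIXES) else "Write"


def account_of(event):
    """Account ID of the caller, or None when the identity block is absent."""
    return (event.get("userIdentity") or {}).get("accountId")


def write_events(events):
    """The resource-changing subset, the events the page suggests focusing on."""
    return [ev for ev in events if classify_rw(ev) == "Write"]


def coverage_report(events, expected_accounts):
    """Per-account Read/Write counts plus the expected members that produced no events
    (a sign the trail is not collecting from them) and any callers outside the expected set."""
    counts = defaultdict(lambda: {"Read": 0, "Write": 0})
    for ev in events:
        acct = account_of(ev) or "<unknown>"
        counts[acct][classify_rw(ev)] += 1
    seen = set(counts)
    expected = set(expected_accounts)
    return {
        "counts": dict(counts),
        "missing": sorted(expected - seen),
        "unexpected": sorted(seen - expected),
    }


if __name__ == "__main__":
    evs, bad_lines = parse_events(SAMPLE_NDJSON)
    report = coverage_report(evs, EXPECTED_MEMBERS)
    print(f"parsed {len(evs)} events, {len(bad_lines)} corrupt line(s) at {bad_lines}")
    for acct, rw in sorted(report["counts"].items()):
        print(f"{acct}: {rw['Write']} write, {rw['Read']} read")
    print("members with no events:", report["missing"] or "none")
    print("callers outside expected set:", report["unexpected"] or "none")
```

A member that appears in the missing list is worth investigating before assuming it is simply quiet: the trail may have been created as a single-account trail (the Apply Trail to All Members setting cannot be changed afterwards), or the member may have joined the resource directory after the events in this batch were generated. Point the script at a real delivered file by replacing SAMPLE_NDJSON with the file contents and EXPECTED_MEMBERS with the member list from the resource directory.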

Related topics