By default, ActionTrail records the events that occurred within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query events that are older than 90 days, you must first create a trail to record them. After an enterprise creates a resource directory, the management account can create multi-account trails in the ActionTrail console. A multi-account trail can deliver the events of all member accounts in a resource directory to a specified Object Storage Service (OSS) bucket or Log Service Logstore.

The following figure shows how a multi-account trail works with a resource directory.

[Figure: multi-account trail with a resource directory]

Terms

Term Description
management account

A management account is an account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the member accounts in the resource directory. Only an Alibaba Cloud account that has passed the enterprise real-name verification can be used as a management account. Each resource directory has only one management account.

member account

A member account serves as a container for resources and is also an organizational unit in a resource directory. A member account indicates a project or an application. The resources of different member accounts are isolated. You can use a management account to authorize RAM users, user groups, or roles to access the resources of member accounts.

You can use a management account to invite a member account to join a resource directory or create a member account in a resource directory.

multi-account trail

A multi-account trail is a trail that is created in the ActionTrail console by using a management account. To create a multi-account trail, select Yes for the Apply Trail to All Member Accounts parameter when you create the trail. A multi-account trail can deliver the events of all member accounts in a resource directory to a specified OSS bucket or Log Service Logstore.

single-account trail

A single-account trail is a trail that is created in the ActionTrail console to track and record the events of the Alibaba Cloud account that is used to create the trail.

Differences between multi-account and single-account trails

Single-account trail

  • Created by: Alibaba Cloud account
  • Scope of events: Events of the current account
  • Query method:
    • ActionTrail console
    • LookupEvents operation
    • OSS console
    • Log Service console
  • Maximum number of trails allowed: Five in each region

Multi-account trail

  • Created by: Management account
  • Scope of events: Events of all member accounts
  • Query method:
    • Management account:
      • ActionTrail console
      • LookupEvents operation
    • Member account:
      • OSS console
      • Log Service console
  • Maximum number of trails allowed: One in each region

Changes of member accounts in a resource directory

When a member account in a resource directory changes, take note of the following points:

  • When the management account invites a member account to join the resource directory or creates a member account in the resource directory, the new member account can view multi-account trails in the trail list. The events of the new member account are automatically delivered to the specified OSS bucket or Log Service Logstore.
  • When a member account is removed from the resource directory, the member account cannot view multi-account trails. The events of the member account are no longer delivered to the specified OSS bucket or Log Service Logstore. However, the events that have been delivered are not automatically deleted.
  • Changes of the resource directory to which a member account belongs do not affect the delivery of events.
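
The delivery behavior described above can be checked against the delivered events. The following is an added example, not part of the ActionTrail documentation: it flags current member accounts with no delivered events, and events from removed or unknown accounts that fall outside the expected scope. The JSON field names (`userIdentity.accountId`, `eventTime`, `eventName`), the account IDs and the timestamps are constructed assumptions for illustration.

```python
import json
from datetime import datetime

# Constructed sample of delivered events, one JSON object per line.
# Field names and all values are assumptions made for this illustration.
SAMPLE = """
{"eventTime": "2024-05-01T08:00:00Z", "eventName": "CreateInstance", "userIdentity": {"accountId": "1000000000000001"}}
{"eventTime": "2024-05-01T09:30:00Z", "eventName": "PutBucketAcl", "userIdentity": {"accountId": "1000000000000003"}}
{"eventTime": "2024-05-03T02:15:00Z", "eventName": "DeleteBucket", "userIdentity": {"accountId": "1000000000000003"}}
{"eventTime": "2024-05-03T04:00:00Z", "eventName": "CreateUser", "userIdentity": {"accountId": "1000000000000009"}}
"""

MEMBERS = {"1000000000000001", "1000000000000002"}       # current members
REMOVED = {"1000000000000003": "2024-05-02T00:00:00Z"}   # account -> removal time


def parse_time(value):
    """Parse a UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_delivery(text, members, removed):
    """Return (silent, unexpected).

    silent: current member accounts with no delivered event at all.
    unexpected: (account, eventName) pairs from accounts that are not
    members, or from removed accounts dated after their removal.
    """
    seen, unexpected = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        account = event["userIdentity"]["accountId"]
        when = parse_time(event["eventTime"])
        if account in members:
            seen.add(account)
        elif account in removed and when <= parse_time(removed[account]):
            continue  # delivered before removal; retained, as documented
        else:
            unexpected.append((account, event["eventName"]))
    return sorted(members - seen), unexpected


if __name__ == "__main__":
    silent, unexpected = audit_delivery(SAMPLE, MEMBERS, REMOVED)
    print("members with no delivered events:", silent)
    print("events outside expected scope:", unexpected)
```

A member account that appears as silent may simply have had no activity in the period examined, so treat that list as a prompt to confirm delivery rather than as proof of a gap.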