By default, ActionTrail records the events that occurred within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query events that occurred more than 90 days ago, you must first create a trail to record them. After an enterprise creates a resource directory, the management account can create one multi-account trail in the ActionTrail console. The multi-account trail can deliver the events of all member accounts in the resource directory to a specified Object Storage Service (OSS) bucket or Log Service Logstore.
The following figure shows how a multi-account trail works with a resource directory.
A management account is used to enable a resource directory and is the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the member accounts in the resource directory. Only an Alibaba Cloud account that has passed enterprise real-name verification can be used as a management account. Each resource directory has only one management account.
A member account serves as a container for resources and as an organizational unit in the resource directory. A member account represents a project or an application. The resources of different member accounts are isolated from each other. You can use a management account to authorize RAM users, user groups, or roles to access the resources of member accounts.
You can use a management account to invite an account to join the resource directory as a member account, or to create a member account in the resource directory.
| Term | Description |
| --- | --- |
| multi-account trail | A multi-account trail is a trail that is created in the ActionTrail console by using a management account. To create a multi-account trail, select Yes for the Apply Trail to All Member Accounts parameter when you create the trail. A multi-account trail can deliver the events of all member accounts in the resource directory involved to a specified OSS bucket or Log Service Logstore. |
| single-account trail | A single-account trail is a trail that is created in the ActionTrail console to track and record the events of the Alibaba Cloud account that is used to create the trail. |
Differences between multi-account and single-account trails
| Trail type | Created by | Scope of events | Event query method | Maximum number of trails allowed |
| --- | --- | --- | --- | --- |
| Single-account trail | Alibaba Cloud account | Events of the current account | | Five in each region |
| Multi-account trail | Management account | Events of all member accounts | | One for all regions |
Changes of member accounts in a resource directory
When a member account in a resource directory changes, take note of the following points:
- After the management account invites a member account to join the resource directory or creates a member account in the resource directory, the new member account can view the created multi-account trail in the trail list. The events of the new member account are automatically delivered to the OSS bucket or Log Service Logstore specified for the multi-account trail.
- After a member account is removed from the resource directory, the member account cannot view the created multi-account trail. The events of the member account are no longer delivered to the OSS bucket or Log Service Logstore specified for the multi-account trail. However, the events that have been delivered are not automatically deleted.
- Changes of the resource directory to which a member account belongs do not affect the delivery of events.
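The membership rules above suggest a routine coverage check on the central OSS bucket or Logstore. The following is an added example, not code from ActionTrail or its documentation: it compares delivered events with the current member list and flags members with no or stale delivery, plus former members whose events are still retained. The sample events, the account IDs, and the assumption that each record carries its account in `userIdentity.accountId` are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one delivered event per line (not real data).
# Assumption: the owning account is read from userIdentity.accountId.
SAMPLE_EVENTS = """\
{"eventName": "CreateInstance", "eventTime": "2024-05-10T08:00:00Z", "userIdentity": {"accountId": "1000000000000001"}}
{"eventName": "PutBucketAcl", "eventTime": "2024-05-06T11:15:00Z", "userIdentity": {"accountId": "1000000000000002"}}
{"eventName": "CreateUser", "eventTime": "2024-05-07T09:30:00Z", "userIdentity": {"accountId": "1000000000000002"}}
{"eventName": "DeleteDisk", "eventTime": "2024-04-01T17:45:00Z", "userIdentity": {"accountId": "1000000000000004"}}
"""
# Constructed list of accounts that are members of the resource directory today.
CURRENT_MEMBERS = {"1000000000000001", "1000000000000002", "1000000000000003"}
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


def audit_coverage(event_lines, current_members, now, max_silence=timedelta(days=1)):
    """Compare delivered events with current membership and classify accounts."""
    last_seen = {}
    for line in event_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        account = event["userIdentity"]["accountId"]
        seen = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        seen = seen.replace(tzinfo=timezone.utc)
        if account not in last_seen or seen > last_seen[account]:
            last_seen[account] = seen

    report = {"ok": [], "silent": [], "never_seen": [], "former_member": []}
    for account in sorted(current_members):
        if account not in last_seen:
            report["never_seen"].append(account)   # member with nothing delivered
        elif now - last_seen[account] > max_silence:
            report["silent"].append(account)       # member whose delivery went quiet
        else:
            report["ok"].append(account)
    # Events delivered before an account was removed stay in the store.
    report["former_member"] = sorted(set(last_seen) - set(current_members))
    return report


if __name__ == "__main__":
    result = audit_coverage(SAMPLE_EVENTS.splitlines(), CURRENT_MEMBERS, NOW)
    for status, accounts in result.items():
        print(f"{status}: {', '.join(accounts) or '-'}")
```

A `silent` or `never_seen` member is a prompt for review, not proof of a delivery failure, because an idle account produces no events.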