You can use ActionTrail to audit the operations of your team members. This helps your
team members comply with the terms of use of each Alibaba Cloud service. For example,
you can use ActionTrail to find the RAM user that performed a specific misoperation
at a specific point in time. This topic describes how to use ActionTrail to query
the event logs of NAT Gateway.
Background information
As the team manager, you have used an Alibaba Cloud account to create multiple RAM
users for your team members to use, and granted the RAM users the AdministratorAccess
permission.
When RAM User A queries the event logs of NAT Gateway, RAM User A notices that an
elastic IP address (EIP) is bound to the NAT gateway of RAM User A. However, because
all the RAM users have the AdministratorAccess permission, you cannot directly determine
which RAM user bound the EIP to the NAT gateway. In this case, you can use ActionTrail
to query the details of event logs and identify the RAM user that bound the EIP to
the NAT gateway.

Note You can click an EIP to view information such as the ID of the EIP.
Procedure
- Log on to the ActionTrail console.
- In the top navigation bar, select the region where the EIP resides.
- In the left-side navigation pane, choose .
- Select Resource Name from the drop-down list.
- Enter the ID of the EIP in the search box and click the
icon.
- Click the plus sign (+) next to the event log to query detailed information.

Note The event log indicates that RAM User B bound the EIP to the NAT gateway at 16:24:56
on November 2, 2020, as shown in the preceding figure. This way, you can determine
that RAM User B bound the EIP to the NAT gateway of RAM User A.
- Optional. Query the code of the event log. For more information, see View Event.