ActionTrail allows you to create multiple single-account trails, one multi-account trail, and one trail for the Inner-ActionTrail feature as required.

The following table describes the differences among a single-account trail, a multi-account trail, and a trail for the Inner-ActionTrail feature.

| Item | Single-account trail | Multi-account trail | Trail for the Inner-ActionTrail feature |
| --- | --- | --- | --- |
| Scenario | An individual user can create a single-account trail to deliver events to a Log Service Logstore or an Object Storage Service (OSS) bucket.<br><br>An individual user can create multiple single-account trails to achieve the following goals:<br>• Assume different roles to audit different types of events.<br>• Manage the audit data for multiple regions in a compliant manner.<br>• Create multiple replicas for an event. | After an enterprise creates a resource directory, the master account can create a multi-account trail to deliver events of all member accounts in the resource directory to a Log Service Logstore or an OSS bucket. | An individual user can create a trail for the Inner-ActionTrail feature to deliver Alibaba Cloud-initiated events that are generated when the Alibaba Cloud O&M team maintains services for the user to a Log Service Logstore. |
| Creation method | All Alibaba Cloud accounts can create single-account trails. | After an enterprise creates a resource directory and establishes an organizational structure in the resource directory, the master account can create a multi-account trail in the ActionTrail console. | Submit a ticket or ask your sales manager to add you to the whitelist of users who can create a trail for the Inner-ActionTrail feature. |
| Supported Alibaba Cloud service | Alibaba Cloud services that support ActionTrail | Alibaba Cloud services that support ActionTrail | Key Management Service (KMS), Data Security Center (DSC), OSS, Elastic Compute Service (ECS), ApsaraDB RDS, Container Service for Kubernetes (ACK), Container Registry (ACR), and E-MapReduce (EMR) |
| Supported accounts | All Alibaba Cloud accounts | Master accounts | All Alibaba Cloud accounts |
| Types of events to be delivered | Events that are generated when an individual user uses the Alibaba Cloud Management Console, API operations, or developer tools to access and manage Alibaba Cloud services | Events that are generated when an enterprise user uses the Alibaba Cloud Management Console, API operations, or developer tools to access and manage Alibaba Cloud services | Alibaba Cloud-initiated events that are generated when the Alibaba Cloud O&M team maintains services for a user |
| Scope of events to be delivered | Events of the current account | Events of all member accounts | Alibaba Cloud-initiated events of the current account |
| Storage services for delivered events | • Log Service<br>• OSS | • Log Service<br>• OSS | Log Service |
| Event query methods | • ActionTrail console<br>• LookupEvents operation<br>• OSS console<br>• Log Service console | • Master account: ActionTrail console, LookupEvents operation<br>• Member account: OSS console, Log Service console | • ActionTrail console<br>• Log Service console |
| Maximum number of trails allowed | Five in each region | One for all regions | One for all regions |
| Event storage path in an OSS bucket | • Management events: `oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>`<br>• Insight events: `oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail-Insight/<region>/<YYYY>/<MM>/<DD>/<Log file>`<br>Note: To store insight events, you must apply for required permissions. For more information, see Overview of insight events. | `oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<rd_id>/<accountid>/<regionid>/<yyyy>/<mm>/<dd>/<Log file name>` | N/A |
| Default name of a Log Service Logstore to store events | `actiontrail_<Single-account trail name>` | `actiontrail_<Multi-account trail name>` | `innertrail_<Name of the trail for the Inner-ActionTrail feature>` |
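
The OSS storage paths listed above can be used to check that delivered audit logs are complete. The following is an added example, not part of the original documentation or of ActionTrail itself: it classifies object keys by trail type and reports days that have no management-event file. The function names, the sample keys, and the assumption that keys are given without the `oss://<bucket>/` part are this example's own.

```python
from collections import defaultdict
from datetime import date, timedelta

def parse_key(key):
    """Classify an OSS object key (without oss://<bucket>/) by the documented layouts."""
    prefix, marker, tail = key.partition("AliyunLogs/")
    parts = tail.split("/")
    if not marker:
        return None
    if parts[0] == "Actiontrail" and len(parts) == 8:
        # <rd_id>/<accountid>/<regionid>/<yyyy>/<mm>/<dd>/<file>: multi-account trail
        trail, (rd, account, region, y, m, d, name) = "multi-account", parts[1:]
    elif parts[0] in ("Actiontrail", "Actiontrail-Insight") and len(parts) == 6:
        # <region>/<YYYY>/<MM>/<DD>/<file>: single-account trail
        trail, rd, account = "single-account", None, None
        region, y, m, d, name = parts[1:]
    else:
        return None
    try:
        day = date(int(y), int(m), int(d))
    except ValueError:  # path segments are not a real calendar date
        return None
    events = "insight" if parts[0] == "Actiontrail-Insight" else "management"
    return {"trail": trail, "events": events, "prefix": prefix.rstrip("/"),
            "rd": rd, "account": account, "region": region, "day": day, "file": name}

def missing_days(keys):
    """Map (account, region) to days with no management-event file between first and last day seen."""
    seen = defaultdict(set)
    for info in filter(None, map(parse_key, keys)):
        if info["events"] == "management":
            seen[(info["account"], info["region"])].add(info["day"])
    gaps = {}
    for scope, days in seen.items():
        first, last = min(days), max(days)
        absent = [first + timedelta(n) for n in range((last - first).days)
                  if first + timedelta(n) not in days]
        if absent:
            gaps[scope] = absent
    return gaps

# Constructed sample keys (IDs and file names are placeholders, not real ActionTrail values).
SAMPLE_KEYS = [
    "audit/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/01/constructed-a.gz",
    "audit/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/03/constructed-b.gz",
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2024/03/02/constructed-c.gz",
    "org/AliyunLogs/Actiontrail/rd-EXAMPLE/1000000000000001/cn-shanghai/2024/03/01/constructed-d.gz",
    "org/AliyunLogs/Actiontrail/rd-EXAMPLE/1000000000000001/cn-shanghai/2024/03/02/constructed-e.gz",
]
```

A reported gap is a lead to investigate rather than proof of a delivery failure; this example assumes that a day without activity may simply have no log file.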