ActionTrail records the operations performed on Alibaba Cloud resources as events for you to query. You can troubleshoot issues and perform security analysis for your enterprise based on these events. In addition, the events are important classified data of your enterprise because they reflect the way in which your enterprise manages IT resources in the cloud. For security reasons, you must protect these events from data tampering and unauthorized access when you store and use them. To ensure the integrity of auditing and the security of events, you must adopt the necessary security protection measures and regulations. This topic describes some best practices for these security protection measures and regulations, which you can refer to based on your business needs.

Complete auditing and security analysis based on trails

Expected result: Events can be retained for a longer period of time. The ActionTrail console can record only events that were generated in the last 90 days. However, Multi-Level Protection Scheme (MLPS) 2.0 requires that an enterprise retain events that were generated in the last 180 days or even earlier.
Solution: Create a trail.
Description: ActionTrail records the events that were generated in the last 90 days in the ActionTrail console. If you do not deliver the events to a specified storage service, the earliest events are deleted first as time passes. If you need to retain events for more than 90 days, you must create a trail.

You can create a trail to deliver events to Object Storage Service (OSS) for long-term storage.

You can also create a trail to deliver events to Log Service for monitoring and analysis. If you need only to archive and store events, we recommend that you create a trail to deliver events to OSS.

Expected result: Events from all regions are recorded to meet the requirements of national regulations and industry standards.
Solution: When you create a trail, set the Applied Regions parameter to All Regions and the Event Type parameter to All.
Description: To obtain all events of an Alibaba Cloud account, we recommend that you set the Applied Regions parameter to All Regions when you create a trail. This way, events from all regions are recorded. When new Alibaba Cloud regions become available, the trail automatically delivers events from these regions, and you do not have to modify its configuration.

To meet compliance requirements, both read and write events must be retained. When you create a trail, we recommend that you set the Event Type parameter to All.

Expected result:
  • Events can be retained for a longer period of time to meet the requirements of the IT department or security compliance department of an enterprise. For example, events that were generated more than 90 days ago can be recorded.
  • Events can be archived or downloaded. For example, events that were generated in recent years can be provided to the security compliance department.
  • Sensitive events can be analyzed, and alert rules can be configured for these events.
Solution: Deliver events to OSS or Log Service.
Description: You can create a trail to deliver events to OSS or Log Service.
  • OSS: helps you retain events for a long period of time in a cost-effective way. You can download the events for use based on your business needs.
  • Log Service: helps you analyze events, create statistics dashboards, or send alert notifications for a specific type of event by email or DingTalk.

Security protection regulations for events

Expected result: Events are encrypted when they are delivered to OSS. This ensures the security of the events.
Solution: Implement server-side encryption by using KMS-managed keys (SSE-KMS).
Description: If you create a trail to deliver events to OSS, server-side encryption by using OSS-managed keys (SSE-OSS) is implemented by default.

If you need to use encryption keys that you manage directly, you can implement SSE-KMS in either of the following ways:

  • Go to the OSS console and create an OSS bucket for which server-side encryption is enabled. Then, go to the ActionTrail console and create a trail to deliver events to the bucket.
  • When you create a trail in the ActionTrail console, create an OSS bucket and enable server-side encryption for the bucket.

Expected result: The events cannot be modified or deleted when they are stored in OSS or Log Service. This ensures the reliability of the events.
Solution: Configure a retention policy for OSS objects to meet the compliance requirements.
Description: If you create a trail to deliver events to OSS, you must configure a retention policy for OSS objects. For example, when you create a time-based retention policy, you can configure a protection period during which users are not allowed to modify or delete events.
Note: Events that are stored in Log Service cannot be deleted or modified. You do not need to configure a retention policy for these events.
Related topic: Retention policy

Expected result: The access permissions on events are strictly managed.
Solution: Grant the access permissions on OSS or Log Service based on the principle of least privilege.
Description: Before you create a trail to deliver events to OSS or Log Service, you must grant your Alibaba Cloud account or a RAM user the permissions to access OSS or Log Service. In addition, you must grant relevant staff the read permissions on the events.

We recommend that you grant permissions based on the principle of least privilege. This prevents service instances from being deleted or tampered with because of improper authorization, and prevents unnecessary staff from accessing events.
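As an added example (not code from the ActionTrail documentation), the following Python places a least-privilege read-only RAM policy for the bucket that receives the trail beside an over-broad one, and flags any Allow statement that permits modifying or deleting delivered events or that is not scoped to that bucket. The bucket name, the set of write actions and the check itself are assumptions; the policy documents follow the RAM Version 1 structure.

```python
import fnmatch

# Placeholder name for the bucket that receives the trail (constructed).
AUDIT_BUCKET = "example-actiontrail-bucket"

# Constructed least-privilege policy: staff may list and read delivered
# events in the audit bucket and nothing else.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects", "oss:GetBucketInfo"],
        "Resource": [f"acs:oss:*:*:{AUDIT_BUCKET}", f"acs:oss:*:*:{AUDIT_BUCKET}/*"],
    }],
}

# Constructed over-broad policy: every OSS action on every bucket, which also
# lets the holder overwrite or delete the delivered events.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

# OSS actions that can alter or remove delivered events (assumed set).
WRITE_ACTIONS = {"oss:PutObject", "oss:DeleteObject", "oss:DeleteMultipleObjects",
                 "oss:DeleteBucket", "oss:PutBucketLifecycle"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy_findings(policy, bucket=AUDIT_BUCKET):
    """Return findings explaining why a policy grants more than read-only access
    to the audit bucket; an empty list means it passes. Only Allow statements are examined."""
    allowed_resources = {f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # The action may be a wildcard such as "oss:*"; expand it against
            # the write set instead of comparing strings literally.
            hits = sorted(w for w in WRITE_ACTIONS if fnmatch.fnmatchcase(w, action))
            if hits:
                findings.append(f"action {action!r} permits {', '.join(hits)}")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed_resources:
                findings.append(f"resource {res!r} is not limited to bucket {bucket!r}")
    return findings
```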

Expected result: The management permissions of ActionTrail administrators are strictly managed.
Solution: Manage the permissions of ActionTrail administrators.
Description: After the AliyunActionTrailFullAccess policy is attached to a RAM user, the RAM user is granted the permissions of an ActionTrail administrator and can modify or delete a trail. Changes to a trail affect the delivery of events, and therefore the tracking and auditing of those events.

We recommend that you attach this policy only to RAM users who need it.
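As an added example (not code from the ActionTrail documentation), the following Python reads one delivered log file and raises an alert for every ActionTrail operation that changes whether or where a trail delivers, the kind of sensitive event the rows above say should be alerted on. It assumes the delivered object is a gzip-compressed JSON array of event records; the sample events, account id, user names and IP addresses are constructed.

```python
import gzip
import io
import json

# Constructed ActionTrail event records in the shape of a delivered log file
# (a JSON array of events); account id, user names and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventVersion": "1", "eventType": "ApiCall", "eventTime": "2024-01-10T02:15:00Z",
     "serviceName": "ActionTrail", "eventName": "LookupEvents", "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "userName": "auditor", "accountId": "000000000000"},
     "sourceIpAddress": "203.0.113.10"},
    {"eventVersion": "1", "eventType": "ConsoleOperation", "eventTime": "2024-01-10T02:17:30Z",
     "serviceName": "ActionTrail", "eventName": "StopLogging", "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "userName": "ops-admin", "accountId": "000000000000"},
     "sourceIpAddress": "203.0.113.11"},
    {"eventVersion": "1", "eventType": "ApiCall", "eventTime": "2024-01-10T02:18:05Z",
     "serviceName": "ActionTrail", "eventName": "DeleteTrail", "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "userName": "ops-admin", "accountId": "000000000000"},
     "sourceIpAddress": "203.0.113.11", "errorCode": "Forbidden.RAM"},
]

# ActionTrail operations that change whether, what or where a trail delivers.
TRAIL_CONTROL_OPS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}

def make_sample_file():
    """Constructed gzip payload standing in for one object read from the OSS bucket."""
    return gzip.compress(json.dumps(SAMPLE_EVENTS).encode("utf-8"))

def load_delivered_file(gz_bytes):
    """Decode a delivered log file (assumed gzip-compressed JSON array) into records."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)

def find_trail_control_events(events):
    """Return one alert per ActionTrail operation that alters trail delivery.
    Failed attempts (errorCode present) are reported too: they show who tried."""
    alerts = []
    for ev in events:
        if ev.get("serviceName") != "ActionTrail" or ev.get("eventName") not in TRAIL_CONTROL_OPS:
            continue
        who = ev.get("userIdentity", {})
        alerts.append({
            "time": ev.get("eventTime"),
            "operation": ev["eventName"],
            "actor": f"{who.get('type')}:{who.get('userName')}",
            "source_ip": ev.get("sourceIpAddress"),
            "succeeded": "errorCode" not in ev,
        })
    return alerts
```

In a deployment the same check would run over each object the trail delivers to the bucket, or as a Log Service alert rule on the equivalent query.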