ActionTrail allows you to record and query events, which are records of operations performed on Alibaba Cloud resources. Based on these events, an enterprise can troubleshoot issues and perform security analysis with ease. In addition, the events are important confidential data of the enterprise because they reflect the way in which the enterprise manages IT resources in the cloud. For security reasons, you must protect these events from data tampering and unauthorized access when you store and use them. To ensure the integrity of auditing and the security of events, you must adopt the necessary technical and administrative security measures. This topic describes security practices for these measures. You can select the practices that suit your business needs.

Complete auditing and security analysis based on trails

Expected result: Events can be retained for a longer period of time. The ActionTrail console can record only events that were generated in the last 90 days. However, MLPS 2.0 requires that an enterprise retain events that were generated in the last 180 days or even earlier.
Solution: Create a trail.
Description: ActionTrail allows you to record and query events that were generated in the last 90 days in the ActionTrail console. If you do not deliver the events to a storage service, the oldest events are cleared as time goes on. If you need to retain events for more than 90 days, you must create a trail.

You can create a trail to deliver events to Object Storage Service (OSS) for long-term storage.

You can also create a trail to deliver events to Log Service for monitoring and analysis. If you only need to archive and store events, we recommend that you create a trail to deliver events to OSS.

Expected result: Events from all regions are recorded to meet the requirements of national regulations and industry standards.
Solution: When you create a trail, set the Target Regions parameter to All Regions and the Event Type parameter to All.
Description: To obtain all events of an Alibaba Cloud account, we recommend that you set the Target Regions parameter to All Regions when you create a trail. This way, events from all regions are recorded. When new Alibaba Cloud regions become available, the trail automatically delivers events from these regions without any change to its configuration.

To meet compliance requirements, both read and write events must be retained. We recommend that you set the Event Type parameter to All when you create a trail.

Expected result:
  • Events can be retained for a longer period of time to meet the requirements of the IT department or security compliance department of an enterprise. For example, events that were generated more than 90 days ago remain available.
  • Events can be archived or downloaded. For example, events that were generated in recent years can be provided to the security compliance department.
  • Sensitive events can be analyzed, and alert rules can be configured for them.
Solution: Deliver events to OSS or Log Service.
Description: You can create a trail to deliver events to OSS or Log Service.
  • OSS: helps you retain events for a long period of time in a cost-effective way. You can download the events based on your business needs.
  • Log Service: helps you analyze event logs, create statistics dashboards, or send alert notifications for a specific type of event by email or DingTalk.

Security management of events

Expected result: Events are encrypted when they are delivered to OSS. This ensures the confidentiality of the events.
Solution: Implement server-side encryption by using KMS-managed keys (SSE-KMS).
Description: If you create a trail to deliver events to OSS, server-side encryption by using OSS-managed keys (SSE-OSS) is implemented by default.

If you need encryption keys that you manage directly, implement SSE-KMS in one of the following ways:
  • Go to the OSS console and create an OSS bucket for which server-side encryption is enabled. Then, go to the ActionTrail console and create a trail to deliver events to the bucket.
  • When you create a trail in the ActionTrail console, create an OSS bucket and enable server-side encryption for the bucket.

Expected result: Events cannot be modified or deleted when they are stored in OSS or Log Service. This ensures the integrity of the events.
Solution: Configure a retention policy for OSS objects to meet compliance requirements.
Description: If you create a trail to deliver events to OSS, you must configure a retention policy for OSS objects. For example, when you create a time-based retention policy, you can configure a protection period during which users are not allowed to modify or delete events.
Note: Events that are stored in Log Service cannot be deleted or modified. You do not need to configure a retention policy for these events.
Related topic: Retention policy

Expected result: Access permissions on events are strictly managed.
Solution: Grant access permissions on OSS or Log Service based on the principle of least privilege.
Description: Before you create a trail to deliver events to OSS or Log Service, you must grant your Alibaba Cloud account or a RAM user the permissions to access OSS or Log Service. In addition, you must grant the relevant personnel read permissions on the events.

We recommend that you grant permissions based on the principle of least privilege. This prevents service instances from being deleted or tampered with because of improper authorization, and prevents unnecessary personnel from accessing events.

Expected result: The management permissions of ActionTrail administrators are strictly managed.
Solution: Manage the permissions of ActionTrail administrators.
Description: After the AliyunActionTrailFullAccess policy is attached to a RAM user, the RAM user is granted the permissions of the ActionTrail administrator and can modify or delete a trail. Changes to a trail affect the delivery of events, and therefore the tracking and auditing of those events.

We recommend that you grant this permission only to the RAM users who need it.
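The trail settings from the first table (All Regions, Event Type All, an OSS or Log Service target) and the bucket protections from the second (SSE-KMS, a locked retention policy of at least the 180 days cited above) expressed as an added audit check; this is example code, not part of the original topic or of the ActionTrail service. Field names are assumed to mirror the ActionTrail DescribeTrails response and OSS bucket encryption and retention (WORM) settings, and the sample records are constructed.

```python
from typing import Dict, List

MIN_RETENTION_DAYS = 180  # the MLPS 2.0 baseline cited on this page


def audit_trail(trail: Dict[str, str]) -> List[str]:
    """Return findings for one trail record; an empty list means it follows the guidance."""
    findings: List[str] = []
    if trail.get("Status") != "Enable":
        findings.append("trail is disabled, so no events are being delivered")
    if trail.get("TrailRegion") != "All":
        findings.append("Target Regions is not All Regions, so events from other regions are missed")
    if trail.get("EventRW") != "All":
        findings.append("Event Type is not All, so read or write events are missing")
    if not trail.get("OssBucketName") and not trail.get("SlsProjectArn"):
        findings.append("no OSS bucket or Log Service project, so events expire after 90 days")
    return findings


def audit_bucket(bucket: Dict[str, object]) -> List[str]:
    """Check the delivery bucket for SSE-KMS and a locked, long-enough retention policy."""
    findings: List[str] = []
    if bucket.get("sse_algorithm") != "KMS":
        findings.append("bucket relies on default SSE-OSS or no encryption; enable SSE-KMS")
    state = bucket.get("worm_state")  # assumed OSS retention states: None, InProgress, Locked
    if state is None:
        findings.append("no retention policy, so stored events can be modified or deleted")
    else:
        if state != "Locked":
            findings.append("retention policy is not locked yet")
        days = int(bucket.get("worm_days") or 0)
        if days < MIN_RETENTION_DAYS:
            findings.append(f"retention period of {days} days is below {MIN_RETENTION_DAYS}")
    return findings


# Constructed sample records (not real account data).
GOOD_TRAIL = {"Name": "all-regions-audit", "Status": "Enable", "TrailRegion": "All",
              "EventRW": "All", "OssBucketName": "example-actiontrail-bucket"}
WEAK_TRAIL = {"Name": "single-region", "Status": "Enable", "TrailRegion": "cn-hangzhou",
              "EventRW": "Write", "OssBucketName": "", "SlsProjectArn": ""}
GOOD_BUCKET = {"sse_algorithm": "KMS", "worm_state": "Locked", "worm_days": 365}
WEAK_BUCKET = {"sse_algorithm": "AES256", "worm_state": None, "worm_days": 0}

if __name__ == "__main__":
    for record, check in [(GOOD_TRAIL, audit_trail), (WEAK_TRAIL, audit_trail),
                          (GOOD_BUCKET, audit_bucket), (WEAK_BUCKET, audit_bucket)]:
        print(check.__name__, check(record) or ["ok"])
```

To audit a real account, feed the records returned by the DescribeTrails API and the bucket's encryption and retention settings into the two functions instead of the constructed samples.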