ActionTrail allows you to record and query events, which are records of operations performed on Alibaba Cloud resources. Based on these events, an enterprise can troubleshoot issues and perform security analysis with ease. The events are also important classified data of the enterprise, because they reflect the way in which the enterprise manages its IT resources in the cloud. For security reasons, you must protect these events from data tampering and illegal access when you store and use them. To ensure the integrity of auditing and the security of events, you must adopt the necessary security protection measures and security administrative measures. This topic describes security practices for these measures. You can select the practices that fit your business needs.
Complete auditing and security analysis based on trails
Expected result | Solution | Description | Related topic |
---|---|---|---|
Events can be retained for a longer period of time. The ActionTrail console can record only events that were generated in the last 90 days. However, MLPS 2.0 requires that an enterprise retain events that were generated in the last 180 days or even earlier. | Create a trail. | ActionTrail records only the events that were generated in the last 90 days in the ActionTrail console. If you do not deliver the events to a specified storage service, the oldest events are cleared as time goes on. If you need to retain events for more than 90 days, you must create a trail. You can create a trail to deliver events to Object Storage Service (OSS) for long-term storage, or to Log Service for monitoring and analysis. If you only need to archive and store events, we recommend that you create a trail to deliver events to OSS. | |
Events from all regions are recorded to meet the requirements of national regulations and industry standards. | When you create a trail, set the Target Regions parameter to All Regions and the Event Type parameter to All. | To obtain all events of an Alibaba Cloud account, we recommend that you set the Target Regions parameter to All Regions when you create a trail. This way, events from all regions are recorded, and when new Alibaba Cloud regions become available, the trail automatically delivers events from these regions without any change to its configuration. To meet compliance requirements, both read and write events must be retained, so we recommend that you set the Event Type parameter to All when you create a trail. | |
Deliver events to OSS or Log Service. | You can create a trail to deliver events to OSS or Log Service. | | |
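The two rows above amount to a short checklist for every trail: all regions, all event types, a delivery target, and a retention period of at least 180 days on that target. The following Python script is an added example, not part of the ActionTrail documentation, that evaluates a trail description against that checklist. The field names (`TrailRegion`, `EventRW`, `OssBucketName`, `SlsProjectArn`) are assumed to mirror what the DescribeTrails API returns, and the sample trails are constructed; the OSS retention period is passed in separately because it is a property of the bucket, not of the trail.

```python
# Added example (not from the ActionTrail documentation): check a trail
# configuration against the practices in the table above. Field names are
# assumed to mirror the DescribeTrails API; sample trails are constructed.

REQUIRED_RETENTION_DAYS = 180   # MLPS 2.0 baseline cited in the table
CONSOLE_RETENTION_DAYS = 90     # what the console keeps without a trail


def audit_trail(trail: dict, oss_retention_days=None) -> list:
    """Return human-readable findings; an empty list means the trail follows the practices.

    oss_retention_days is the protection period of the retention policy on the
    delivery bucket, or None if no retention policy is configured.
    """
    findings = []
    name = trail.get("Name", "<unnamed>")

    # Regions: anything other than "All" silently drops events from other regions.
    if trail.get("TrailRegion") != "All":
        findings.append(f"{name}: TrailRegion is not All, events from other regions are not recorded")

    # Event type: compliance needs both read and write events.
    if trail.get("EventRW") != "All":
        findings.append(f"{name}: EventRW is not All, read or write events are not retained")

    # Delivery target: without one, only the console's 90-day window survives.
    bucket = trail.get("OssBucketName") or ""
    sls = trail.get("SlsProjectArn") or ""
    if not bucket and not sls:
        findings.append(f"{name}: no delivery target, events older than "
                        f"{CONSOLE_RETENTION_DAYS} days are lost")

    # Retention on the OSS bucket: must exist and cover the required period.
    if bucket:
        if oss_retention_days is None:
            findings.append(f"{name}: bucket {bucket} has no retention policy, "
                            "stored events can be modified or deleted")
        elif oss_retention_days < REQUIRED_RETENTION_DAYS:
            findings.append(f"{name}: retention of {oss_retention_days} days is below "
                            f"the {REQUIRED_RETENTION_DAYS}-day requirement")
    return findings


# Constructed sample trails (not real account data).
COMPLIANT_TRAIL = {
    "Name": "audit-all-regions",
    "TrailRegion": "All",
    "EventRW": "All",
    "OssBucketName": "example-audit-bucket",
    "OssKeyPrefix": "actiontrail",
    "SlsProjectArn": "",
}
WEAK_TRAIL = {
    "Name": "hangzhou-writes-only",
    "TrailRegion": "cn-hangzhou",
    "EventRW": "Write",
    "OssBucketName": "",
    "SlsProjectArn": "",
}

if __name__ == "__main__":
    for trail, retention in ((COMPLIANT_TRAIL, 365), (WEAK_TRAIL, None)):
        print(trail["Name"], audit_trail(trail, retention) or ["ok"])
```

Run it against the output of a trail listing to get a per-trail list of deviations; a compliant trail with a 365-day retention policy returns no findings, while the constructed single-region, write-only trail without a delivery target returns three.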
Security management of events
Expected result | Solution | Description | Related topic |
---|---|---|---|
Events are encrypted when they are delivered to OSS. This ensures the security of the events. | Implement server-side encryption by using KMS-managed keys (SSE-KMS). | If you create a trail to deliver events to OSS, server-side encryption by using OSS-managed keys (SSE-OSS) is implemented by default. If you need encryption keys that you can manage directly, you can implement SSE-KMS instead. | |
The events cannot be modified or deleted when they are stored in OSS or Log Service. This ensures the reliability of the events. | Configure a retention policy for OSS objects to meet the compliance requirements. | If you create a trail to deliver events to OSS, you must configure a retention policy for OSS objects. For example, when you create a time-based retention policy, you can configure a protection period during which users are not allowed to modify or delete events. Note: Events that are stored in Log Service cannot be deleted or modified, so you do not need to configure a retention policy for these events. | Retention policy |
The access permissions on events are strictly managed. | Grant the access permissions on OSS or Log Service based on the principle of least privilege. | Before you create a trail to deliver events to OSS or Log Service, you must grant your Alibaba Cloud account or a RAM user the permissions to access OSS or Log Service. In addition, you must grant the relevant personnel read permissions on the events. We recommend that you grant permissions based on the principle of least privilege. This prevents service instances from being deleted or tampered with because of improper authorization, and prevents unnecessary personnel from accessing events. | |
The management permissions of ActionTrail administrators are strictly managed. | Manage the permissions of ActionTrail administrators. | After the AliyunActionTrailFullAccess policy is attached to a RAM user, the RAM user is granted the permissions of an ActionTrail administrator and can modify or delete a trail. Changes to a trail affect the delivery of events, and therefore the tracking and auditing of those events. We recommend that you grant this permission only to the RAM users who need it. | |
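The last two rows both come down to the shape of the RAM policies you attach: auditors should get a read-only grant scoped to the delivery bucket and trail prefix, and the ability to alter stored events or the trail itself should be confined to the few administrators who need it. The following Python script is an added example, not part of the ActionTrail documentation, that builds such a read-only policy and lints policy documents for grants that contradict the least-privilege advice. The `oss:GetObject`/`oss:ListObjects` actions and the `acs:oss:*:*:bucket/prefix/*` resource format follow RAM policy conventions; the `actiontrail:*` action names are assumed to match the ActionTrail API operations of the same name, and the over-broad sample policy is constructed.

```python
# Added example (not from the ActionTrail documentation): a least-privilege
# read-only RAM policy for event auditors, plus a linter that flags grants
# exceeding read-only access. actiontrail:* action names are assumed to match
# the ActionTrail API operations; the over-broad sample policy is constructed.
import json

# Actions reserved for trail administrators (they change what gets delivered).
TRAIL_ADMIN_ACTIONS = {"actiontrail:DeleteTrail", "actiontrail:UpdateTrail",
                       "actiontrail:StopLogging"}
# Actions that can alter or remove events already stored in the bucket.
EVENT_WRITE_ACTIONS = {"oss:DeleteObject", "oss:PutObject", "oss:DeleteBucket",
                       "oss:PutBucketLifecycle"}


def events_reader_policy(bucket: str, prefix: str) -> dict:
    """Read-only policy: list the bucket and fetch objects under the trail prefix only."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["oss:ListObjects"],
             "Resource": [f"acs:oss:*:*:{bucket}"]},
            {"Effect": "Allow", "Action": ["oss:GetObject"],
             "Resource": [f"acs:oss:*:*:{bucket}/{prefix}/*"]},
        ],
    }


def _as_list(value):
    # RAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Return findings for Allow statements that exceed read-only access to events."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action in TRAIL_ADMIN_ACTIONS:
                findings.append(f"statement {i}: trail administrator action {action}")
            elif action in EVENT_WRITE_ACTIONS:
                findings.append(f"statement {i}: {action} can alter or remove stored events")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: applies to all resources")
    return findings


# Constructed over-broad policy of the kind a least-privilege review should catch.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["oss:*", "actiontrail:DeleteTrail"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    reader = events_reader_policy("example-audit-bucket", "actiontrail")
    print(json.dumps(reader, indent=2))
    print("reader policy findings:", policy_findings(reader) or "none")
    print("over-broad policy findings:", policy_findings(OVERBROAD_POLICY))
```

Attach the generated document to the auditor RAM users or a group; running `policy_findings` over the policies already attached to users with access to the delivery bucket surfaces the wildcard, write and trail-administration grants that the table recommends removing.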