For accounts in the same resource directory, you can use the cross-account event delivery feature of ActionTrail to deliver the events of multiple member accounts to the Log Service Logstore or Object Storage Service (OSS) bucket specified by one account. This helps you archive and monitor auditing data in a centralized manner.

Background information

Before you use the cross-account event delivery feature of ActionTrail, you must understand the concepts of destination account and source account that are described in the following table.

Account: Destination account
  Description: The account to which the events from source accounts are delivered.
  Operation:
    • Create a Log Service Logstore or an OSS bucket for storing events.
    • Create a RAM role for which ActionTrail is selected as the trusted service. The ActionTrail service within source accounts must assume this role to write events to the destination account.
Account: Source account
  Description: The account that needs to write events to the destination account.
  Operation: Use the management account of the member accounts to create a trail to deliver events to the Log Service Logstore or OSS bucket specified by the destination account.

The accounts in a resource directory are mutually trusted. If the destination and source accounts are in the same resource directory, only a few configuration steps are required for cross-account event delivery. The procedure for configuring cross-account event delivery varies with the destination account.
  • If the destination account is the management account, create a multi-account trail to deliver the events of all member accounts in the resource directory to the Log Service Logstore or OSS bucket specified by the management account. For more information, see Create a multi-account trail.
  • If the destination account is a member account, perform the steps described in this topic to configure cross-account event delivery.

Procedure

  1. Create a RAM role by using the destination account and grant ActionTrail the permissions to deliver events to the destination account.
    1. Log on to the RAM console by using the destination account.
    2. Create a RAM role for which ActionTrail is selected as the trusted service.
      1. In the left-side navigation pane, click RAM Roles.
      2. On the RAM Roles page, click Create RAM Role.
      3. In the Create RAM Role panel, select Alibaba Cloud Service for the Trusted entity type parameter and click Next.
      4. Select Normal Service Role for the Role Type parameter.
      5. Enter ActionTrailDeliveryRole in the RAM Role Name field.
      6. Select ActionTrail from the Select Trusted Service drop-down list.
      7. Click OK.
    3. Attach the system policy AliyunActionTrailDeliveryPolicy to the RAM role for precise authorization.
      1. Click Input and Attach.
      2. Select System Policy for the Type parameter and enter AliyunActionTrailDeliveryPolicy in the Policy Name field.
      3. Click OK and then click Close.

      You can view the details of the AliyunActionTrailDeliveryPolicy policy attached to the ActionTrailDeliveryRole role on the RAM Roles page. For more information about the policy, see Manage the permission policy for event delivery.

    4. In the trust policy of the RAM role, change the value of the Service field to a value in the format <management account ID>@actiontrail.aliyuncs.com.
      For example, if the Alibaba Cloud account ID of the management account is 159498693826****, change the value of the Service field from actiontrail.aliyuncs.com to 159498693826****@actiontrail.aliyuncs.com. This way, ActionTrail can assume the RAM role on behalf of the management account 159498693826****.
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "159498693826****@actiontrail.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }

      For more information, see Edit the trust policy of a RAM role.

  2. Use the destination account to create a Log Service project or an OSS bucket.
    For more information, see Create a project and Create buckets.
    Note For data security, we recommend that you configure server-side encryption and retention policies when you create an OSS bucket. For more information, see Configure server-side encryption and Configure retention policies.
  3. Use the management account to create a multi-account trail and set the delivery destination to the Log Service project or OSS bucket created in Step 2.
    1. Log on to the ActionTrail console by using the management account.
    2. In the left-side navigation pane, click Trails.
    3. In the top navigation bar, select the region where you want to create a multi-account trail.
      Note The region that you select becomes the home region of the trail that you want to create.
    4. On the Trails page, click Create Trail.
    5. In the Trail Basic Settings step, set the Trail Name, Applied Regions, Event Type, and Apply Trail to All Member Accounts parameters, and click Next.
      Note
      • Set the Apply Trail to All Member Accounts parameter to Yes.
      • We recommend that you set the Applied Regions parameter to All Regions and the Event Type parameter to All. This way, the trail you create can deliver all events that occur in all regions.
      • For more information about the parameters, see Create a multi-account trail.
    6. In the Event Delivery Settings step, specify one or more delivery destinations and click Next.
      You can create a trail to deliver events to Log Service, OSS, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
      • If you select Delivery to Log Service, select Delivery to Another Account and set the parameters that are described in the following table.
        Parameter: Log Service Project ARN
        Description: Enter the region where the Log Service project resides, the ID of the destination account, and the name of the Log Service project. The name of the Log Service project created in Step 2 is used.

        Parameter: RAM Role ARN of Destination Account
        Description: Enter the ID of the destination account and the name of the RAM role. The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.


      • If you select Delivery to OSS, select Delivery to Another Account and set the parameters that are described in the following table.
        Parameter: RAM Role ARN of OSS Bucket
        Description: Enter the ID of the destination account and the name of the RAM role. The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.

        Parameter: Bucket Name
        Description: Enter the name of the OSS bucket created in Step 2.

        Parameter: Log File Prefix
        Description: Enter the prefix of the name of the log file where the events are stored.
    7. In the Preview and Create step, confirm the trail information and click Submit.
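The trust policy edited in Step 1.4 is what limits which account's ActionTrail may assume the destination role. As an added check that is not part of this page or of ActionTrail itself, the following Python function validates such a trust policy: it reports nothing only when every statement allows sts:AssumeRole for exactly the management account's ActionTrail service principal, and it flags the unscoped actiontrail.aliyuncs.com value that the role is created with, as well as any other principal. The account ID is the masked example from this page and the sample policies are constructed.

```python
import json

# Service-principal suffix used in Step 1.4 of the procedure above.
ACTIONTRAIL_SUFFIX = "@actiontrail.aliyuncs.com"


def check_trust_policy(policy_text, management_account_id):
    """Return findings for a destination-role trust policy; [] means it only
    lets <management_account_id>@actiontrail.aliyuncs.com call sts:AssumeRole."""
    expected = management_account_id + ACTIONTRAIL_SUFFIX
    statements = json.loads(policy_text).get("Statement") or []
    findings = []
    if not statements:
        return ["policy has no Statement"]
    for i, stmt in enumerate(statements):
        where = "statement %d: " % i
        if stmt.get("Effect") != "Allow":
            findings.append(where + "Effect is %r, expected Allow" % (stmt.get("Effect"),))
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            findings.append(where + "Action must be only sts:AssumeRole, got %r" % (actions,))
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(where + "Principal must be a single Service entry, got %r" % (principal,))
            continue
        services = principal["Service"]
        services = [services] if isinstance(services, str) else list(services)
        for svc in services:
            if svc == ACTIONTRAIL_SUFFIX[1:]:  # bare principal: not scoped to one account
                findings.append(where + "Service is unscoped actiontrail.aliyuncs.com")
            elif svc != expected:
                findings.append(where + "unexpected Service principal %r" % svc)
        if expected not in services:
            findings.append(where + "management account %s is not trusted" % management_account_id)
    return findings


def _policy(service):  # constructed helper: the Step 1.4 policy with a given Service value
    return json.dumps({"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                      "Principal": {"Service": [service]}}], "Version": "1"})


# Constructed samples: the page's masked management account ID, after and before Step 1.4.
SCOPED_POLICY = _policy("159498693826****@actiontrail.aliyuncs.com")
UNSCOPED_POLICY = _policy("actiontrail.aliyuncs.com")
```

Run check_trust_policy against the trust policy exported from the RAM console after Step 1.4; a non-empty result means the role can still be assumed by ActionTrail for an account other than the intended management account.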

Result

After the trail is created, you can view the events within multiple member accounts in the Log Service project or OSS bucket by using the destination account.