Alibaba Cloud ActionTrail is a service that monitors and records the actions of your Alibaba Cloud account, including the access to and use of cloud products and services through the Alibaba Cloud console, API operations, and SDKs. ActionTrail records these actions as events. You can download these events from the ActionTrail console or configure ActionTrail to deliver these events to Log Service Logstores or Object Storage Service (OSS) buckets. Then, you can perform behavior analysis, security analysis, resource change tracking, and compliance auditing based on the events.

The following figure shows the architecture of ActionTrail.

Features

  • Out-of-the-box service: By default, ActionTrail tracks the actions of your Alibaba Cloud account over the last 90 days and records them as events. You can query these events in the ActionTrail console without any configuration.
  • Self-service management: You can create a trail to enable ActionTrail to deliver events to a Log Service Logstore as logs or to an OSS bucket as log files. You can manage the logs by using the retrieval and analysis features of Log Service or by transferring the logs to big data services. For example, you can authorize other services to access the logs, define the lifecycle rules of the logs, archive, retrieve, and analyze the logs, and configure alert rules based on the logs.
  • Multi-dimensional event query: ActionTrail allows you to query events from multiple dimensions, such as the event time, username, resource type, resource name, and event name.

Scenarios

  • Compliance with requirements of classified protection: According to the Baseline for Classified Protection of Cybersecurity 2.0, you must record the actions of your Alibaba Cloud account and store the corresponding records for at least six months. ActionTrail records the actions as events and allows you to deliver events to Log Service Logstores or OSS buckets for long-term storage. This makes sure that your business complies with the requirements of classified protection.
  • Security analysis: ActionTrail records the actions of your Alibaba Cloud account in detail as events so that you can identify security issues of your Alibaba Cloud account based on the events.

    For example, you can configure a trail to enable delivery of events as logs to a specific Log Service Logstore. This not only enables you to store the logs for a longer period of time but also allows you to execute SQL statements to analyze the logs.

  • Resource change tracking: Based on the events recorded by ActionTrail, you can locate the cause of an anomaly that occurs during the use of your resources. For example, if one of your ECS instances is shut down, you can use ActionTrail to locate the person who initiated the shutdown event, the time when the shutdown event occurred, and the IP address from which the shutdown event was initiated.
  • Compliance auditing: If you use the Resource Access Management (RAM) service to manage the members in your organization, ActionTrail records the actions of each member in detail as events. This helps ensure that the actions of all members meet the compliance auditing requirements of your organization. You can also create multiple trails to track different types of events in different regions and deliver the events to different OSS buckets or Log Service Logstores based on the responsibilities of auditors.

    For example, if you have deployed resources on the Alibaba Cloud sites both in and outside China, you can create multiple trails to track the events that occur in different countries and regions and deliver the events to local storage objects based on the specific data security requirements of each country or region.
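The following script is an added example, not part of the Alibaba Cloud documentation or product code. It shows the two investigations described above (the security-analysis and resource-change-tracking scenarios) run over constructed ActionTrail-style events in newline-delimited JSON, the layout used for OSS delivery; the field names (eventName, eventTime, eventType, sourceIpAddress, userIdentity, requestParameters, errorCode) are assumed from the ActionTrail event schema, and all values are made up.

```python
import json
from collections import Counter

# Constructed ActionTrail-style events (newline-delimited JSON, one event per line).
# Field names are assumed from the ActionTrail event schema; all values are made up.
SAMPLE_LOG = """
{"eventName": "StopInstance", "eventTime": "2024-05-01T08:12:30Z", "serviceName": "Ecs", "eventType": "ApiCall", "sourceIpAddress": "203.0.113.10", "userIdentity": {"type": "ram-user", "userName": "ops-alice"}, "requestParameters": {"InstanceId": "i-example001"}}
{"eventName": "DescribeInstances", "eventTime": "2024-05-01T08:13:00Z", "serviceName": "Ecs", "eventType": "ConsoleCall", "sourceIpAddress": "198.51.100.7", "userIdentity": {"type": "ram-user", "userName": "dev-bob"}, "requestParameters": {}}
{"eventName": "StopInstance", "eventTime": "2024-05-01T09:40:05Z", "serviceName": "Ecs", "eventType": "ApiCall", "sourceIpAddress": "198.51.100.7", "userIdentity": {"type": "ram-user", "userName": "dev-bob"}, "requestParameters": {"InstanceId": "i-example001"}, "errorCode": "Forbidden.RAM", "errorMessage": "User not authorized"}
{"eventName": "StopInstance", "eventTime": "2024-05-01T10:02:11Z", "serviceName": "Ecs", "eventType": "ConsoleCall", "sourceIpAddress": "192.0.2.44", "userIdentity": {"type": "root-account", "userName": "root"}, "requestParameters": {"InstanceId": "i-example002"}}
"""


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def trace_instance_action(events, instance_id, event_name="StopInstance"):
    """Resource change tracking: who acted on the instance, when, from where,
    via console or API, and whether the call succeeded. Sorted by time."""
    hits = []
    for ev in events:
        if ev.get("eventName") != event_name:
            continue
        if ev.get("requestParameters", {}).get("InstanceId") != instance_id:
            continue
        identity = ev.get("userIdentity", {})
        hits.append({
            "who": identity.get("userName"),
            "identity_type": identity.get("type"),
            "when": ev.get("eventTime"),
            "source_ip": ev.get("sourceIpAddress"),
            "via": ev.get("eventType"),
            "succeeded": "errorCode" not in ev,
            "error": ev.get("errorCode"),
        })
    return sorted(hits, key=lambda h: h["when"])


def failed_calls_by_actor(events):
    """Security analysis: count failed (denied or errored) calls per
    (user, source IP). A burst here is a cheap first signal to alert on."""
    counts = Counter()
    for ev in events:
        if "errorCode" in ev:
            who = ev.get("userIdentity", {}).get("userName")
            counts[(who, ev.get("sourceIpAddress"))] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for hit in trace_instance_action(evs, "i-example001"):
        print(hit)
    print(failed_calls_by_actor(evs))
```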

Benefits

  • Quick recording: ActionTrail records the actions that you take in the Alibaba Cloud console or through API operations, as well as the actions triggered by Alibaba Cloud services through RAM roles. When an action is taken, ActionTrail tracks and records it within 10 minutes.
  • Detailed records: ActionTrail records the detailed contextual information of your actions. You can query events corresponding to the actions taken in the last 90 days in the ActionTrail console or through API operations. For example, you can use ActionTrail to obtain the following information about a certain action: the person who initiated the action, the time when the action occurred, the target of the action, the IP address from which the action was initiated, whether the action was taken in the Alibaba Cloud console or through API operations, the result of the action, and the cause of failure in cases where the action failed.
  • High stability and reliability: ActionTrail allows you to deliver events to OSS and Log Service, which provide extremely high availability and guarantee the security of audit data through encryption and access control. When an event is delivered, ActionTrail sends you a notification.
  • Custom tracking: ActionTrail allows you to create up to five trails in each region to deliver events to OSS buckets or Log Service Logstores. This helps you track different types of events that occur in different regions and back up various types of audit data for organization members according to their responsibilities.
    Note: Avoid delivering events of the same type that occur in the same region to a single OSS bucket or Log Service Logstore.
  • Transparent O&M: ActionTrail records actions related to Alibaba Cloud services as events and stores event logs in near real time. Integrated with Log Service, it also provides O&M features, including querying and analyzing event logs, configuring alerts, and generating reports. Backed by these transparent O&M features, ActionTrail can meet your requirements for analyzing and auditing actions related to Alibaba Cloud services.