You can create a RAM account by using Alibaba Cloud RAM and authorize that account to operate ActionTrail. We strongly recommend this approach for security reasons, because it avoids using the Alibaba Cloud account itself for day-to-day operations.

List of ActionTrail operations that can be authorized to a RAM account

ActionTrail operations that can be authorized to a RAM account are as follows:

  • CreateTrail
  • UpdateTrail
  • DeleteTrail
  • DescribeTrails
  • GetTrailStatus
  • StartLogging
  • StopLogging
  • LookupEvents

Format resources

When you grant permissions to RAM accounts, specify Alibaba Cloud resources in the following format.

Resource                                    Description
*                                           All cloud resources.
acs:actiontrail:${region}:${AccountId}:*    Resources in a specified region.

Authorization policy example

  • Example 1: As a RAM administrator, grant a user read-only permission.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "actiontrail:LookupEvents",
                "actiontrail:Describe*",
                "actiontrail:Get*"
            ],
            "Resource": "*"
        }]
    }
  • Example 2: As a RAM administrator, grant a user read-only permission when they log on from a specified IP address.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "actiontrail:LookupEvents",
                "actiontrail:Describe*",
                "actiontrail:Get*"
            ],
            "Resource": "*",
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": "42.120.XX.X/24"
                }
            }
        }]
    }
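To make the resource format and the two policy examples concrete, the following Python example is added here; it is not part of the Alibaba Cloud documentation. It expands action wildcards such as actiontrail:Describe* against the eight ActionTrail operations listed above, matches the acs:actiontrail:${region}:${AccountId}:* resource format against a request, evaluates the IpAddress / acs:SourceIp condition from Example 2, and reports any trail-changing operation a policy grants, which is the check a reviewer wants before approving a "read-only" policy. The policy it evaluates is a constructed copy of Example 2 with the documentation range 203.0.113.0/24 in place of the page's masked address; the request values (region, account ID, source IP) are constructed as well. The Deny-overrides-Allow ordering and the exact-match treatment of the region and account fields are this example's own modelling assumptions, not a description of the RAM engine.

```python
import fnmatch
import ipaddress

# The eight ActionTrail operations listed on the page, split by whether they
# only read audit data or change trail/logging configuration.
READ_ONLY_OPERATIONS = {"DescribeTrails", "GetTrailStatus", "LookupEvents"}
MUTATING_OPERATIONS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                       "StartLogging", "StopLogging"}
ALL_OPERATIONS = READ_ONLY_OPERATIONS | MUTATING_OPERATIONS

# Constructed copy of Example 2; the CIDR is a documentation range, not the
# page's masked address.
READ_ONLY_FROM_OFFICE = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["actiontrail:LookupEvents",
                   "actiontrail:Describe*",
                   "actiontrail:Get*"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}},
    }],
}


def _as_list(value):
    """RAM allows a single string or a list for Action/Resource/condition values."""
    return [value] if isinstance(value, str) else list(value)


def expand_actions(action_patterns):
    """Expand 'actiontrail:Describe*'-style patterns against the known operations."""
    granted = set()
    for pattern in _as_list(action_patterns):
        service, _, op_pattern = pattern.partition(":")
        if service not in ("actiontrail", "*"):
            continue  # pattern targets another service
        granted |= {op for op in ALL_OPERATIONS
                    if fnmatch.fnmatchcase(op, op_pattern)}
    return granted


def resource_matches(resource_pattern, region, account_id):
    """Match acs:actiontrail:${region}:${AccountId}:* against a request (assumed exact/wildcard)."""
    if resource_pattern == "*":
        return True
    parts = resource_pattern.split(":")
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "actiontrail":
        return False
    return (fnmatch.fnmatchcase(region, parts[2])
            and fnmatch.fnmatchcase(account_id, parts[3]))


def condition_matches(condition, source_ip):
    """Evaluate the IpAddress/acs:SourceIp condition; refuse to silently skip other operators."""
    if not condition:
        return True
    for operator, keys in condition.items():
        if operator != "IpAddress":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, cidrs in keys.items():
            if key != "acs:SourceIp":
                raise ValueError(f"unsupported condition key: {key}")
            addr = ipaddress.ip_address(source_ip)
            if not any(addr in ipaddress.ip_network(c, strict=False)
                       for c in _as_list(cidrs)):
                return False
    return True


def is_allowed(policy, operation, region, account_id, source_ip):
    """Deny by default; an explicit Deny wins over any Allow (this example's model)."""
    allowed = False
    for stmt in policy["Statement"]:
        if operation not in expand_actions(stmt["Action"]):
            continue
        if not any(resource_matches(r, region, account_id)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def mutating_grants(policy):
    """Least-privilege review: which trail-changing operations does this policy allow?"""
    grants = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            grants |= expand_actions(stmt["Action"]) & MUTATING_OPERATIONS
    return grants


if __name__ == "__main__":
    # Constructed request values for a quick demonstration.
    print(mutating_grants(READ_ONLY_FROM_OFFICE))
    print(is_allowed(READ_ONLY_FROM_OFFICE, "LookupEvents",
                     "cn-hangzhou", "123456789012345678", "203.0.113.7"))
    print(is_allowed(READ_ONLY_FROM_OFFICE, "LookupEvents",
                     "cn-hangzhou", "123456789012345678", "198.51.100.7"))
```

Running mutating_grants over a candidate policy before attaching it catches the common mistake of granting "actiontrail:*" when only LookupEvents, Describe* and Get* were intended; condition_matches deliberately raises on condition operators it does not model rather than treating them as satisfied, so the evaluator never reports a grant as narrower than it is.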