Prerequisites

Before getting started, you must create a RAM user. For more information, see Create a RAM user.

Attach ActionTrail system policies to a group

The available system policies are as follows:

  • AliyunActionTrailReadOnlyAccess (read-only permission)
  • AliyunActionTrailFullAccess (full permission)

For more information about how to attach a policy, see Authorize RAM users.

Attach ActionTrail custom policies to a group

If the system policies do not meet your requirements, you can create a custom policy. For more information, see (Optional) Create a custom policy. The following example policy allows read-only ActionTrail operations on all resources, but only for requests that originate from a specified IP address range:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "actiontrail:LookupEvents", 
            "actiontrail:Describe*", 
            "actiontrail:Get*"
        ],
        "Resource": "*",
        "Condition":{
            "IpAddress": {
                "acs:SourceIp": "42.120.66.0/24"
            }
        }
    }]
}
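
To check what this policy permits before attaching it, the following added example (not part of the original documentation and not Alibaba Cloud code) models its evaluation in Python. It assumes a simplified rule (an explicit Deny wins, otherwise a matching Allow grants access, otherwise the request is denied) and models only the Action element and the IpAddress / acs:SourceIp condition; the function names and the sample requests are constructed for illustration.

```python
import fnmatch
import ipaddress

# The custom policy from this page.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["actiontrail:LookupEvents", "actiontrail:Describe*", "actiontrail:Get*"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "42.120.66.0/24"}},
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, source_ip):
    """Simplified model (assumption): Deny wins, then Allow, then implicit deny.
    Resource and other condition operators are not modelled."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        # "*" in an action pattern matches any run of characters.
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        cidrs = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp", []))
        # With a SourceIp condition present, the caller must be inside one listed range.
        if cidrs and not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample requests: (action, caller IP)
    for action, ip in [
        ("actiontrail:LookupEvents", "42.120.66.17"),   # read action, inside the range
        ("actiontrail:DescribeTrails", "42.120.66.200"),  # matched by Describe*
        ("actiontrail:LookupEvents", "42.120.67.1"),    # read action, outside the range
        ("actiontrail:CreateTrail", "42.120.66.17"),    # write action, inside the range
    ]:
        print(f"{action:28} from {ip:15} -> {'Allow' if is_allowed(POLICY, action, ip) else 'Deny'}")
```

The last two sample requests are denied: one because the caller is outside 42.120.66.0/24, the other because CreateTrail is not covered by any of the listed read-only actions.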