ActionTrail records specific types of management events for Object Storage Service (OSS) buckets. You can query the details of a management event to obtain information such as the time when the event occurred, the region where the event occurred, and the bucket involved. This topic provides the logs of sample management events for OSS buckets and describes the key fields included in the event logs.

Note: For information about the supported types of management events for OSS buckets, see Events.

Create a bucket

  • Create a bucket by using an Alibaba Cloud account in the OSS console

    In the following example, the Alibaba Cloud account with the ID of 189217171671**** created the OSS bucket named test-123 in the OSS console at 16:24:43 on August 9, 2021 (UTC+8).

    {
      "eventId": "6110E64B004C4034363CDC5E",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-cross.aliyuncs.com",
      "sourceIpAddress": "Internal",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accountId": "189217171671****",
        "principalId": "189217171671****",
        "type": "root-account",
        "userName": "root"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110E64B004C4034363CDC5E",
      "eventTime": "2021-08-09T08:24:43Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "PutBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.type: the identity type of the requester. The value in this example is root-account, which indicates an Alibaba Cloud account.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is PutBucket, which indicates that a bucket was created.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:24:43Z, which indicates that the event occurred at 16:24:43 on August 9, 2021 (UTC+8).
  • Create a bucket as a RAM user in the OSS console

    In the following example, the RAM user whose username is Alice created the OSS bucket named test-123 in the OSS console. The bucket was created in the China (Hangzhou) region at 16:47:02 on August 9, 2021 (UTC+8).

    {
      "eventId": "6110EB86141D4F39389301A2",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-cross.aliyuncs.com",
      "sourceIpAddress": "Internal",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accountId": "189217171671****",
        "principalId": "26135379175722****",
        "type": "ram-user",
        "userName": "Alice"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110EB86141D4F39389301A2",
      "eventTime": "2021-08-09T08:47:02Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "PutBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
    • userIdentity.userName: the username of the RAM user.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is PutBucket, which indicates that a bucket was created.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:47:02Z, which indicates that the event occurred at 16:47:02 on August 9, 2021 (UTC+8).
  • Create a bucket by calling the PutBucket operation as a RAM user with an AccessKey pair

    In the following example, the RAM user whose username is Alice created the OSS bucket named test-123 in the China (Hangzhou) region by calling the PutBucket operation at 16:41:04 on August 9, 2021 (UTC+8). The RAM user used the AccessKey pair whose ID is LTAI4FimByATXqiFP9ni**** to initiate the API call.

    {
      "eventId": "6110EA20EEC7423834B49315",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou.aliyuncs.com",
      "sourceIpAddress": "192.168.XX.XX",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accessKeyId": "LTAI4FimByATXqiFP9ni****",
        "accountId": "127894427633****",
        "principalId": "22111447899160****",
        "type": "ram-user",
        "userName": "Alice"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110EA20EEC7423834B49315",
      "eventTime": "2021-08-09T08:41:04Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "PutBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in this example is LTAI4FimByATXqiFP9ni****.
    • userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in this example is 22111447899160****.
    • userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is PutBucket, which indicates that a bucket was created.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:41:04Z, which indicates that the event occurred at 16:41:04 on August 9, 2021 (UTC+8).
  • Create a bucket by assuming a RAM role as a RAM user

    In the following example, a RAM user of the Alibaba Cloud account whose ID is 189217171671**** created the OSS bucket named test-123 in the China (Hangzhou) region by calling the PutBucket operation at 16:49:20 on August 9, 2021 (UTC+8). The RAM user created the OSS bucket by assuming the oss-role RAM role that belongs to the Alibaba Cloud account.

    {
      "eventId": "6110EC1086A4803039D44C7A",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-cross.aliyuncs.com",
      "requestParameters": {
        "stsTokenPlayerUid": "189217171671****"
      },
      "sourceIpAddress": "Internal",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accessKeyId": "STS.NTThE5nV7fh3q4fPkQdQH****",
        "accountId": "189217171671****",
        "principalId": "39484351102463****:roleTest123",
        "type": "assumed-role",
        "userName": "oss-role:roleTest123"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110EC1086A4803039D44C7A",
      "eventTime": "2021-08-09T08:49:20Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "PutBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.type: the identity type of the requester. The value in this example is assumed-role, which indicates a RAM role.
    • userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the RAM user assumed the RAM role. The value in this example is oss-role:roleTest123, which indicates that the name of the RAM role that was assumed is oss-role, and the name that was specified when the RAM user assumed the RAM role is roleTest123.
    • requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in this example is 189217171671****.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is PutBucket, which indicates that a bucket was created.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:49:20Z, which indicates that the event occurred at 16:49:20 on August 9, 2021 (UTC+8).

Delete a bucket

  • Delete a bucket by using an Alibaba Cloud account in the OSS console

    In the following example, the Alibaba Cloud account with the ID of 189217171671**** deleted the OSS bucket named test-123 in the OSS console at 16:26:56 on August 9, 2021 (UTC+8).

    {
      "eventId": "6110E6D0E310653237000581",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-cross.aliyuncs.com",
      "sourceIpAddress": "Internal",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accountId": "189217171671****",
        "principalId": "189217171671****",
        "type": "root-account",
        "userName": "root"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110E6D0E310653237000581",
      "eventTime": "2021-08-09T08:26:56Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "DeleteBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.type: the identity type of the requester. The value in this example is root-account, which indicates an Alibaba Cloud account.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is DeleteBucket, which indicates that a bucket was deleted.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:26:56Z, which indicates that the event occurred at 16:26:56 on August 9, 2021 (UTC+8).
  • Delete a bucket as a RAM user in the OSS console

    In the following example, the RAM user whose username is Alice deleted the OSS bucket named test-123 from the China (Hangzhou) region in the OSS console at 16:47:11 on August 9, 2021 (UTC+8).

    {
      "eventId": "6110EB8F7912BA33318EFEC6",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-cross.aliyuncs.com",
      "sourceIpAddress": "Internal",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accountId": "189217171671****",
        "principalId": "26135379175722****",
        "type": "ram-user",
        "userName": "Alice"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110EB8F7912BA33318EFEC6",
      "eventTime": "2021-08-09T08:47:11Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "DeleteBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
    • userIdentity.userName: the username of the RAM user.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is DeleteBucket, which indicates that a bucket was deleted.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:47:11Z, which indicates that the event occurred at 16:47:11 on August 9, 2021 (UTC+8).
  • Delete a bucket by calling the DeleteBucket operation as a RAM user with an AccessKey pair

    In the following example, the RAM user whose username is Alice deleted the OSS bucket named test-123 from the China (Hangzhou) region by calling the DeleteBucket operation at 17:14:50 on August 09, 2021 (UTC+8). The RAM user used the AccessKey pair whose ID is LTAI4G2wxd32KLGARfid**** to initiate the API call.

    {
      "eventId": "6110F20A1B319838338E95DB",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-internal.aliyuncs.com",
      "sourceIpAddress": "192.168.XX.XX",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accessKeyId": "LTAI4G2wxd32KLGARfid****",
        "accountId": "184538913914****",
        "principalId": "24576749206513****",
        "type": "ram-user",
        "userName": "Alice"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110F20A1B319838338E95DB",
      "eventTime": "2021-08-09T09:14:50Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "DeleteBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in this example is LTAI4G2wxd32KLGARfid****.
    • userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in this example is 24576749206513****.
    • userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is DeleteBucket, which indicates that a bucket was deleted.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T09:14:50Z, which indicates that the event occurred at 17:14:50 on August 9, 2021 (UTC+8).
  • Delete a bucket by assuming a RAM role as a RAM user

    In the following example, a RAM user of the Alibaba Cloud account whose ID is 189217171671**** deleted the OSS bucket named test-123 from the China (Hangzhou) region by calling the DeleteBucket operation at 16:49:27 on August 9, 2021 (UTC+8). The RAM user deleted the bucket by assuming the oss-role RAM role that belongs to the Alibaba Cloud account.

    {
      "eventId": "6110EC176C9A3A31332831C7",
      "eventVersion": 1,
      "eventSource": "test-123.oss-cn-hangzhou-cross.aliyuncs.com",
      "requestParameters": {
        "stsTokenPlayerUid": "189217171671****"
      },
      "sourceIpAddress": "Internal",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::OSS::Bucket": [
          "test-123"
        ]
      },
      "userIdentity": {
        "accessKeyId": "STS.NTThE5nV7fh3q4fPkQdQH****",
        "accountId": "189217171671****",
        "principalId": "39484351102463****:roleTest123",
        "type": "assumed-role",
        "userName": "oss-role:roleTest123"
      },
      "serviceName": "Oss",
      "additionalEventData": {
        "CallerBid": "26842"
      },
      "requestId": "6110EC176C9A3A31332831C7",
      "eventTime": "2021-08-09T08:49:27Z",
      "isGlobal": false,
      "acsRegion": "cn-hangzhou",
      "eventName": "DeleteBucket"
    }

    The preceding example contains the following key fields:

    • userIdentity.type: the identity type of the requester. The value in this example is assumed-role, which indicates a RAM role.
    • userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the RAM user assumed the RAM role. The value in this example is oss-role:roleTest123, which indicates that the name of the RAM role that was assumed is oss-role, and the name that was specified when the RAM user assumed the RAM role is roleTest123.
    • requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in this example is 189217171671****.
    • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::OSS::Bucket": ["test-123"]}, which indicates the test-123 bucket.
    • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Oss, which indicates OSS.
    • eventName: the name of the event. The value in this example is DeleteBucket, which indicates that a bucket was deleted.
    • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
    • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-09T08:49:27Z, which indicates that the event occurred at 16:49:27 on August 9, 2021 (UTC+8).
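
The key fields described in this topic can be read programmatically when you review bucket creation and deletion events. The following Python code is an added example, not part of ActionTrail or the original topic: it flattens an event into an audit row, splits the {roleName}:{sessionName} username, and converts eventTime to UTC+8. The function names, the credential labels, and the needs_review flag are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))  # this topic states local times in UTC+8

# Trimmed copies of three sample events from this topic (only the fields read below).
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "PutBucket", "eventTime": "2021-08-09T08:24:43Z", "acsRegion": "cn-hangzhou",
  "referencedResources": {"ACS::OSS::Bucket": ["test-123"]},
  "userIdentity": {"accountId": "189217171671****", "principalId": "189217171671****",
                   "type": "root-account", "userName": "root"}},
 {"eventName": "DeleteBucket", "eventTime": "2021-08-09T09:14:50Z", "acsRegion": "cn-hangzhou",
  "referencedResources": {"ACS::OSS::Bucket": ["test-123"]},
  "userIdentity": {"accessKeyId": "LTAI4G2wxd32KLGARfid****", "accountId": "184538913914****",
                   "principalId": "24576749206513****", "type": "ram-user",
                   "userName": "Alice"}},
 {"eventName": "DeleteBucket", "eventTime": "2021-08-09T08:49:27Z", "acsRegion": "cn-hangzhou",
  "requestParameters": {"stsTokenPlayerUid": "189217171671****"},
  "referencedResources": {"ACS::OSS::Bucket": ["test-123"]},
  "userIdentity": {"accessKeyId": "STS.NTThE5nV7fh3q4fPkQdQH****",
                   "accountId": "189217171671****",
                   "principalId": "39484351102463****:roleTest123",
                   "type": "assumed-role", "userName": "oss-role:roleTest123"}}
]""")


def describe_actor(identity):
    """Return (identity type, display name, credential label) from userIdentity."""
    kind = identity.get("type", "unknown")
    name = identity.get("userName", "")
    if kind == "assumed-role":
        # userName is {roleName}:{sessionName}; split on the first colon only.
        role, _, session = name.partition(":")
        name = f"role={role} session={session}"
    # Console samples carry no accessKeyId; the assumed-role samples carry an "STS."-prefixed ID.
    key = identity.get("accessKeyId")
    cred = "none-recorded" if key is None else ("sts-token" if key.startswith("STS.") else "accesskey")
    return kind, name, cred


def summarize(event):
    """Flatten one management event into the fields an auditor reads first."""
    kind, name, cred = describe_actor(event.get("userIdentity", {}))
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "action": event["eventName"],
        "buckets": event.get("referencedResources", {}).get("ACS::OSS::Bucket", []),
        "region": event.get("acsRegion"),
        "actor_type": kind,
        "actor": name,
        "credential": cred,
        "assumed_by_account": event.get("requestParameters", {}).get("stsTokenPlayerUid"),
        "local_time": when.astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S"),
        # Assumption of this example, not an ActionTrail field: deletions and root activity get a second look.
        "needs_review": event["eventName"] == "DeleteBucket" or kind == "root-account",
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(summarize(ev))
```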