You can use the management account of your resource directory to specify a member account as the delegated administrator account of ActionTrail. After that, you can use the delegated administrator account to create a multi-account trail in the ActionTrail console. The multi-account trail can deliver events of all member accounts in your resource directory to a specified Log Service Logstore or Object Storage Service (OSS) bucket for centralized management.

Prerequisites

Scenarios

A delegated administrator account of ActionTrail allows you to separate organization management tasks from auditing tasks. This is essential for the cloud security management of your business.

By default, the management account of your resource directory serves as the super administrator of your enterprise. To follow best practices for IT management, you can use the management account to manage the resource directory and delegate a member account to manage the configurations of cloud services. This prevents accidental operations from being performed by an account that has excessive permissions. You can use the delegated administrator account to perform global management operations for your business. For example, you use the management account to specify a member account as the delegated administrator account of ActionTrail. The audit department of your enterprise owns and uses the delegated administrator account to collect events for centralized auditing and analysis. This is consistent with the division of responsibilities in your enterprise.

To achieve best practices for multi-account management, you can add a delegated administrator account of ActionTrail to fulfill the following requirements:

  • Take the place of the management account to collect, manage, and analyze audit events.
  • Take the place of the management account to manage the configurations of ActionTrail. This prevents excessive use of the management account.

For more information about delegated administrator accounts, see What is a delegated administrator account?

Add a delegated administrator account

You can specify a member account in the resource directory as a delegated administrator account to audit events recorded by ActionTrail. This account is used only to manage the configurations of trails and store audit events in the cloud. No other resources are kept in this account. This way, duties for permission management, audit management, and resource management are assigned to different accounts to improve cloud security. A delegated administrator account is used to create a multi-account trail that delivers events of all member accounts in the resource directory to a specified Log Service Logstore or OSS bucket. We recommend that you deliver these events to a Log Service Logstore or OSS bucket within the delegated administrator account. However, you can also specify another member account to store these events. Over the long term, you can use this delegated administrator account to manage the configurations of trails, store events of all member accounts in the resource directory, analyze the audit events, and send alert notifications based on that analysis.

The following permissions are granted to the delegated administrator account of ActionTrail:

  • The permissions to view the information about the structure and member accounts of the resource directory in ActionTrail.
  • The permissions to create a multi-account trail that collects the events of all member accounts in the resource directory.
Note You can create only one multi-account trail for all member accounts in each resource directory. Therefore, you can use the management account to add only one delegated administrator account of ActionTrail in each resource directory.

You can use the management account of your resource directory to add a delegated administrator account in the Resource Management console. For more information, see Add a delegated administrator account.

Change a delegated administrator account

After you specify a member account as the delegated administrator account of ActionTrail, we recommend that you do not change this account. The delegated administrator account is used to manage the business within the resource directory. If you change the specified account, configurations that are managed by the delegated administrator account may fail to take effect for a period of time. This affects the continuous auditing process. If you must change the specified account, you must first remove the original delegated administrator account. Then, you can specify a new delegated administrator account.

Notice Before you remove the original delegated administrator account, you must delete the multi-account trail that was created by using this account. Proceed with caution if you need to delete the multi-account trail. After you delete the multi-account trail, events of the member accounts in the resource directory are no longer collected in a centralized manner until another multi-account trail is created. For more information about how to delete a multi-account trail, see Delete a multi-account trail.
  1. Log on to the Resource Management console and remove the original delegated administrator account of ActionTrail by using the management account.
    For more information, see Remove a delegated administrator account.
  2. In the Resource Management console, specify a new delegated administrator account.
    For more information, see Add a delegated administrator account.
  3. Log on to the ActionTrail console and create a multi-account trail by using the new delegated administrator account to deliver events to a specified Log Service Logstore or OSS bucket within this account.
    For more information, see Access a member and Create a multi-account trail.
  4. In the ActionTrail console, create a historical event delivery task to deliver events generated in the last 90 days to the specified Log Service Logstore or OSS bucket at a time.
    For more information, see Create a historical event delivery task.
  5. Log on to the Log Service console or OSS console and migrate the events delivered by the multi-account trail created by using the original delegated administrator account to the Log Service Logstore or OSS bucket specified for the multi-account trail created by using the new delegated administrator account.
    For more information, see Replicate data from a Logstore or Migrate data between OSS buckets.
    Note After you change the delegated administrator account, duplicate events of up to 90 days are stored in the Log Service Logstore or OSS bucket specified for the multi-account trail created by using the new delegated administrator account. This ensures that no events generated in the last 90 days are lost.
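After step 5, the destination of the new multi-account trail holds both the migrated events and the events re-delivered by the historical event delivery task, so the same event can appear twice. The following Python script is an added example, not part of this page or of the ActionTrail product: it merges event records exported from both destinations, drops duplicates by eventId, and reports member accounts and days with no coverage. The event records and account IDs are constructed samples.

```python
from datetime import date, timedelta

# Constructed sample events in ActionTrail's event format (eventId, eventTime,
# eventName, userIdentity.accountId). The account IDs are placeholders.
OLD_TRAIL_EVENTS = [
    {"eventId": "evt-0001", "eventTime": "2024-05-01T08:00:00Z",
     "eventName": "CreateUser", "userIdentity": {"accountId": "111111111111"}},
    {"eventId": "evt-0002", "eventTime": "2024-05-02T09:30:00Z",
     "eventName": "AttachPolicyToUser", "userIdentity": {"accountId": "111111111111"}},
]
NEW_TRAIL_EVENTS = [
    # evt-0002 also arrived through the new trail's historical event delivery task
    {"eventId": "evt-0002", "eventTime": "2024-05-02T09:30:00Z",
     "eventName": "AttachPolicyToUser", "userIdentity": {"accountId": "111111111111"}},
    {"eventId": "evt-0003", "eventTime": "2024-05-03T10:15:00Z",
     "eventName": "DeleteAccessKey", "userIdentity": {"accountId": "222222222222"}},
]


def merge_events(old_events, new_events):
    """Union both deliveries keyed by eventId so that each event is kept once."""
    merged = {}
    for ev in old_events + new_events:
        merged.setdefault(ev["eventId"], ev)
    return sorted(merged.values(), key=lambda ev: ev["eventTime"])


def events_per_account(events):
    """Count events per member account to confirm every account is still covered."""
    counts = {}
    for ev in events:
        acct = ev["userIdentity"]["accountId"]
        counts[acct] = counts.get(acct, 0) + 1
    return counts


def uncovered_days(events, end_day, days=90):
    """List the days in the window ending on end_day (ISO date) that have no events."""
    seen = {ev["eventTime"][:10] for ev in events}
    end = date.fromisoformat(end_day)
    window = [(end - timedelta(days=i)).isoformat() for i in range(days)]
    return sorted(d for d in window if d not in seen)


if __name__ == "__main__":
    merged = merge_events(OLD_TRAIL_EVENTS, NEW_TRAIL_EVENTS)
    print(events_per_account(merged))
    print(uncovered_days(merged, "2024-05-04", days=4))
```

Run it against events exported from both destinations; a non-empty list from uncovered_days or a missing account in events_per_account points to a gap to investigate before the old destination is cleaned up.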