
ActionTrail:Manage a delegated administrator account

Last Updated:Feb 23, 2024

You can use the management account of a resource directory to specify a member of the resource directory as the delegated administrator account for ActionTrail. The delegated administrator account is granted the same ActionTrail permissions as the management account and can be used to create a multi-account trail. The multi-account trail delivers the events of all members in the resource directory to a Simple Log Service Logstore or an Object Storage Service (OSS) bucket that belongs to a member, so that the events of the whole organization can be managed in one place.

Prerequisites

Scenarios

A delegated administrator account for ActionTrail enables the separation of organization management and audit management from the IT infrastructure. This is essential for the cloud security management of your business.

By default, the management account of your resource directory is the super administrator of your enterprise. As a best practice for IT management, use the management account only for the organizational management of the resource directory, not for resource configuration management. This limits the damage that an accidental operation can cause with an account that holds far more permissions than any single task needs. Global management operations for your enterprise should instead be performed by delegated administrator accounts. For example, you can use the management account to specify a member as the delegated administrator account for ActionTrail and hand that account to the audit department of your enterprise. The audit department then uses the delegated administrator account to collect events for centralized audit and analysis, which keeps the cloud setup aligned with the division of responsibilities in your enterprise.

To achieve best practices for multi-account management, we recommend that you specify a delegated administrator account for ActionTrail to fulfill the following requirements:

  • A dedicated account takes the place of the management account to collect, manage, and analyze audit events.

  • A dedicated account takes the place of the management account to manage the configurations of ActionTrail. This prevents excessive use of the management account.

For more information about delegated administrator accounts, see Manage a delegated administrator account.

Add a delegated administrator account

You can specify a member of the resource directory as the delegated administrator account for ActionTrail. This account should be used only to manage audit configurations and to store audit events in the cloud; do not host other resources in it. This way, permission management, audit management, and resource management are assigned to different accounts, which improves cloud security. The delegated administrator account for ActionTrail is used to create a multi-account trail that delivers the events of all members in the resource directory to a specific Simple Log Service Logstore or OSS bucket. We recommend that you deliver the events to a Logstore or OSS bucket within the delegated administrator account itself. You can also specify a Logstore or OSS bucket of another member as the destination. With the delegated administrator account you can manage trail configurations, retain the events of all members in the resource directory over the long term, and send alert notifications based on the results of audit event analysis.

The following permissions are granted to the delegated administrator account for ActionTrail:

  • The permissions to view the information about the structure and members of the resource directory in ActionTrail.

  • The permissions to create a multi-account trail that collects the events of all members in the resource directory.

Note

You can create only one multi-account trail within each resource directory. Therefore, you can use the management account of a resource directory to add only one delegated administrator account for ActionTrail within the resource directory.

You can use the management account of your resource directory to add a delegated administrator account in the Resource Management console. For more information, see Add a delegated administrator account.

Change a delegated administrator account

After you specify a member as the delegated administrator account for ActionTrail, we recommend that you do not change this account. The delegated administrator account owns the multi-account trail and its delivery configuration for the resource directory. If you change the specified account, configurations that are bound to the original delegated administrator account may stop taking effect, which interrupts continuous auditing. If you must change the account, first remove the original delegated administrator account and then specify a new one.

Important

Before you remove the original delegated administrator account, you must delete the multi-account trail that was created by using this account. After you delete the multi-account trail, the events of members in the resource directory are no longer collected until another multi-account trail is created. Proceed with caution. For more information about how to delete a multi-account trail, see Delete a multi-account trail.

  1. Log on to the Resource Management console and use the management account to remove the original delegated administrator account from the resource directory.

    For more information, see Remove a delegated administrator account.

  2. In the Resource Management console, specify a new delegated administrator account.

    For more information, see Add a delegated administrator account.

  3. Log on to the ActionTrail console and use the new delegated administrator account to create a multi-account trail that delivers events to a Simple Log Service Logstore or OSS bucket within the new account.

  4. In the ActionTrail console, use the new delegated administrator account to create a data backfill task that delivers all events of the last 90 days to the specified storage space at a time.

    For more information, see Create a data backfill task.

  5. Log on to the Simple Log Service console or OSS console and migrate the events of the original delegated administrator account to the storage space of the new delegated administrator account.

    For more information, see Replicate data from a Logstore and Migrate data between OSS buckets.

    Note

    After you change the delegated administrator account, the Simple Log Service Logstore or OSS bucket of the new delegated administrator account holds two copies of the events that were generated in the overlap between the migrated data of the original account and the 90-day backfill window. The overlap is what guarantees that no events generated in the last 90 days are lost. Complete the changeover within 90 days of deleting the original multi-account trail: events that the original trail no longer collected and that are older than the backfill window cannot be recovered.
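The coverage reasoning behind the procedure above (old trail stops at deletion, backfill covers the last 90 days from the new account, migrated and backfilled events overlap) is worked through in the following example. This is an added example, not Alibaba Cloud code. It assumes only the 90-day backfill window stated on this page and that ActionTrail events carry a unique `eventId` and a UTC `eventTime`; the events themselves are constructed sample data, not real audit records.

```python
"""Check an ActionTrail delegated-administrator changeover for audit gaps and
merge the migrated and backfilled event sets without duplicates.

Added example (not Alibaba Cloud code). Assumes the page's 90-day backfill
window and the ActionTrail event fields eventId / eventTime. All events below
are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# The page states that a data backfill task delivers the events of the last 90 days.
BACKFILL_WINDOW = timedelta(days=90)


def parse_event_time(value):
    """ActionTrail eventTime values are UTC timestamps such as 2024-02-01T08:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def changeover_coverage(old_trail_deleted_at, backfill_started_at, window=BACKFILL_WINDOW):
    """Return (gap, overlap) for a delegated-administrator changeover.

    The original multi-account trail stops collecting at old_trail_deleted_at.
    The backfill task run from the new account covers
    [backfill_started_at - window, backfill_started_at].
      gap     = period that nobody collected; if > 0, those events are lost
      overlap = period collected twice (old store + backfill); these are the
                duplicates the note above warns about
    """
    if backfill_started_at < old_trail_deleted_at:
        raise ValueError("the backfill task runs after the original trail is deleted")
    backfill_from = backfill_started_at - window
    gap = max(timedelta(0), backfill_from - old_trail_deleted_at)
    overlap = max(timedelta(0), old_trail_deleted_at - backfill_from)
    return gap, overlap


def merge_events(migrated, backfilled):
    """Merge events migrated from the original account with backfilled events.

    The same API call can appear in both sets; ActionTrail assigns every event
    a unique eventId, so that is the deduplication key. The first copy seen
    wins (migrated events are listed first) and the result is ordered by time.
    """
    unique = {}
    for event in list(migrated) + list(backfilled):
        unique.setdefault(event["eventId"], event)
    return sorted(unique.values(), key=lambda e: parse_event_time(e["eventTime"]))


# Constructed sample events. The original trail was deleted on 2024-02-01 and the
# backfill task was started from the new account on 2024-02-03.
MIGRATED_EVENTS = [
    {"eventId": "e-001", "eventTime": "2024-01-20T09:00:00Z", "eventName": "CreateTrail"},
    {"eventId": "e-002", "eventTime": "2024-01-25T10:15:00Z", "eventName": "PutBucketPolicy"},
    {"eventId": "e-003", "eventTime": "2024-01-31T23:50:00Z", "eventName": "AttachPolicyToUser"},
]
BACKFILLED_EVENTS = [
    {"eventId": "e-002", "eventTime": "2024-01-25T10:15:00Z", "eventName": "PutBucketPolicy"},
    {"eventId": "e-003", "eventTime": "2024-01-31T23:50:00Z", "eventName": "AttachPolicyToUser"},
    # Generated after the original trail was deleted: only the backfill recovers it.
    {"eventId": "e-004", "eventTime": "2024-02-02T12:00:00Z", "eventName": "DeleteTrail"},
]

if __name__ == "__main__":
    gap, overlap = changeover_coverage(
        parse_event_time("2024-02-01T00:00:00Z"), parse_event_time("2024-02-03T00:00:00Z")
    )
    print(f"gap={gap.days}d overlap={overlap.days}d")
    for event in merge_events(MIGRATED_EVENTS, BACKFILLED_EVENTS):
        print(event["eventTime"], event["eventId"], event["eventName"])
```

With the sample dates the gap is zero and the overlap is 88 days, so the merge keeps four distinct events, including the one generated between trail deletion and backfill. Running `changeover_coverage` with an original trail deleted on 2023-10-01 instead yields a 35-day gap: the backfill window starts on 2023-11-05, and whatever happened between those dates was never collected.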