An AccessKey pair consists of an AccessKey ID and an AccessKey secret, which are used to identify a user and verify the key of the user. If the AccessKey pair is disclosed, your resources are at risk. ActionTrail helps you monitor AccessKey pair-related events so that you can respond to the abnormal use of AccessKey pairs with high efficiency.

Prerequisites

Log Service is activated.

If Log Service is not activated, log on to the Log Service console and activate the service by following the on-screen instructions.

Background information

You can use ActionTrail to query AccessKey pair-related events. You can also deliver events to Log Service and configure alert rules to monitor the use of AccessKey pairs.
  • Query AccessKey pair-related events that were generated in the last 90 days: On the Event Detail Query page of the ActionTrail console, set the filter condition to AccessKeyId to query AccessKey pair-related events in the last 90 days. For more information, see Query events in the ActionTrail console.
  • Query AccessKey pair-related events that were generated more than 90 days ago: Perform the steps described in this topic to query AccessKey pair-related events that were generated more than 90 days ago and configure alert rules to monitor the use of AccessKey pairs.

Step 1: Create a trail

This section describes how to create a single-account trail to deliver events to Log Service.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a single-account trail.
    Note The region that you select becomes the home region of the trail that you want to create.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account.
    Log Event Set the Event Type parameter for management events to All Events.
  6. In the Event Delivery Settings step, select Delivery to Log Service and then select Delivery to Current Account.
  7. Select New Log Service Project, select a region from the Logstore Region drop-down list, and then set the Project Name parameter.
  8. Click Next.
  9. In the Preview and Create step, confirm the trail configurations and click Submit.

Step 2: Query events and configure an alert rule to monitor the use of AccessKey pairs in Log Service

  1. In the left-side navigation pane of the ActionTrail console, click Trails.
  2. On the Trails page, find the trail that you created, move the pointer over the Exclamation point icon icon in the Storage Service column, and then click the name of the Log Service Logstore.
  3. In the upper-right corner of the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  4. Enter event.userIdentity.accessKeyId:"<YourAccessKeyId>" | select count(1) as use_ak_<YourAccessKeyId> in the search box and click Search & Analyze.
    Note Replace <YourAccessKeyId> with your AccessKey ID.
  5. Click Save Search or Save as Alert.
    • Save the query: Click Save Search in the upper-right corner. In the Saved Search Details panel, set the Saved Search Name parameter and click OK.
      Note After you save the query, you can select it in the Log Service console to initiate the query.

      For more information, see Saved search.

    • Configure an alert rule based on the query: Choose Save as Alert > Old Version Alert in the upper-right corner. In the Alert Monitoring Rule panel, set the parameters and click OK.

      For more information, see Configure an alert rule.

      Note After you configure the alert rule, you can receive an alert notification when the alert is triggered. For example, Log Service checks the use of your AccessKey ID every 5 minutes based on the alert rule that is shown in the preceding figure. If your AccessKey ID is used in the last 5 minutes, Log Service generates an alert.

Result

You can manage the saved queries and alert rules in the Log Service console.

Alerts