You can use the management account of a resource directory to specify a member as the delegated administrator account for ActionTrail. The delegated administrator account can be used to create a multi-account trail. The multi-account trail allows ActionTrail to deliver the events of all members in the resource directory to a specific Log Service Logstore or Object Storage Service (OSS) bucket for centralized management. The Log Service Logstore or OSS bucket can be one that belongs to the delegated administrator account or one that belongs to another member in the resource directory.

Prerequisites

Scenarios

A delegated administrator account for ActionTrail lets you separate the organizational management of the resource directory from audit management, so that the highly privileged management account is not used for day-to-day auditing. This separation is a core part of the cloud security management of your business.

By default, the management account of your resource directory is the super administrator of your enterprise. As an IT management best practice, use the management account only for the organizational management of the resource directory, not for resource configuration management. This limits the damage that an accidental operation performed with the over-privileged management account can cause. Instead, use delegated administrator accounts to perform the global management operations of individual services for your enterprise. For example, you can use the management account to specify a member as the delegated administrator account for ActionTrail and assign that account to the audit department of your enterprise. The audit department then uses the delegated administrator account to collect events for centralized auditing and analysis, which matches the division of responsibilities in your enterprise.

To achieve best practices for multi-account management, you can specify a delegated administrator account for ActionTrail to fulfill the following requirements:

  • A dedicated account takes the place of the management account to collect, manage, and analyze audit events.
  • A dedicated account takes the place of the management account to manage the configurations of ActionTrail. This prevents excessive use of the management account.

For more information about delegated administrator accounts, see What is a delegated administrator account?.

Add a delegated administrator account

You can specify a member in the resource directory as the delegated administrator account for ActionTrail. This account is used only to manage trail configurations and to store audit events in the cloud; no other resources are kept in it. This way, permission management, audit management, and resource management are assigned to different accounts, which improves cloud security. The delegated administrator account creates a multi-account trail that delivers the events of all members in the resource directory to a specific Log Service Logstore or OSS bucket. We recommend that you deliver these events to a Logstore or OSS bucket within the delegated administrator account, although you can also specify a Logstore or OSS bucket that belongs to another member. Over the long term, you use this account to manage trail configurations, store the events of all members in the resource directory, and send alert notifications based on the analysis of the audit events.

The following permissions are granted to the delegated administrator account for ActionTrail:

  • The permissions to view the information about the structure and members of the resource directory in ActionTrail.
  • The permissions to create a multi-account trail that collects the events of all members in the resource directory.
Note You can create only one multi-account trail for each resource directory. Therefore, you can use the management account to add only one delegated administrator account for ActionTrail in each resource directory.

You can use the management account of your resource directory to add a delegated administrator account in the Resource Management console. For more information, see Add a delegated administrator account.

Change a delegated administrator account

After you specify a member as the delegated administrator account for ActionTrail, we recommend that you do not change this account. The delegated administrator account owns the multi-account trail configuration for the resource directory. If you change the account, configurations bound to the original account may stop taking effect, which interrupts continuous auditing. If you must change the account, first remove the original delegated administrator account, then specify a new one.

Notice Before you remove the original delegated administrator account, you must delete the multi-account trail that was created by using this account. Proceed with caution if you need to delete the multi-account trail. After you delete the multi-account trail, the events of members in the resource directory are no longer collected until another multi-account trail is created. For more information about how to delete a multi-account trail, see Delete a multi-account trail.
  1. Log on to the Resource Management console and remove the original delegated administrator account for ActionTrail by using the management account.
    For more information, see Remove a delegated administrator account.
  2. In the Resource Management console, specify a new delegated administrator account.
    For more information, see Add a delegated administrator account.
  3. Log on to the ActionTrail console and create a multi-account trail by using the new delegated administrator account to deliver events to a Log Service Logstore or OSS bucket within the delegated administrator account or another member.
    For more information, see Access a member and Create a multi-account trail.
  4. In the ActionTrail console, create a historical event delivery task to deliver the events generated in the last 90 days to the specified Log Service Logstore or OSS bucket in a single batch.
    For more information, see Create a historical event delivery task.
  5. Log on to the Log Service console or OSS console and migrate the historical events collected by the original delegated administrator account to the Log Service Logstore or OSS bucket specified by using the new delegated administrator account.
    For more information, see Replicate data from a Logstore or Migrate data between OSS buckets.
    Note After you change the delegated administrator account, the Log Service Logstore or OSS bucket specified by the new delegated administrator account contains duplicates of up to 90 days of events, because the historical event delivery task in step 4 and the migration in step 5 both deliver the events of that period. This overlap is intentional and ensures that no events generated in the last 90 days are lost.
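The procedure above leaves up to 90 days of duplicate events in the destination of the new delegated administrator account. The following Python script is an added example, not code from the ActionTrail documentation or from Alibaba Cloud: it reconciles the events migrated from the original account's Logstore with the events already delivered under the new account, drops duplicates by eventId, and flags any silence in the lookback window that would indicate a source was missing days. The field names follow the ActionTrail event format (eventId, eventTime, eventName, serviceName); the sample events, the 36-hour gap threshold, and the helper names are constructed for the example.

```python
# Added example (not part of the ActionTrail documentation): reconcile
# events after a delegated administrator change.
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names follow the ActionTrail event format;
# the values are invented for this example.
OLD_EVENTS = [  # exported from the Logstore of the original delegated administrator account
    {"eventId": "evt-0001", "eventTime": "2024-03-01T10:00:00Z", "eventName": "CreateTrail", "serviceName": "Actiontrail"},
    {"eventId": "evt-0002", "eventTime": "2024-03-02T10:00:00Z", "eventName": "StartLogging", "serviceName": "Actiontrail"},
    {"eventId": "evt-0003", "eventTime": "2024-03-03T10:00:00Z", "eventName": "PutBucketAcl", "serviceName": "Oss"},
]
NEW_EVENTS = [  # already in the Logstore of the new delegated administrator account
    # evt-0003 again: redelivered by the historical event delivery task (the intended overlap)
    {"eventId": "evt-0003", "eventTime": "2024-03-03T10:00:00Z", "eventName": "PutBucketAcl", "serviceName": "Oss"},
    {"eventId": "evt-0004", "eventTime": "2024-03-04T10:00:00Z", "eventName": "CreateRole", "serviceName": "Ram"},
]


def parse_event_time(value):
    """ActionTrail eventTime is ISO 8601 in UTC, e.g. 2024-03-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def merge_events(old_events, new_events):
    """Merge both sources keyed by eventId.

    The copy already in the new account wins on collision so the new
    Logstore stays authoritative. Returns (events sorted by eventTime,
    number of duplicates dropped).
    """
    merged = {}
    duplicates = 0
    for event in list(new_events) + list(old_events):
        event_id = event["eventId"]
        if event_id in merged:
            duplicates += 1
            continue
        merged[event_id] = event
    ordered = sorted(merged.values(), key=lambda e: parse_event_time(e["eventTime"]))
    return ordered, duplicates


def coverage_gaps(events, window_start, window_end, max_gap=timedelta(hours=36)):
    """Return (from, to) pairs inside the window with no events for longer than max_gap.

    A long silence right around the cutover usually means one of the two
    sources is missing days, i.e. the migration or the historical delivery
    task did not cover the period it was supposed to. The 36-hour threshold
    is an assumption; tune it to the event rate of your resource directory.
    """
    times = sorted(
        t for t in (parse_event_time(e["eventTime"]) for e in events)
        if window_start <= t <= window_end
    )
    gaps = []
    previous = window_start
    for t in times + [window_end]:
        if t - previous > max_gap:
            gaps.append((previous, t))
        previous = t
    return gaps


def lookback_window(cutover_time, days=90):
    """The window a historical event delivery task covers: the 90 days before the cutover."""
    return cutover_time - timedelta(days=days), cutover_time


if __name__ == "__main__":
    merged, dropped = merge_events(OLD_EVENTS, NEW_EVENTS)
    print(f"{len(merged)} unique events, {dropped} duplicate(s) dropped")
    start = parse_event_time("2024-03-01T00:00:00Z")
    end = parse_event_time("2024-03-04T12:00:00Z")
    for gap_from, gap_to in coverage_gaps(merged, start, end):
        print(f"no events between {gap_from.isoformat()} and {gap_to.isoformat()}")
```

Run it against the two exports after step 5. Deduplicating by eventId rather than by (eventTime, eventName) matters because two legitimately distinct API calls can share the same second and name, while a redelivered event keeps its original eventId.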