You can use the management account of a resource directory to specify a member as the delegated administrator account for ActionTrail. The delegated administrator account can be used to create a multi-account trail. The multi-account trail allows ActionTrail to deliver the events of all members in the resource directory to a specific Log Service Logstore or Object Storage Service (OSS) bucket for centralized management. The Log Service Logstore or OSS bucket can be one that belongs to the delegated administrator account or one that belongs to another member in the resource directory.
Prerequisites
- A resource directory is enabled. For more information, see Enable a resource directory.
- Members are created in the resource directory, or members are invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
Scenarios
A delegated administrator account for ActionTrail allows you to separate organization management tasks from auditing tasks. This is essential for the cloud security management of your business.
By default, the management account of your resource directory serves as the super administrator of your enterprise. To achieve best practices for IT management, you should keep the management account focused on the organizational management of the resource directory rather than on resource configuration management. This reduces the risk of accidental operations being performed by the management account, which has excessive permissions. You can use the delegated administrator account to perform global management operations for your enterprise. For example, you can use the management account to specify a member as the delegated administrator account for ActionTrail, and allocate the delegated administrator account to the audit department of your enterprise. Then, the audit department can use the delegated administrator account to collect events for centralized auditing and analysis. This matches the division of responsibilities in your enterprise.
To achieve best practices for multi-account management, you can specify a delegated administrator account for ActionTrail to fulfill the following requirements:
- A dedicated account takes the place of the management account to collect, manage, and analyze audit events.
- A dedicated account takes the place of the management account to manage the configurations of ActionTrail. This prevents excessive use of the management account.
For more information about delegated administrator accounts, see What is a delegated administrator account?
Add a delegated administrator account
You can specify a member in the resource directory as a delegated administrator account for ActionTrail to audit events. This account is used only to manage the configurations of trails and store audit events in the cloud. Other resources are not retained within this account. This way, duties for permission management, audit management, and resource management are assigned to different accounts to improve cloud security. The delegated administrator account for ActionTrail is used to create a multi-account trail that delivers the events of all members in the resource directory to a specific Log Service Logstore or OSS bucket. We recommend that you deliver these events to a Log Service Logstore or OSS bucket within the delegated administrator account. However, you can also specify a Log Service Logstore or OSS bucket of another member to store these events. Over the long term, you can use this delegated administrator account to manage the configurations of trails, store the events of all members in the resource directory, and send alert notifications based on the analysis of audit events.
The following permissions are granted to the delegated administrator account for ActionTrail:
- The permissions to view the information about the structure and members of the resource directory in ActionTrail.
- The permissions to create a multi-account trail that collects the events of all members in the resource directory.
You can use the management account of your resource directory to add a delegated administrator account in the Resource Management console. For more information, see Add a delegated administrator account.
Change a delegated administrator account
After you specify a member as the delegated administrator account for ActionTrail, we recommend that you do not change this account. The delegated administrator account is used to manage the business within the resource directory. If you change the specified account, configurations that are related to the delegated administrator account may fail to take effect. This affects the continuous auditing process. If you must change the specified account, you must first remove the original delegated administrator account. Then, you can specify a new delegated administrator account.
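The following script is an added example, not part of this page and not an Alibaba Cloud tool. It drives the procedure described above (register a member as the delegated administrator for ActionTrail, verify the registration, create and start a multi-account trail that delivers to an OSS bucket, and replace the delegated administrator by removing the old account before registering the new one) with the Alibaba Cloud CLI (`aliyun`). The API operation names, their parameters (`RegisterDelegatedAdministrator`, `ListDelegatedAdministrators`, `DeregisterDelegatedAdministrator`, `CreateTrail` with `IsOrganizationTrail`, `StartLogging`) and the service principal value `actiontrail.aliyuncs.com` are assumptions drawn from the Resource Manager and ActionTrail OpenAPI references, and the account IDs, trail name and bucket name used in the usage text are constructed; check them against the current API documentation before use. The register, list and replace steps must run with the management account's credentials and the trail creation with the delegated administrator account's credentials; the CLI profile in use must be switched accordingly.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's own tooling): delegated-administrator procedure for
# ActionTrail via the Alibaba Cloud CLI. API and parameter names are assumptions taken
# from the Resource Manager and ActionTrail OpenAPI references.
set -eu

# Service principal that identifies ActionTrail as the trusted service (assumed value).
ACTIONTRAIL_SP="actiontrail.aliyuncs.com"
# CLI binary; set ALIYUN_CLI=echo to print the API calls instead of executing them.
ALIYUN_CLI="${ALIYUN_CLI:-aliyun}"

# Step 1 (management account): register a member as the delegated administrator for ActionTrail.
register_actiontrail_admin() {
    account_id="$1"
    "$ALIYUN_CLI" resourcemanager RegisterDelegatedAdministrator \
        --AccountId "$account_id" --ServicePrincipal "$ACTIONTRAIL_SP"
}

# Step 2 (management account): list the delegated administrator(s) registered for ActionTrail,
# so the registration can be checked before any trail is created.
list_actiontrail_admins() {
    "$ALIYUN_CLI" resourcemanager ListDelegatedAdministrators \
        --ServicePrincipal "$ACTIONTRAIL_SP"
}

# Remove a delegated administrator registration (management account).
deregister_actiontrail_admin() {
    account_id="$1"
    "$ALIYUN_CLI" resourcemanager DeregisterDelegatedAdministrator \
        --AccountId "$account_id" --ServicePrincipal "$ACTIONTRAIL_SP"
}

# Change procedure from the page: the original account must be removed first, then the new
# one registered. Refuses a no-op change so the registration is never dropped by mistake.
replace_actiontrail_admin() {
    old_id="$1"; new_id="$2"
    if [ "$old_id" = "$new_id" ]; then
        echo "replace_actiontrail_admin: old and new account are identical" >&2
        return 1
    fi
    deregister_actiontrail_admin "$old_id"
    register_actiontrail_admin "$new_id"
}

# Step 3 (delegated administrator account): create the multi-account trail that delivers every
# member's events to one OSS bucket, then start logging. The bucket may belong to the
# delegated administrator or to another member of the resource directory.
create_org_trail() {
    trail_name="$1"; bucket="$2"; prefix="${3:-actiontrail}"
    "$ALIYUN_CLI" actiontrail CreateTrail --Name "$trail_name" \
        --OssBucketName "$bucket" --OssKeyPrefix "$prefix" \
        --EventRW All --IsOrganizationTrail true
    "$ALIYUN_CLI" actiontrail StartLogging --Name "$trail_name"
}

usage() {
    cat <<'EOF'
usage: actiontrail-admin.sh register <member-account-id>
       actiontrail-admin.sh list
       actiontrail-admin.sh replace <old-member-account-id> <new-member-account-id>
       actiontrail-admin.sh create-trail <trail-name> <oss-bucket> [key-prefix]
EOF
}

# Dispatch only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        register)     register_actiontrail_admin "$2" ;;
        list)         list_actiontrail_admins ;;
        replace)      replace_actiontrail_admin "$2" "$3" ;;
        create-trail) create_org_trail "$2" "$3" "${4:-actiontrail}" ;;
        *)            usage; exit 2 ;;
    esac
fi
```

Run `ALIYUN_CLI=echo sh actiontrail-admin.sh replace <old-id> <new-id>` first to confirm the deregister call precedes the register call, then run it against the real CLI from the management account profile; `create-trail` is then run from the delegated administrator profile.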