ActionTrail is a service that monitors and records the operations of your Alibaba Cloud account. The operations include your access to and use of cloud services by using the Alibaba Cloud Management Console, APIs, and SDKs. ActionTrail records these operations as events. You can download these events from the ActionTrail console or configure ActionTrail to deliver these events to Log Service Logstores or Object Storage Service (OSS) buckets. Then, you can perform behavior analysis, security analysis, resource change tracking, and compliance auditing based on the events.

The following figure shows how ActionTrail works.

Functions and features

  • Out-of-the-box service: ActionTrail can track the operations of your Alibaba Cloud account without manual intervention. By default, it tracks the operations performed in the last 90 days and records these operations as events. You can query these events in the ActionTrail console.
  • Self-service management: You can configure ActionTrail to deliver events to a Log Service Logstore as logs or to an OSS bucket as log files by creating a trail. You can use the retrieval and analysis features of Log Service to manage the logs. You can also transfer the logs to big data services for management. For example, you can authorize other services to access the logs, define the lifecycle rules of the logs, archive, retrieve, and analyze the logs, and configure alert rules based on the logs.
  • Multi-dimensional event query: ActionTrail allows you to query events from multiple dimensions, such as the event time, username, resource type, resource name, and event name.

Common scenarios

  • Compliance with MLPS requirements: Multi-Level Protection Scheme (MLPS) 2.0 stipulates that the operations of your Alibaba Cloud account must be recorded and the corresponding records must be stored for at least 180 days. To comply with these requirements, you can use ActionTrail to record the operations as events. Then, you can configure ActionTrail to deliver the events to Log Service Logstores or OSS buckets for long-term storage.
  • Security analysis: ActionTrail records the operations of your Alibaba Cloud account in detail as events so that you can identify security issues of your Alibaba Cloud account based on the events.
    For example, you can configure a trail to deliver events to a specific Log Service Logstore as logs. This not only allows you to store the logs for a longer period of time but also allows you to execute SQL statements to analyze the logs.
  • Resource change tracking: You can locate the cause of an anomaly that occurs during the use of your resources based on the events recorded by ActionTrail. For example, if one of your Elastic Compute Service (ECS) instances is shut down, you can use ActionTrail to locate the person who performed the shutdown operation, the time when the shutdown operation was performed, and the IP address from which the shutdown operation was performed.
  • Compliance auditing: If you use the Resource Access Management (RAM) service to manage the members in your organization, ActionTrail records the operations of each member in detail as events. This ensures that the operations of all members in your organization are recorded for compliance auditing. You can create trails to track different types of operations that are performed in different regions and deliver the events to different OSS buckets or Log Service Logstores based on the responsibilities of auditors.

    For example, if you have deployed resources on the Alibaba Cloud sites both in and outside China, you can create trails to track the operations that are performed in different countries and regions and deliver the events to local storage objects based on the specific data security requirements of each country or region.
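
The resource change tracking scenario above, as an added example that is not part of the original page or Alibaba Cloud's own code: a Python function that scans delivered events (one JSON object per line) to report who tried to stop a given ECS instance, when, from which IP address, and whether the call succeeded. The sample events are constructed, and the field names (`eventName`, `eventTime`, `sourceIpAddress`, `userIdentity`, `requestParameters`, `errorCode`) and the `StopInstance` event name are assumptions about the delivered event layout.

```python
import json

# Constructed sample of delivered events, one JSON object per line.
# ASSUMPTION: field names follow the ActionTrail event JSON layout; confirm
# them against a real delivered event before relying on this.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T02:10:00Z","eventName":"DescribeInstances","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice"},"requestParameters":{"RegionId":"cn-hangzhou"}}
{"eventTime":"2024-05-01T02:13:45Z","eventName":"StopInstance","sourceIpAddress":"198.51.100.23","userIdentity":{"type":"ram-user","userName":"bob"},"requestParameters":{"InstanceId":"i-example0001"},"errorCode":"Forbidden.RAM"}
{"eventTime":"2024-05-01T02:15:02Z","eventName":"StopInstance","sourceIpAddress":"198.51.100.23","userIdentity":{"type":"assumed-role","principalId":"3000:ops-session"},"requestParameters":{"InstanceId":"i-example0001"}}
{"eventTime":"2024-05-01T02:16:00Z","eventName":"StopInstance","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice"},"requestParameters":{"InstanceId":"i-example0002"}}
this line is truncated {"eventTime":
"""


def who_changed(log_text, event_name, instance_id):
    """Return who/when/where for each matching event, oldest first."""
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting
        if not isinstance(ev, dict) or ev.get("eventName") != event_name:
            continue
        params = ev.get("requestParameters")
        if not isinstance(params, dict) or params.get("InstanceId") != instance_id:
            continue
        ident = ev.get("userIdentity") or {}
        hits.append({
            # Role sessions may carry no userName, so fall back to principalId.
            "who": ident.get("userName") or ident.get("principalId") or "unknown",
            "identity_type": ident.get("type", "unknown"),
            "when": ev.get("eventTime", ""),
            "source_ip": ev.get("sourceIpAddress", "unknown"),
            # A populated errorCode means the call was rejected: the caller
            # attempted the change but did not cause it.
            "succeeded": not ev.get("errorCode"),
        })
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    return sorted(hits, key=lambda h: h["when"])


if __name__ == "__main__":
    for hit in who_changed(SAMPLE_LOG, "StopInstance", "i-example0001"):
        print(hit)
```

Keeping rejected attempts in the result, flagged by `succeeded`, separates the caller who actually stopped the instance from one who only tried.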

Benefits

  • Quick recording: ActionTrail records the operations that you perform by using the Alibaba Cloud Management Console or APIs and the operations that Alibaba Cloud services trigger by using RAM roles. When an operation is performed, ActionTrail tracks and records the operation within 10 minutes.
  • Detailed records: ActionTrail records the detailed contextual information of your operations. You can query events corresponding to the operations performed in the last 90 days in the ActionTrail console or by calling API operations. For example, you can obtain the following information about a specific operation: the person who performed the operation, the time when the operation was performed, the object on which the operation was performed, the IP address from which the operation was performed, whether the operation was performed by using the Alibaba Cloud Management Console or APIs, the result of the operation, and the cause of failure in cases where the operation failed.
  • High stability and reliability: You can configure ActionTrail to deliver events to Log Service or OSS. Log Service and OSS are highly available and allow you to encrypt the audit data and manage access permissions on the audit data. This ensures high security of the audit data. When an event is delivered, ActionTrail sends you a notification.
  • Custom tracking: ActionTrail allows you to create up to five trails in each region to deliver events to OSS buckets or Log Service Logstores. This helps you track different types of operations that are performed in different regions and back up various types of data for organization members according to their responsibilities.
    Note: Do not deliver events that are of the same type and are generated in the same region to a single OSS bucket or Log Service Logstore.
  • Transparent O&M: ActionTrail records operations related to Alibaba Cloud services as events and stores the events in near real time. If you configure ActionTrail to deliver events to Log Service as logs, you can query and analyze logs, configure alerts, and generate reports. Backed by these transparent O&M features, ActionTrail can meet your requirements for analyzing and auditing operations related to Alibaba Cloud services.