Use ActionTrail to audit events from the last 90 days and verify compliance. The following example shows how to identify which RAM user performed an operation by querying NAT gateway events.
Example scenario
A team manager uses an Alibaba Cloud account to create multiple RAM users for team members and grants them administrator permissions.
A RAM user associates an elastic IP address (EIP) with a NAT gateway, but the gateway already has an EIP bound. Because all RAM users have administrator permissions, you cannot tell which one performed the association. Query NAT gateway events in ActionTrail to identify the responsible user.

Procedure
-
Log on to the ActionTrail console.
-
In the left-side navigation pane, choose .
-
In the top navigation bar, select the target region.
-
From the drop-down list, select Resource Name.
NoteOther available query conditions: Read/Write Type, Operator, Service Name, Event Name, Resource Type, AccessKey ID, Sensitive Operation, and Event ID. Only one condition can be applied at a time.
-
Enter the instance ID of the elastic IP address, and then click the search icon
. -
In the Actions column of the target event, click View Event Details to view the event details and record code.
NoteThe View Event Details panel shows that a RAM user associated an EIP with the NAT gateway at 13:42:03 on December 20, 2023.

References
For more information about the fields in events, see Management event structure.