All Products
Search
Document Center

ActionTrail:Query events

Last Updated:Jun 03, 2026

Use ActionTrail to audit events from the last 90 days and verify compliance. The following example shows how to identify which RAM user performed an operation by querying NAT gateway events.

Example scenario

A team manager uses an Alibaba Cloud account to create multiple RAM users for team members and grants them administrator permissions.

A RAM user associates an elastic IP address (EIP) with a NAT gateway, but the gateway already has an EIP bound. Because all RAM users have administrator permissions, you cannot tell which one performed the association. Query NAT gateway events in ActionTrail to identify the responsible user.

image.png

Procedure

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, choose Events > Event Query.

  3. In the top navigation bar, select the target region.

  4. From the drop-down list, select Resource Name.

    Note

    Other available query conditions: Read/Write Type, Operator, Service Name, Event Name, Resource Type, AccessKey ID, Sensitive Operation, and Event ID. Only one condition can be applied at a time.

  5. Enter the instance ID of the elastic IP address, and then click the search icon 1.

  6. In the Actions column of the target event, click View Event Details to view the event details and record code.

    Note

    The View Event Details panel shows that a RAM user associated an EIP with the NAT gateway at 13:42:03 on December 20, 2023.

    image.png

References

For more information about the fields in events, see Management event structure.