ActionTrail provides several ways to find event details for an access key pair. You can use the AccessKey Pair Audit feature to find information such as which cloud services were accessed and from which IP addresses. Alternatively, you can use the Event Query feature to look up detailed event records. This topic explains how to use these features to find the cloud services that an access key pair accessed and review its detailed call records.
Query cloud services accessed by an access key pair
-
You can query all cloud services that a specific access key pair has accessed since the AccessKey Pair Audit feature was launched.
-
Data latency can be up to several hours, so use caution when making changes to an access key pair based on this information.
-
Log on to the ActionTrail console.
-
In the left-side navigation pane, click AccessKey Pair Audit.
-
On the AccessKey Pair Audit page, enter an AccessKey ID and click the
icon. You can then view details about the access key pair, including the associated RAM user, the cloud services it has accessed, and the last used time.The basic information section of the query results also includes the account ID and RAM user ID. In the Accessed Cloud Services table below, each cloud service entry provides links to the Event List, IP Address List, and Resource List for further investigation.
-
As needed, review the Event List, IP Address List, and Resource List.
Query detailed call records for an access key pair
Specific events for an access key pair can be queried only for the cloud services and events that ActionTrail supports. For more information, see Cloud services and events supported by ActionTrail.
-
Log on to the ActionTrail console.
-
In the left-side navigation pane, click Event Detail Query.
-
In the top navigation bar, select the region where you want to query events.
-
On the Event Detail Query page, set the filter condition to AccessKey ID and enter the AccessKey ID.
-
Set the time range for the query and click the
icon. -
(Optional) If Advanced Event Query is enabled for your account, you can select Events > Advanced Query in the ActionTrail console to query the call records for the access key pair across all regions.
Note-
Advanced Event Query supports only certain detailed events.
-
You can use simple query mode, set the filter condition to AccessKey ID, enter the ID, select a time range, and then click Run.
-
You can also turn off simple query mode, enter the condition statement event.userIdentity.accessKeyId:*, select a time range, and then click Run.
-
Notes
ActionTrail allows you to query all cloud services accessed by an access key pair. However, specific events can be queried only for the cloud services and event types that are supported by ActionTrail. For more information, see Cloud services and events supported by ActionTrail.
If a query shows that an access key pair accessed a cloud service but the Event List, IP Address List, or Resource List is empty or shows a mismatched last access time, this means ActionTrail does not yet support that cloud service or event.
References
-
You can also enable the Advanced Event Query feature and use a system template to query event details about an access key pair. For more information, see Query events for an Alibaba Cloud account or access key pair.
-
You can also use SQL query mode and set query conditions to find events related to an access key pair. For more information, see Custom event queries.