All Products
Search
Document Center

ActionTrail:Query cloud services and call records for an access key pair

Last Updated:Jun 20, 2026

ActionTrail provides several ways to find event details for an access key pair. You can use the AccessKey Pair Audit feature to find information such as which cloud services were accessed and from which IP addresses. Alternatively, you can use the Event Query feature to look up detailed event records. This topic explains how to use these features to find the cloud services that an access key pair accessed and review its detailed call records.

Query cloud services accessed by an access key pair

Note
  • You can query all cloud services that a specific access key pair has accessed since the AccessKey Pair Audit feature was launched.

  • Data latency can be up to several hours, so use caution when making changes to an access key pair based on this information.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click AccessKey Pair Audit.

  3. On the AccessKey Pair Audit page, enter an AccessKey ID and click the 查询按钮 icon. You can then view details about the access key pair, including the associated RAM user, the cloud services it has accessed, and the last used time.

    The basic information section of the query results also includes the account ID and RAM user ID. In the Accessed Cloud Services table below, each cloud service entry provides links to the Event List, IP Address List, and Resource List for further investigation.

  4. As needed, review the Event List, IP Address List, and Resource List.

    • Query the event list

      1. In the Actions column for a cloud service, click Event List to view the events initiated by the access key pair and the last call time for each event.

      2. In the Actions column for an event, click View Details to view the details of the last recorded event.

    • Query the IP address list

      1. In the Actions column for a cloud service, click IP Address List to view the source IP addresses of the requests and the time each was last used.

      2. In the Actions column for an IP address, click View Details to view the details of the last recorded event.

    • Query the resource list

      1. In the Actions column for a cloud service, click Resource List to view the specific resources accessed by the access key pair and their last access time.

      2. In the Actions column for a resource type, click View Details to view the details of the last recorded event.

Query detailed call records for an access key pair

Note

Specific events for an access key pair can be queried only for the cloud services and events that ActionTrail supports. For more information, see Cloud services and events supported by ActionTrail.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Event Detail Query.

  3. In the top navigation bar, select the region where you want to query events.

  4. On the Event Detail Query page, set the filter condition to AccessKey ID and enter the AccessKey ID.

  5. Set the time range for the query and click the 查询按钮 icon.

  6. (Optional) If Advanced Event Query is enabled for your account, you can select Events > Advanced Query in the ActionTrail console to query the call records for the access key pair across all regions.

    Note
    • Advanced Event Query supports only certain detailed events.

    • You can use simple query mode, set the filter condition to AccessKey ID, enter the ID, select a time range, and then click Run.

    • You can also turn off simple query mode, enter the condition statement event.userIdentity.accessKeyId:*, select a time range, and then click Run.

Notes

ActionTrail allows you to query all cloud services accessed by an access key pair. However, specific events can be queried only for the cloud services and event types that are supported by ActionTrail. For more information, see Cloud services and events supported by ActionTrail.

If a query shows that an access key pair accessed a cloud service but the Event List, IP Address List, or Resource List is empty or shows a mismatched last access time, this means ActionTrail does not yet support that cloud service or event.

References