You can use the cross-account event delivery feature of ActionTrail to deliver the events of multiple Alibaba Cloud accounts to a Log Service Logstore or an Object Storage Service (OSS) bucket specified by a single Alibaba Cloud account. This helps you archive and monitor auditing data in a centralized manner.

Background information

Before you use the cross-account event delivery feature of ActionTrail, you must understand the concepts of destination account and source account that are described in the following table.

Destination account
  Description: The account to which the events from source accounts are delivered.
  Operations:
  • Create a Log Service Logstore or an OSS bucket for storing events.
  • Create a RAM role for which ActionTrail is selected as the trusted service. The ActionTrail service within source accounts must assume this role to write events to the destination account.
Source account
  Description: The account that needs to write events to the destination account.
  Operation: Use an Alibaba Cloud account to create a trail to deliver events to the Log Service Logstore or OSS bucket specified by the destination account.

If the destination and source accounts are independent Alibaba Cloud accounts that are not in the same organizational structure, you must create a single-account trail for each source account to perform cross-account event delivery. The following example shows you how to deliver events of Alibaba Cloud Account A and Alibaba Cloud Account B to Alibaba Cloud Account C.

Procedure

  1. Create a RAM role by using Alibaba Cloud Account C and grant ActionTrail the permissions to deliver events to Alibaba Cloud Account C.
    1. Log on to the RAM console by using Alibaba Cloud Account C.
    2. Create a RAM role for which ActionTrail is selected as the trusted service.
      1. In the left-side navigation pane, choose Identities > Roles.
      2. On the Roles page, click Create Role.
      3. In the Create Role wizard, select Alibaba Cloud Service as the trusted entity and click Next.
      4. Select Normal Service Role as Role Type.
      5. Enter ActionTrailDeliveryRole in the RAM Role Name field.
      6. Select ActionTrail from the Select Trusted Service drop-down list.
      7. Click OK.
    3. Attach the system policy AliyunActionTrailDeliveryPolicy to the RAM role for precise authorization.
      1. Click Input and Attach in the Actions column that corresponds to the system policy.
      2. Select System Policy for the Type parameter and enter AliyunActionTrailDeliveryPolicy in the Policy Name field.
      3. Click OK and then click Close.

      You can view the details of the AliyunActionTrailDeliveryPolicy policy attached to the ActionTrailDeliveryRole role on the Roles page. For more information, see Manage the permission policy for event delivery.

    4. In the trust policy of the RAM role, change the value of the Service field to the <Alibaba Cloud account ID>@actiontrail.aliyuncs.com format.
      For example, the ID of Alibaba Cloud Account A is 159498693825**** and that of Alibaba Cloud Account B is 123435555956****. In this case, change the value of the Service field from actiontrail.aliyuncs.com to ["159498693825****@actiontrail.aliyuncs.com","123435555956****@actiontrail.aliyuncs.com"]. This way, the ActionTrail service acting for Alibaba Cloud Account A (159498693825****) and Alibaba Cloud Account B (123435555956****) is allowed to assume the RAM role.
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "159498693825****@actiontrail.aliyuncs.com",
                          "123435555956****@actiontrail.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }

      For more information, see Edit the trust policy of a RAM role.

  2. Use Alibaba Cloud Account C to create a Log Service project or an OSS bucket.
    For more information, see Create a project and Create buckets.
    Note: For data security, we recommend that you configure server-side encryption and retention policies when you create an OSS bucket. For more information, see Server-side encryption and Configure retention policies.
  3. Use Alibaba Cloud Account A to create a single-account trail and set the delivery destination to the Log Service project or OSS bucket created in Step 2.
    1. Log on to the ActionTrail console by using Alibaba Cloud Account A.
    2. In the left-side navigation pane, click Trails.
    3. In the top navigation bar, select the region in which you want to create a single-account trail.
      Note: The region that you select becomes the home region of the trail that you want to create.
    4. On the Trails page, click Create Trail.
    5. On the Create Trail page, configure the parameters.
      • In the Basic Information section, configure the basic information about the trail.
        Note: By default, the trail delivers events in all regions. We recommend that you set Management Event to All. This way, the trail delivers all types of events that occur in all regions.
      • In the Event Delivery section, configure parameters to deliver events to Log Service, OSS, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
        • If you select Delivery to Log Service and then select Delivery to Another Account, configure the parameters that are described in the following table.
          Log Service Project ARN: Enter the region where the Log Service project resides, the ID of Alibaba Cloud Account C, and the name of the Log Service project. The name of the Log Service project created in Step 2 is used.
          RAM Role ARN of Destination Account: Enter the ID of Alibaba Cloud Account C and the name of the RAM role. The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.

        • If you select Delivery to OSS and then select Delivery to Another Account, configure the parameters that are described in the following table.
          RAM Role ARN of OSS Bucket: Enter the ID of Alibaba Cloud Account C and the name of the RAM role. The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.
          Bucket Name: Enter the name of the OSS bucket created in Step 2.
          Log File Prefix: Enter the prefix of the name of the log file where you want to store the events.
    6. Click Confirm.
  4. Use Alibaba Cloud Account B to create a single-account trail by performing the preceding steps and set the delivery destination to the Log Service project or OSS bucket created in Step 2.
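The trust policy edited in Step 1.4 decides which accounts' ActionTrail service may assume ActionTrailDeliveryRole, so it is worth checking before the source accounts create their trails. The following checker is an added example and not part of the ActionTrail documentation or product; it assumes account IDs are 16 digits and uses constructed placeholder IDs and policies.

```python
import re

# Service principal form that scopes the trust to one source account, as in the
# trust policy shown in Step 1.4; the default "actiontrail.aliyuncs.com" names no account.
SOURCE_PRINCIPAL_RE = re.compile(r"^(\d{16})@actiontrail\.aliyuncs\.com$")  # assumes 16-digit IDs
GENERIC_PRINCIPAL = "actiontrail.aliyuncs.com"


def check_trust_policy(policy, allowed_source_accounts):
    """Return findings for a RAM role trust policy; an empty list means it is OK.
    Flags: the unscoped default principal, accounts outside the allow list, Allow
    statements granting more than sts:AssumeRole, approved accounts nobody trusts."""
    findings, seen = [], set()
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {idx}: Action should be only sts:AssumeRole, got {actions}")
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else list(services)
        for svc in services:
            match = SOURCE_PRINCIPAL_RE.match(svc)
            if svc == GENERIC_PRINCIPAL:
                findings.append(f"statement {idx}: '{svc}' is not scoped to a source account")
            elif not match:
                findings.append(f"statement {idx}: unexpected principal '{svc}'")
            elif match.group(1) not in allowed_source_accounts:
                findings.append(f"statement {idx}: account {match.group(1)} is not an approved source")
            else:
                seen.add(match.group(1))
    # Approved source accounts missing from the policy would fail to deliver events.
    for missing in sorted(allowed_source_accounts - seen):
        findings.append(f"approved source account {missing} is not trusted by any statement")
    return findings


# Constructed sample data: the account IDs below are placeholders, not real accounts.
APPROVED_SOURCES = {"1594986938250001", "1234355559560002"}
GOOD_POLICY = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
               "Principal": {"Service": ["1594986938250001@actiontrail.aliyuncs.com",
                                         "1234355559560002@actiontrail.aliyuncs.com"]}}]}
# Constructed weak variant: default principal left in place and an unapproved account added.
WEAK_POLICY = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
               "Principal": {"Service": ["actiontrail.aliyuncs.com",
                                         "9999000011112222@actiontrail.aliyuncs.com"]}}]}

if __name__ == "__main__":
    print(check_trust_policy(GOOD_POLICY, APPROVED_SOURCES))  # []
    print("\n".join(check_trust_policy(WEAK_POLICY, APPROVED_SOURCES)))
```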

Results

After the trail is created, you can view the events from Alibaba Cloud Account A and Alibaba Cloud Account B in the Log Service project or OSS bucket by using Alibaba Cloud Account C.

Related operations

You can read the following topics to migrate data across Alibaba Cloud accounts: