ActionTrail:Deliver the events of multiple Alibaba Cloud accounts to one account

Last Updated:Feb 01, 2024

If you want to manage and maintain multiple Alibaba Cloud accounts, you can use the trails feature of ActionTrail to deliver the events of multiple Alibaba Cloud accounts to Simple Log Service or Object Storage Service (OSS) of one account. This way, you can archive and monitor audit data in a centralized manner. This topic describes how to deliver the events of multiple Alibaba Cloud accounts to one account.

Background information

Before you use the trails feature of ActionTrail to deliver events across accounts, you must be familiar with the concepts of a destination account and a source account. The following table describes the concepts.

Destination account
  Description: The account that receives events from the source accounts.
  Operation:
    • Create a Simple Log Service Logstore or an OSS bucket to store the events.
    • Create a Resource Access Management (RAM) role for which ActionTrail is selected as the trusted service. ActionTrail in each source account assumes this RAM role to write events to the destination account.

Source account
  Description: An account whose events are written to the destination account.
  Operation:
    • Use the source account to create a trail that delivers events to the Simple Log Service Logstore or OSS bucket created in the destination account.

If the destination and source accounts are independent Alibaba Cloud accounts that are not in the same organizational structure, you must create a single-account trail for each source account. The following example describes how to deliver events from Alibaba Cloud Account A and Alibaba Cloud Account B to Alibaba Cloud Account C.

Procedure

  1. Use Alibaba Cloud Account C to create a RAM role and grant ActionTrail the permissions to deliver events to Alibaba Cloud Account C.

    1. Log on to the RAM console by using Alibaba Cloud Account C.

    2. Create a RAM role for which ActionTrail is selected as the trusted service.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, click Create Role.

      3. In the Select Role Type step on the Create Role page, select Alibaba Cloud Service as the trusted entity and click Next.

      4. Set the Role Type parameter to Normal Service Role.

      5. Enter ActionTrailDeliveryRole in the RAM Role Name field.

      6. Select ActionTrail from the Select Trusted Service drop-down list.

      7. Click OK.

    3. Attach the AliyunActionTrailDeliveryPolicy system policy to the RAM role.

      1. Click Input and Attach in the Finish Step.

      2. Click Precise Permission on the Permissions tab. Then, select System Policy for the Type parameter and enter AliyunActionTrailDeliveryPolicy in the Policy Name field.

      3. Click OK and then click Close.

      You can view the details of the AliyunActionTrailDeliveryPolicy policy that is attached to the ActionTrailDeliveryRole role on the Roles page. For more information, see Manage the permission policy for event delivery.

    4. Modify the trust policy of the RAM role. Replace the default value of the Service field, actiontrail.aliyuncs.com, with one entry per source account in the format <source account ID>@actiontrail.aliyuncs.com. List only the accounts whose trails should write to Alibaba Cloud Account C: every ID in this field allows that account's ActionTrail to assume the role and deliver events into your audit store.

      For example, if Alibaba Cloud Account A is 159498693825**** and Alibaba Cloud Account B is 123435555956****, change actiontrail.aliyuncs.com in the Service field to "159498693825****@actiontrail.aliyuncs.com","123435555956****@actiontrail.aliyuncs.com". ActionTrail of Alibaba Cloud Account A (159498693825****) and Alibaba Cloud Account B (123435555956****) can then assume the RAM role.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "159498693825****@actiontrail.aliyuncs.com",
                          "123435555956****@actiontrail.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }

      For more information, see Edit the trust policy of a RAM role.

  2. Use Alibaba Cloud Account C to create a Simple Log Service project or an OSS bucket.

    For more information, see Manage a project and Create buckets.

    Note

    To ensure data security, we recommend that you configure server-side encryption and retention policies when you create a Simple Log Service project or an OSS bucket. For more information, see Server-side encryption and Configure retention policies.

  3. Use Alibaba Cloud Account A to create a single-account trail and set the delivery destination to the project or bucket that is created in Step 2.

    1. Use Alibaba Cloud Account A to log on to the ActionTrail console.

    2. In the left-side navigation pane, click Trails.

    3. In the top navigation bar, select the region where you want to create a single-account trail.

      Note

      The region that you select becomes the home region of the trail that you want to create.

    4. On the Trails page, click Create Trail.

    5. On the Create Trail page, configure the parameters.

      • In the Basic Information section, configure the basic information about the trail.

        Note

        By default, the trail delivers events in all regions. We recommend that you set the Management Event parameter to All. This way, the trail delivers all types of events that occur in all regions. For more information, see Create a single-account trail.

      • In the Event Delivery section, configure the parameters to deliver events to Simple Log Service, OSS, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.

        • Select Delivery to Log Service, set the Destination Account parameter to Delivery to Another Account, and then configure the following parameters.

          Project ARN
            The ARN of the project in Alibaba Cloud Account C, in the format acs:log:<region>:<Account C ID>:project/<project name>, where <region> is the region in which the project resides. In this example, use the project that is created in Step 2.

          RAM Role ARN of Destination Account
            The ARN of the RAM role created in Step 1, in the format acs:ram::<Account C ID>:role/<role name>. In this example, the role name is ActionTrailDeliveryRole.

        • Select Delivery to OSS, set the Destination Account parameter to Delivery to Another Account, and then configure the following parameters.

          RAM Role ARN of OSS Bucket
            The ARN of the RAM role created in Step 1, in the format acs:ram::<Account C ID>:role/<role name>. In this example, the role name is ActionTrailDeliveryRole.

          Bucket Name
            The name of the OSS bucket that is created in Step 2 in Alibaba Cloud Account C.

          Log File Prefix
            The prefix of the names of the log files in which the events are stored.

    6. Click Confirm.

  4. Follow the preceding steps and use Alibaba Cloud Account B to create a single-account trail and set the delivery destination to the project or bucket that is created in Step 2.
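The following Python script is an added example; it is not part of the original page and not Alibaba Cloud tooling. It covers the two pieces of this procedure that are easy to get wrong by hand: it builds the trust policy for ActionTrailDeliveryRole from a list of source account IDs (Step 1), audits a trust policy exported from the RAM console against the accounts you intended to trust, so that an account you did not expect cannot deliver events into your audit store, and composes the Project ARN and RAM Role ARN that the trails in Account A and Account B need (Step 3). The ARN formats acs:log:<region>:<account ID>:project/<project name> and acs:ram::<account ID>:role/<role name> are the standard Alibaba Cloud forms; the 16-digit account IDs, the region and the project name used in the demo are constructed, and all function names are this example's own.

```python
import json
import re

# Alibaba Cloud account IDs are 16 decimal digits; the page masks the last four.
ACCOUNT_ID_RE = re.compile(r"\d{16}")
ACTIONTRAIL_SERVICE = "actiontrail.aliyuncs.com"

# Constructed sample values for the demo (not real accounts).
SOURCE_ACCOUNTS = ["1594986938250001", "1234355559560002"]   # Account A, Account B
DEST_ACCOUNT = "1000000000000003"                            # Account C
DEST_REGION = "cn-hangzhou"


def is_account_id(value):
    """True when value looks like a full (unmasked) Alibaba Cloud account ID."""
    return isinstance(value, str) and ACCOUNT_ID_RE.fullmatch(value) is not None


def check_account_id(account_id):
    """Return account_id or raise, so a masked ID such as 159498693825**** never ends up in a policy."""
    if not is_account_id(account_id):
        raise ValueError("not a 16-digit Alibaba Cloud account ID: %r" % (account_id,))
    return account_id


def actiontrail_principal(source_account_id):
    """Service principal for ActionTrail acting on behalf of one source account."""
    return "%s@%s" % (check_account_id(source_account_id), ACTIONTRAIL_SERVICE)


def build_trust_policy(source_account_ids):
    """Trust policy for the destination role: only the listed source accounts'
    ActionTrail may call sts:AssumeRole. Duplicates are dropped, order is kept."""
    principals = []
    for account_id in source_account_ids:
        principal = actiontrail_principal(account_id)
        if principal not in principals:
            principals.append(principal)
    if not principals:
        raise ValueError("at least one source account is required")
    return {
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow",
             "Principal": {"Service": principals}}
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, expected_source_account_ids):
    """Compare who a deployed trust policy lets assume the role with who you intended.
    'extra' accounts could write into your audit store; 'missing' ones cannot deliver.
    'bare_service' flags the console default, which names no source account."""
    expected = {check_account_id(a) for a in expected_source_account_ids}
    trusted = set()
    findings = {"bare_service": False, "foreign_services": [], "extra": [], "missing": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        for svc in services:
            if svc == ACTIONTRAIL_SERVICE:
                findings["bare_service"] = True
            elif svc.endswith("@" + ACTIONTRAIL_SERVICE):
                trusted.add(svc.split("@", 1)[0])
            else:
                findings["foreign_services"].append(svc)   # some other service was trusted
    findings["extra"] = sorted(trusted - expected)
    findings["missing"] = sorted(expected - trusted)
    findings["ok"] = not (findings["bare_service"] or findings["foreign_services"]
                          or findings["extra"] or findings["missing"])
    return findings


def sls_project_arn(region, dest_account_id, project_name):
    """Project ARN entered in the trail's Delivery to Log Service settings."""
    return "acs:log:%s:%s:project/%s" % (region, check_account_id(dest_account_id), project_name)


def ram_role_arn(dest_account_id, role_name="ActionTrailDeliveryRole"):
    """ARN of the delivery role in the destination account, used for both SLS and OSS delivery."""
    return "acs:ram::%s:role/%s" % (check_account_id(dest_account_id), role_name)


if __name__ == "__main__":
    policy = build_trust_policy(SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=4))
    print(audit_trust_policy(policy, SOURCE_ACCOUNTS))
    print(sls_project_arn(DEST_REGION, DEST_ACCOUNT, "audit-logs"))
    print(ram_role_arn(DEST_ACCOUNT))
```

Paste the trust policy exported from the Roles page into audit_trust_policy before you enable the trails, and re-run it whenever a source account is added or retired; an unexpected ID in "extra" means an account you did not plan for can already write into the destination project or bucket.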

What to do next

After you create the trails, you can use Alibaba Cloud Account C to view the events of Alibaba Cloud Account A and Alibaba Cloud Account B in the Simple Log Service project or OSS bucket. For more information, see Query and analyze logs and Real-time log query.

Related operations