ActionTrail:Aggregate events across Alibaba Cloud accounts

Procedure

1. Create a RAM role by using Alibaba Cloud Account C and grant ActionTrail the permissions to deliver events to Alibaba Cloud Account C.
   1. Log on to the RAM console by using Alibaba Cloud Account C.
   2. Create a RAM role for which ActionTrail is selected as the trusted service.
      1. In the left-side navigation pane, choose Identities > Roles.
      2. On the Roles page, click Create Role.
      3. In the Create Role wizard, select Alibaba Cloud Service as the trusted entity and click Next.
      4. Select Normal Service Role as Role Type.
      5. Enter ActionTrailDeliveryRole in the RAM Role Name field.
      6. Select ActionTrail from the Select Trusted Service drop-down list.
      7. Click OK.
   3. Attach the system policy AliyunActionTrailDeliveryPolicy to the RAM role for precise authorization.
      1. Click Input and Attach in the Actions column that corresponds to the system policy.
      2. Select System Policy for the Type parameter and enter AliyunActionTrailDeliveryPolicy in the Policy Name field.
      3. Click OK and then click Close.

      You can view the details of the AliyunActionTrailDeliveryPolicy policy attached to the ActionTrailDeliveryRole role on the Roles page. For more information, see Manage the permission policy for event delivery.

   4. Change the value of the Service field to a value in the Alibaba Cloud account@actiontrail.aliyuncs.com format in the trust policy of the RAM role.
      For example, the ID of Alibaba Cloud Account A is 159498693825**** and that of Alibaba Cloud Account B is 123435555956****. In this case, change the value of the Service field from actiontrail.aliyuncs.com to ["159498693825****@actiontrail.aliyuncs.com","123435555956****@actiontrail.aliyuncs.com"]. This way, Alibaba Cloud Account A 159498693825**** and Alibaba Cloud Account B 123435555956**** allow ActionTrail to assume the RAM role.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "159498693825****@actiontrail.aliyuncs.com",
                          "123435555956****@actiontrail.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }

      For more information, see Edit the trust policy of a RAM role.

2. Use Alibaba Cloud Account C to create a Log Service project or an OSS bucket.
   For more information, see Create a project and Create buckets.

   Note For data security, we recommend that you configure server-side encryption and retention policies when you create an OSS bucket. For more information, see Server-side encryption and Configure retention policies.
3. Use Alibaba Cloud Account A to create a single-account trail and set the delivery destination to the Log Service project or OSS bucket created in Step 2.
   1. Log on to the ActionTrail console by using Alibaba Cloud Account A.
   2. In the left-side navigation pane, click Trails.
   3. In the top navigation bar, select the region in which you want to create a single-account trail.
      Note The region that you select becomes the home region of the trail that you want to create.
   4. On the Trails page, click Create Trail.
   5. On the Create Trail page, configure the parameters.
      • In the Basic Information section, configure the basic information about the trail.
        Note By default, the trail delivers events in all regions. We recommend that you set Management Event to All. This way, the trail delivers all types of events that occur in all regions.
      • In the Event Delivery section, configure parameters to deliver events to Log Service, OSS, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
        • If you select Delivery to Log Service and then select Delivery to Another Account, configure the parameters that are described in the following table.

          Parameter	Description
          Log Service Project ARN	Enter the region where the Log Service project resides, the ID of Alibaba Cloud Account C, and the name of the Log Service project. The name of the Log Service project created in Step 2 is used.
          RAM Role ARN of Destination Account	Enter the ID of Alibaba Cloud Account C and the name of the RAM role. The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.

        • If you select Delivery to OSS and then select Delivery to Another Account, configure the parameters that are described in the following table.

          Parameter	Description
          RAM Role ARN of OSS Bucket	Enter the ID of Alibaba Cloud Account C and the name of the RAM role. The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.
          Bucket Name	Enter the name of the OSS bucket created in Step 2.
          Log File Prefix	Enter the prefix of the name of the log file where you want to store the events.

   6. Click Confirm.
4. Use Alibaba Cloud Account B to create a single-account trail by performing the preceding steps and set the delivery destination to the Log Service project or OSS bucket created in Step 2.

Results

After the trail is created, you can view the events from Alibaba Cloud Account A and Alibaba Cloud Account B in the Log Service project or OSS bucket by using Alibaba Cloud Account C.

Related operations

You can read the following topics to migrate data across Alibaba Cloud accounts:

• Online data migration between OSS buckets
• Online data migration between Log Service Logstores