To audit and monitor resource operations in a service mesh, enable mesh audit and configure alerts in Simple Log Service (SLS). This enables audit alerts for changes to ASM resources, such as VirtualServices and DestinationRules. When an important resource is changed, an alert notification is promptly sent to alert contacts to ensure the security and compliance of the service mesh. This topic describes how to configure audit alerts for resource operations in a service mesh and shows how to send a text message notification to an alert contact when a virtual service is deleted.
Prerequisites
- You have activated Simple Log Service (SLS). For more information about the billing of SLS, see Billing overview.
Step 1: Enable mesh audit
After you enable mesh audit, the KubeAPI operation logs for the ASM instance are collected in SLS. These logs serve as the data source for subsequent alert configurations.
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- On the KubeAPI Operation Audit page, select Enable Mesh Audit and click OK.
The following figure shows that mesh audit is enabled.

Step 2: Add an alert recipient
In this example, alerts are sent to the built-in Service Mesh user group in SLS. You must add an account that can receive notifications to this user group.
- Ensure that the test Resource Access Management (RAM) user account has a mobile phone number that can receive text messages. For more information, see Create a user.
- Add the test RAM user to the user group.
  - Log on to the Simple Log Service console.
  - In the Project List area, click the name of the target project. In the navigation pane on the left, click Alerts.
    - If you created a new project instead of reusing an existing one when you created the mesh or enabled the audit feature, the project name is in the format mesh-log-<Mesh ID>.
    - If you reused an existing project, click the name of that project.
  - On the Alert Center page, click .
  - On the User Group Management tab, find SLS Service Mesh Built-in User Group and click Modify in the Actions column.
    The Identifier for the SLS Service Mesh Built-in User Group is sls.app.asm.builtin.
  - In the Modify User Group dialog box, add the test RAM user and click OK.
Step 3: Configure audit alerts
Configure an alert to send a text message notification when a virtual service resource is deleted.
- Log on to the Simple Log Service console.
- In the Project List area, click the name of the target project. In the navigation pane on the left, click Alerts.
- On the Alert Center page, click the Alert Rules tab, and then click Create Alert.
- In the Create Alert panel, configure the parameters and click OK.
The following table describes some of the parameters. For more information about all parameters, see Create an alert monitoring rule.
| Parameter | Description |
|---|---|
| Rule Name | Set to Delete Virtual Service. |
| Check Frequency | Set to 1 minute to quickly verify the result in this example. |
| Query and Analyze | Click Add. On the Advanced Configuration tab of the Query and Analyze dialog box, select a Logstore whose name starts with audit. Set Query Time Range to the same value as Check Frequency, 1 minute (relative), to avoid repeated alerts or false negatives. In the Query text box, enter (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: virtualservices and objectRef.apiGroup: "networking.istio.io" and ( verb: delete ). Click Preview to confirm the query, and then click OK. |
| Trigger Condition | Set to trigger an alert with a High severity level when data is found. |
| Add Annotation | You can modify the title and desc fields as needed to configure the title and content of the alert. For more information, see Content template variables (New). |
| Outputs | Select SLS Notification and turn on the Enable switch. For Action Policy, select SLS Service Mesh Built-in Action Policy (sls.app.asm.builtin). |
Step 4: Verify the audit alert
Delete a virtual service resource to verify the audit alert that you configured in Step 3.
- Create and delete a virtual service.
  - Log on to the ASM console. In the left-side navigation pane, choose .
  - On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create from YAML.
  - On the Create page, set Namespace to default and Scenario Template to Basic HTTP Routing. Then, click Create.
  - On the Virtual Services page, find the newly created reviews-route virtual service and click Delete in the Actions column. In the Confirm dialog box, click OK.
- Check whether the audit alert was successful.
  - Log on to the Simple Log Service console.
  - In the Project List area, click the name of the target project. In the navigation pane on the left, click .
  - In the Dashboard list, click Alert History Statistics to view the execution record of each alert and check whether an alert was triggered.
    The deletion of the virtual service in the previous step triggers an alert in the Alert History area.
  - In the navigation pane on the left, click Log Storage. Find and click the internal-alert-history Logstore, and then click Search & Analysis on the right side of the page.
    You can view an alert log where AlertDisplayName is Delete Virtual Service. The Fired field for this log is true.
  - Check whether the mobile phone number attached to the test account received a text message alert notification.
Related information
Details of the built-in Service Mesh action policy in SLS
| Alert Severity | Action |
|---|---|
| Critical | Voice call |
| High | Text message notification |
| Other | Email notification |
Reference for common alert condition queries
- Create, update, or delete an ASM gateway (IstioGateway)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: istiogateways and objectRef.apiGroup: "istio.alibabacloud.com" and ( verb: create or verb: delete or verb: update )
- Delete a gateway rule (Gateway)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: gateways and objectRef.apiGroup: "networking.istio.io" and ( verb: delete )
- Delete a certificate (ASMCredential)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: asmcredentials and objectRef.apiGroup: "istio.alibabacloud.com" and ( verb: delete )
- Delete a virtual service (VirtualService)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: virtualservices and objectRef.apiGroup: "networking.istio.io" and ( verb: delete )
- Delete a destination rule (DestinationRule)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: destinationrules and objectRef.apiGroup: "networking.istio.io" and ( verb: delete )
- Delete observability telemetry (Telemetry)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: telemetries and objectRef.apiGroup: "telemetry.istio.io" and ( verb: delete )
- Delete an authorization policy (AuthorizationPolicy)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: authorizationpolicies and objectRef.apiGroup: "security.istio.io" and ( verb: delete )
- Delete an Envoy filter (EnvoyFilter)
  (responseStatus.code: 200 or responseStatus.code: 201) and objectRef.resource: envoyfilters and objectRef.apiGroup: "networking.istio.io" and ( verb: delete )
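The queries in Step 3 and in the reference list above all share one shape: a successful API response (code 200 or 201), a specific objectRef.resource and objectRef.apiGroup, and one or more verbs. The following script is an added example, not part of this topic or of ASM/SLS, that encodes the same conditions as Python rules and evaluates them offline against a handful of constructed Kubernetes audit events shaped like the KubeAPI operation logs that mesh audit writes to SLS. The event records and the user name in them are constructed sample data; the rule table mirrors the queries listed above. Running it shows which rules would fire on a given one-minute window, and makes one caveat of the condition visible: a denied deletion (HTTP 403) does not satisfy the response-code clause, so these rules report completed changes rather than attempted ones.

```python
"""Evaluate the audit-alert conditions from this topic against Kubernetes audit
events, offline.  Added example; events below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRule:
    """One SLS condition of the form
    (responseStatus.code: 200 or responseStatus.code: 201)
      and objectRef.resource: <resource> and objectRef.apiGroup: "<group>"
      and ( verb: <v1> [or verb: <v2> ...] )"""
    name: str
    resource: str
    api_group: str
    verbs: frozenset


# Rule table mirroring the queries in "Reference for common alert condition queries".
RULES = [
    AuditRule("Create, update, or delete an ASM gateway", "istiogateways",
              "istio.alibabacloud.com", frozenset({"create", "update", "delete"})),
    AuditRule("Delete a gateway rule", "gateways", "networking.istio.io", frozenset({"delete"})),
    AuditRule("Delete a certificate", "asmcredentials", "istio.alibabacloud.com", frozenset({"delete"})),
    AuditRule("Delete Virtual Service", "virtualservices", "networking.istio.io", frozenset({"delete"})),
    AuditRule("Delete a destination rule", "destinationrules", "networking.istio.io", frozenset({"delete"})),
    AuditRule("Delete observability telemetry", "telemetries", "telemetry.istio.io", frozenset({"delete"})),
    AuditRule("Delete an authorization policy", "authorizationpolicies", "security.istio.io", frozenset({"delete"})),
    AuditRule("Delete an Envoy filter", "envoyfilters", "networking.istio.io", frozenset({"delete"})),
]

# The response-code clause shared by every query: only successful API calls count.
SUCCESS_CODES = {200, 201}


def rule_matches(rule, event):
    """Return True when the audit event satisfies the rule's SLS condition."""
    status = event.get("responseStatus", {}).get("code")
    ref = event.get("objectRef", {})
    return (status in SUCCESS_CODES
            and ref.get("resource") == rule.resource
            and ref.get("apiGroup") == rule.api_group
            and event.get("verb") in rule.verbs)


def fired_rules(events, rules=RULES):
    """Names of rules with at least one matching event in the check window.
    The alert in Step 3 triggers whenever the query returns any data, so one
    matching event is enough for a rule to fire."""
    return sorted({r.name for r in rules for e in events if rule_matches(r, e)})


def audit_event(verb, resource, api_group, code, name="reviews-route", user="test-ram-user"):
    """Build a minimal Kubernetes audit event carrying the fields the queries
    reference (constructed sample data, not a real log record)."""
    return {
        "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "apiGroup": api_group,
                      "namespace": "default", "name": name},
        "responseStatus": {"code": code},
    }


# A constructed one-minute window of events.
SAMPLE_EVENTS = [
    audit_event("create", "virtualservices", "networking.istio.io", 201),   # create: VS rule only watches delete
    audit_event("delete", "virtualservices", "networking.istio.io", 200),   # fires "Delete Virtual Service"
    audit_event("delete", "destinationrules", "networking.istio.io", 403),  # denied: code 403, no alert
    audit_event("update", "istiogateways", "istio.alibabacloud.com", 200,
                name="ingressgateway"),                                     # fires the ASM gateway rule
    audit_event("get", "virtualservices", "networking.istio.io", 200),      # reads never match
]

if __name__ == "__main__":
    for rule_name in fired_rules(SAMPLE_EVENTS):
        print("alert:", rule_name)
```

The script reports two alerts for the sample window, the ASM gateway update and the virtual service deletion. The denied DestinationRule deletion is silent under these conditions; if you also want to see rejected attempts, that needs a separate query on the response code rather than a change to the rules above.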
References
- To grant a RAM user read-only or management permissions for Simple Log Service alerts, see Grant permissions to a RAM user to manage alerts.
- You can configure workload identity, peer authentication, request authentication, and authorization policies in the mesh to manage mesh resources with greater granularity and improve mesh security. For more information, see Zero trust security overview.