Record, deliver, and analyze cloud resource operations with ActionTrail for security analytics, resource change tracking, and compliance auditing.
Security risks
Security compliance standards, such as MLPS 2.0, require logging all operations and retaining the logs for a specified number of days. ActionTrail records cloud operations performed by users and Alibaba Cloud services (through role assumption or user permissions) to meet compliance requirements. The logs capture abnormal operations, such as failed authentication and authorization, along with source IP addresses, credential IDs, request parameters, and other metadata. This helps you analyze abnormal behavior and detect potential malicious activities.
Best practices
Enable ActionTrail log tracking
By default, ActionTrail retains events for 90 days. Older records are purged daily. To store events beyond 90 days, create a single-account trail or a multi-account trail to deliver events to OSS or Simple Log Service (SLS) for monitoring and analysis. To only archive events, store them in OSS.
Set up event alerting
Event alerting monitors your cloud resources in real time. When a rule detects a potential security threat or non-compliant operation, it notifies users and user groups. See Set up event alerting.
Alert rule templates include predefined security rules, such as alerts for consecutive logon failures, root account logons, logons from unauthorized IP addresses, and logons outside business hours.
You can also create a custom alert rule to specify the fields and conditions to monitor.
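The four template conditions named above can be prototyped offline against exported events before you tune thresholds in the console. The following is an added example, not ActionTrail's own rule logic: the field names and the values ConsoleSignin and root-account are an assumed, simplified subset of the event JSON, and the allowlisted network, business hours, failure threshold, and error code are hypothetical.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values; tune them to your environment.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(9, 18)  # 09:00-17:59, compared in UTC here
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

def ev(time, user, ip, kind="ram-user", error=""):
    """Build a constructed event; field names are an assumed, simplified subset."""
    return {"eventName": "ConsoleSignin", "eventTime": time, "sourceIpAddress": ip,
            "userIdentity": {"type": kind, "userName": user}, "errorCode": error}

# Constructed sample data; "ExampleLogonFailure" is a placeholder error code.
SAMPLE = [
    ev("2024-05-06T10:00:00Z", "bob", "203.0.113.7", error="ExampleLogonFailure"),
    ev("2024-05-06T10:01:00Z", "bob", "203.0.113.7", error="ExampleLogonFailure"),
    ev("2024-05-06T10:02:00Z", "bob", "203.0.113.7", error="ExampleLogonFailure"),
    ev("2024-05-06T11:00:00Z", "alice", "203.0.113.10"),
    ev("2024-05-06T12:00:00Z", "root", "203.0.113.10", kind="root-account"),
    ev("2024-05-06T14:00:00Z", "alice", "198.51.100.20"),
    ev("2024-05-06T23:30:00Z", "carol", "203.0.113.11"),
]

def evaluate(events):
    """Return (rule, user, eventTime) tuples for every rule an event trips."""
    alerts, fails = [], defaultdict(list)  # fails: user -> recent failure times
    for e in sorted(events, key=lambda x: x["eventTime"]):
        if e.get("eventName") != "ConsoleSignin":
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = e["userIdentity"].get("userName", "unknown")
        if e.get("errorCode"):
            # Keep only failures inside the window, then add this one.
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:
                alerts.append(("consecutive_logon_failures", user, e["eventTime"]))
            continue
        fails[user].clear()  # a successful logon breaks the failure run
        if e["userIdentity"].get("type") == "root-account":
            alerts.append(("root_logon", user, e["eventTime"]))
        ip = ipaddress.ip_address(e["sourceIpAddress"])
        if not any(ip in net for net in ALLOWED_NETS):
            alerts.append(("unauthorized_ip", user, e["eventTime"]))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("outside_business_hours", user, e["eventTime"]))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```

Failed logons count only toward the consecutive-failure rule in this sketch, and a successful logon resets the counter for that user.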
Analyze logs with Insights
Insights uses mathematical models to analyze key operations for deviations from historical call patterns, such as a significant increase in an API call rate. When a major deviation is detected, Insights generates an Insights event to help you identify cloud management risks. Detectable event types include risky API calls, API errors, IP requests, AccessKey calls, permission changes, password changes, and anomalous trail events. See Overview of Insights events.