The command audit feature of Workbench allows you to check whether historical commands meet security requirements after you use Workbench to connect to an Elastic Compute Service (ECS) instance and run commands on the instance. The feature helps you detect abnormal operations and risk events. It also records information about each command, such as the command syntax and the execution time, which facilitates subsequent analysis and auditing. This topic describes how to use the command audit feature of Workbench.
Procedure
Grant the required permissions to view the list of command lines that you want to audit.
Create a custom policy. For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.
Sample custom policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs-workbench:ListTerminalCommands",
      "Resource": "*"
    }
  ]
}
Attach the custom policy to a Resource Access Management (RAM) user. For more information, see Grant permissions to a RAM user.
View the list of command lines that you want to audit and the command line content.
Use the ECS console
Connect to an ECS instance by using Workbench.
For more information, see Connect to an instance by using Workbench.
In the top navigation bar of Workbench, choose .
In the command audit list, click View in the Actions column to view the details of the commands, logon user, and execution paths.
Call an API operation
You can call the ListTerminalCommands operation to view the list of commands that were run on all ECS instances in a specific region.
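Before you attach a policy to an auditor's RAM user, you can check that it grants the audit action and nothing more. The following is an added example, not part of the original topic or of any Alibaba Cloud tool. The function name, the simplified wildcard matching, and the BROAD policy are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

AUDIT_ACTION = "ecs-workbench:ListTerminalCommands"  # action from the sample policy

def as_list(value):
    """RAM policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def review_audit_policy(policy_text):
    """Return (grants_audit, findings) for a RAM policy document.

    Simplified evaluation (assumption): Action patterns are matched with
    shell-style wildcards; Condition and NotAction are flagged, not evaluated.
    """
    policy = json.loads(policy_text)
    allowed, denied, findings = False, False, []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = as_list(stmt.get("Action", []))
        matches = any(fnmatchcase(AUDIT_ACTION, pat) for pat in actions)
        if stmt.get("Effect") == "Deny":
            denied = denied or matches
            continue
        allowed = allowed or matches
        for pat in actions:
            if pat != AUDIT_ACTION:
                kind = "wildcard" if "*" in pat else "extra"
                findings.append(f"statement {i}: {kind} action {pat!r} exceeds audit-only access")
        if "Condition" in stmt or "NotAction" in stmt:
            findings.append(f"statement {i}: Condition/NotAction present, review manually")
    if denied:
        findings.append("an explicit Deny matches the audit action and overrides any Allow")
    return allowed and not denied, findings

# The sample policy from this topic, and a constructed over-broad variant.
SAMPLE = ('{"Version": "1", "Statement": [{"Effect": "Allow", '
          '"Action": "ecs-workbench:ListTerminalCommands", "Resource": "*"}]}')
BROAD = ('{"Version": "1", "Statement": [{"Effect": "Allow", '
         '"Action": ["ecs-workbench:*", "ecs:DescribeInstances"], "Resource": "*"}]}')

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("broad", BROAD)):
        ok, notes = review_audit_policy(doc)
        print(f"{name}: grants audit action = {ok}")
        for note in notes:
            print("  -", note)
```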