
Elastic Compute Service:Use ActionTrail to record and analyze cloud operations

Last Updated:Nov 10, 2025

ActionTrail is an Alibaba Cloud service that you can use to query and deliver operation records for the resources in your Alibaba Cloud account. You can use it for security analytics, resource change tracking, and compliance auditing.

Security risk

Security compliance standards, such as MLPS 2.0, require that operations and changes are logged and that the logs are retained for a specified number of days. ActionTrail records the cloud operations performed by users and by Alibaba Cloud services (through role assumption or delegated user permissions), which satisfies this requirement. Each record also carries the metadata needed to investigate abnormal operations: the source IP address of the request, the identity and cloud credential (for example, the AccessKey ID) that issued it, the request parameters, and the outcome, including failed authentication and authorization attempts. This information helps you analyze abnormal behavior and detect potential malicious activity.

Best practices

1. Enable ActionTrail log tracking

By default, ActionTrail retains events for the last 90 days only; if you do not deliver them elsewhere, the oldest records are purged daily. To retain events beyond 90 days, create a single-account trail or a multi-account trail. A trail continuously delivers events to Object Storage Service (OSS) or Simple Log Service (SLS), where they are available for long-term monitoring and analysis. If you only need to archive the events, deliver them to OSS.

2. Set up ActionTrail event alerting

The event alerting feature of ActionTrail monitors operations on your cloud resources in real time. When an alert rule matches a potential security threat or a non-compliant operation, ActionTrail sends a notification to the configured users and user groups through the selected notification methods, so that you can respond quickly. For more information, see Set up event alerting.

You can create alert rules from templates. The templates include many predefined security-related alert rules, such as alerts for consecutive logon failures, consecutive logons by the root account, logons from IP addresses that are not on your allow-list, and logons outside of business hours.

You can also create custom alert rules and specify the fields and alert conditions to monitor. For more information, see Create a custom alert rule.
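The following is an added example, not code from the ActionTrail documentation, that shows what the template rules above amount to when applied to delivered event records. It reads newline-delimited JSON events of the kind a trail delivers to SLS or OSS, and raises alerts for consecutive logon failures, root account logons, logons from IP addresses outside an allow-list, and logons outside business hours. The sample records are constructed; the field names (eventType, eventTime, sourceIpAddress, userIdentity, errorCode) follow the ActionTrail event schema, but the identity type values, the failure threshold, the allow-list and the business-hours window are assumptions for illustration, not ActionTrail defaults.

```python
"""Rule-based alerting over ActionTrail event records (added example).

Sample events are constructed for illustration and are not real account data.
The thresholds, allow-list and business-hours window are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample events, one JSON object per line, as a trail would deliver them.
SAMPLE_EVENTS = """\
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T01:10:00Z","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice","accountId":"123456789012"},"errorCode":"InvalidPassword"}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T01:10:30Z","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice","accountId":"123456789012"},"errorCode":"InvalidPassword"}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T01:11:00Z","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice","accountId":"123456789012"}}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T01:12:00Z","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice","accountId":"123456789012"},"errorCode":"InvalidPassword"}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T01:12:30Z","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice","accountId":"123456789012"},"errorCode":"InvalidPassword"}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T01:13:00Z","sourceIpAddress":"203.0.113.7","userIdentity":{"type":"ram-user","userName":"alice","accountId":"123456789012"},"errorCode":"InvalidPassword"}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T02:00:00Z","sourceIpAddress":"198.51.100.9","userIdentity":{"type":"ram-user","userName":"bob","accountId":"123456789012"}}
{"eventName":"CreateInstance","eventType":"ApiCall","eventTime":"2025-11-10T02:05:00Z","sourceIpAddress":"198.51.100.9","userIdentity":{"type":"ram-user","userName":"bob","accountId":"123456789012"},"serviceName":"Ecs"}
{"eventName":"ConsoleSignin","eventType":"ConsoleSignin","eventTime":"2025-11-10T12:00:00Z","sourceIpAddress":"203.0.113.8","userIdentity":{"type":"root-account","userName":"root","accountId":"123456789012"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON records and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["eventTime"])
    return events


def detect(events, allowed_cidrs, business_hours_utc=(1, 10), failure_threshold=3):
    """Apply the four logon rules and return the alerts in event order.

    business_hours_utc is (start_hour, end_hour) in UTC; (1, 10) is an
    assumed 09:00-18:00 UTC+8 workday. Weekends are treated as off-hours.
    """
    allowed = [ip_network(c) for c in allowed_cidrs]
    start_hour, end_hour = business_hours_utc
    failures = defaultdict(int)  # consecutive failed logons per user
    alerts = []

    def alert(rule, event, detail):
        alerts.append({"rule": rule, "user": event["userIdentity"].get("userName"),
                       "time": event["eventTime"], "ip": event.get("sourceIpAddress"),
                       "detail": detail})

    for e in events:
        if e.get("eventType") != "ConsoleSignin":  # API calls are not logon events
            continue
        user = e["userIdentity"].get("userName")
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ip_address(e["sourceIpAddress"])
        failed = "errorCode" in e  # a failed logon carries an error code

        # Rule 1: N consecutive failures; a successful logon resets the counter.
        if failed:
            failures[user] += 1
            if failures[user] == failure_threshold:
                alert("consecutive_logon_failures", e,
                      f"{failure_threshold} consecutive failures, last error {e['errorCode']}")
        else:
            failures[user] = 0

        # Rule 2: logon attempt from an IP address outside the allow-list.
        if not any(ip in net for net in allowed):
            alert("unauthorized_ip", e, "source IP is not on the allow-list")

        # Rule 3: successful logon with the root account.
        if e["userIdentity"].get("type") == "root-account" and not failed:
            alert("root_logon", e, "root account console logon")

        # Rule 4: logon outside business hours or on a weekend.
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            alert("outside_business_hours", e, f"logon at {ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS), ["203.0.113.0/24"]):
        print(a)
```

On the sample data, alice's first two failures are cleared by her successful logon, so only the later run of three fires; bob's logon fires on the IP rule alone; the root logon at 12:00 UTC fires both the root and off-hours rules. Counting failures only until the threshold is reached, and resetting on success, is what keeps a single brute-force burst from producing one alert per attempt.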

3. Use Insights for intelligent log analysis

Insights is an analysis feature that builds statistical models of how key operations have been called in the past. It compares current activity against that history and, when it finds a significant deviation, such as a sharp increase in the call rate of an API, generates an Insights event. This helps you promptly identify management risks on the cloud and take remedial action. Insights can detect risky API call events, API error events, IP request events, AccessKey call events, permission change events, password change events, and anomalous trail events. For more information, see Overview of Insights events.
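To make the "deviation from historical call pattern" idea concrete, the following added example (not code from ActionTrail or its documentation) runs a simple baseline comparison over hourly call counts per API. Each hour is compared with the median of the preceding 24 hours, and an event is raised when the count exceeds a multiple of that baseline and a minimum floor. The hourly counts are constructed for illustration, and the window size, ratio and floor are assumptions; ActionTrail's own Insights models are not described on this page.

```python
"""Baseline-deviation detection of API call rates (added example).

The hourly counts are constructed for illustration; the baseline window,
ratio and floor are assumptions, not ActionTrail Insights parameters.
"""
from statistics import median


def build_series():
    """Constructed hourly call counts per API over 48 hours (not real data)."""
    delete_calls = [1, 0, 2, 1] * 12        # quiet write API, about one call per hour
    delete_calls[44] = 38                    # burst of deletions in hour 44
    describe_calls = [50, 52, 48, 51] * 12   # busy but steady read API
    describe_calls[30] = 70                  # ordinary fluctuation, must not fire
    return {"DeleteInstance": delete_calls, "DescribeInstances": describe_calls}


def rate_deviations(series, baseline_hours=24, ratio=5.0, min_calls=10):
    """Return one record per (api, hour) whose call count is far above its baseline.

    The baseline is the median of the preceding baseline_hours, so a single
    earlier spike does not inflate it. min_calls stops near-zero baselines from
    turning a handful of calls into an event.
    """
    insights = []
    for api, counts in series.items():
        for hour in range(baseline_hours, len(counts)):
            window = counts[hour - baseline_hours:hour]
            baseline = median(window)
            threshold = max(min_calls, ratio * baseline)
            if counts[hour] > threshold:
                insights.append({"eventName": api, "hour": hour, "calls": counts[hour],
                                 "baseline": baseline, "threshold": threshold})
    return insights


if __name__ == "__main__":
    for insight in rate_deviations(build_series()):
        print(insight)
```

Using the median rather than the mean for the baseline means the burst in hour 44 does not raise the threshold for hours 45 to 47, so a second burst would still be caught; the ratio test rather than an absolute threshold is what lets the same rule cover a rarely used API and a busy one without separate tuning.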