ActionTrail lets you track and record the operations performed on your Alibaba Cloud account for the last 90 days. To retain audit data beyond this period and run SQL-based analysis, create a trail that delivers events to MaxCompute.
How it works
Create a trail in the ActionTrail console. The trail defines which events to capture and where to deliver them.
ActionTrail automatically stores events in the actiontrail_<Alibaba Cloud account ID> project in MaxCompute.
Events are stored in JSON format in the actiontrail_<trail name> table.
Prerequisites
Before you begin, make sure that you have:
Activated MaxCompute and DataWorks. See Activate MaxCompute and DataWorks.
(RAM users only) Permissions to manage single-account trails. See Grant permissions to a RAM user.
Create a trail and deliver events to MaxCompute
Step 1: Create a trail
Log on to the ActionTrail console.
In the navigation pane, click Trails. In the top-left corner, select a region.
Trails are classified as single-account trails, multi-account trails, or Inner-ActionTrail trails based on their creator, scope, and content. For details, see Overview of trails.
On the Trails page, click Create Trail.
On the Quickly Create Trail page, click Create Trail in the message box below the title.
When you create a trail, ActionTrail automatically creates a service-linked role named AliyunServiceRoleForActionTrail and adds it as the Admin role to the destination MaxCompute project. For details, see ActionTrail service-linked role and Role planning.
Step 2: Configure trail settings
In the Basic Information section, enter a Trail Name and select a Trail Event Type.
Single-account trails: suitable for individual users.
Multi-account trails: suitable for enterprise users.
Trail names must be unique within an Alibaba Cloud account.
Step 3: Configure delivery to MaxCompute
In the Management Event Delivery Settings section, select Delivery to MaxCompute.
Deliver to the current account
Set Destination Account to Delivery to Current Account and configure the following parameters:
| Parameter | Description |
|---|---|
| MaxCompute Region | The region where the destination MaxCompute project is located. ActionTrail delivers audit events to the actiontrail_<Alibaba Cloud account ID> project in the selected region. If a project with the same name already exists, events are delivered to that existing project. |
| Project Quota | The quota for MaxCompute. When creating a trail to deliver events to MaxCompute for the first time, select a quota. If no quota is available in the current region, select a different MaxCompute region. |
Deliver to another account
Set Destination Account to Delivery to Another Account and configure the following parameters:
| Parameter | Description |
|---|---|
| Project ARN | The Alibaba Cloud Resource Name (ARN) of the destination MaxCompute project. |
| RAM Role ARN of MaxCompute | The ARN of the Resource Access Management (RAM) role that grants ActionTrail permissions to deliver events. |
Before you configure cross-account delivery, create a RAM role in the destination account and create the MaxCompute project in advance. See Deliver events from multiple Alibaba Cloud accounts to the same account.
Step 4: Confirm and verify
Click Confirm to create the trail.
After the trail is created, events are stored in JSON format in the actiontrail_<trail name> table of the actiontrail_<Alibaba Cloud account ID> project in MaxCompute.
Billing
Delivering ActionTrail events to MaxCompute incurs two types of charges:
| Charge type | When it applies | Details |
|---|---|---|
| Storage fees | Continuously, after delivery starts | Charged for storing event data in MaxCompute. See Storage fees. |
| Compute fees | Each time you run SQL queries | Charged for querying the delivered data. See Billable items and billing methods. |
Next steps
Query audit data: Connect to MaxCompute and run SQL queries against the actiontrail_<trail_name> table. See Select a connection tool.
Update a trail: Modify trail parameters as needed. See Update a single-account trail or Update a multi-account trail.
Disable a trail: Stop delivering events while retaining the trail configuration. See Disable a single-account trail or Disable a multi-account trail.
Delete a trail: Permanently remove a trail. See Delete a single-account trail or Delete a multi-account trail.
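The following query illustrates the "Query audit data" step. It is an added example, not part of the ActionTrail documentation, and it summarizes failed API calls by caller and source IP address. The trail name audit, the JSON column name event, and the start date are assumptions made for illustration; the JSON paths use field names from the ActionTrail event structure.

```sql
-- Added example, not from the ActionTrail documentation.
-- Assumptions (hypothetical names):
--   * the trail is named "audit", so the table is actiontrail_audit
--   * each row holds one event as a JSON string in a column named event
-- Run "DESC actiontrail_audit;" first and adjust the names to the real schema.

-- Failed API calls grouped by caller, source IP address, and API.
-- A high failure count for one identity or address usually points to
-- misconfigured automation or to calls made without sufficient permissions.
SELECT  user_name,
        source_ip,
        service_name,
        event_name,
        error_code,
        COUNT(*)        AS failures,
        MIN(event_time) AS first_seen,
        MAX(event_time) AS last_seen
FROM (
    -- Extract the fields of interest from the JSON event once.
    SELECT  GET_JSON_OBJECT(event, '$.userIdentity.userName') AS user_name,
            GET_JSON_OBJECT(event, '$.sourceIpAddress')       AS source_ip,
            GET_JSON_OBJECT(event, '$.serviceName')           AS service_name,
            GET_JSON_OBJECT(event, '$.eventName')             AS event_name,
            GET_JSON_OBJECT(event, '$.errorCode')             AS error_code,
            GET_JSON_OBJECT(event, '$.eventTime')             AS event_time
    FROM    actiontrail_audit
) t
-- Keep only events that carry an error code.
WHERE   error_code IS NOT NULL
  AND   error_code <> ''
  -- Constructed start date; ISO 8601 UTC timestamps compare correctly as strings.
  AND   event_time >= '2024-01-01T00:00:00Z'
GROUP BY user_name, source_ip, service_name, event_name, error_code
ORDER BY failures DESC
LIMIT 100;
```

Each run of this query is billed as a compute fee, as described in the Billing section.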