All Products
Search
Document Center

ActionTrail:Create a multi-account trail

最終更新日:Apr 10, 2024

A multi-account trail delivers the events of all members in a resource directory to a Simple Log Service Logstore, an Object Storage Service (OSS) bucket, or a MaxCompute table. This topic describes how to create a multi-account trail in the ActionTrail console.

Prerequisites

A resource directory is enabled. For more information, see Enable a resource directory.

Background information

Procedure

  1. Log on to the ActionTrail console by using a delegated administrator account or a management account.

    For more information about how to configure a delegated administrator account, see Manage a delegated administrator account.

  2. In the left-side navigation pane, click Trails.

  3. In the top navigation bar, select the region in which you want to create a multi-account trail.

    Note

    The region that you select becomes the home region of the trail that you want to create.

  4. On the Trails page, click Create Trail.

  5. On the Create Trail page, configure the parameters.

    • Basic Information

      Parameter

      Description

      Trail Name

      The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account. The name is used for the Logstore in which you want to store the delivered events. Specify the name in the actiontrail_<Trail name> format.

      Log Events

      The category of the event that you want to deliver. By default, Management Event is selected. The system delivers management events that record management operations on cloud resources.

      You can select the type of management event that you want to deliver. Valid values:

      • All: all read and write events. Auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you select All.

      • Write: the events that record the operations to create, delete, or modify cloud resources. Example: the events that are generated when you call the CreateInstance operation to create a subscription or pay-as-you-go Elastic Compute Service (ECS) instance. If you need to export events only for analysis and focus only on the events that affect cloud resources, select Write.

      • Read: the events that record the operations to read information about cloud resources, rather than to create, delete, or modify cloud resources. Example: the events that are generated when you call the DescribeInstances operation to query the details of one or more ECS instances. In most cases, a large number of read events are generated, and these events occupy a large storage space. However, auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you configure a trail to deliver both read and write events. This helps you track the use of AccessKey pairs and access to cloud resources.

      Note

      By default, when you create a trail in the ActionTrail console, the trail delivers events in all regions. To create a trail that delivers events in specific regions, call the CreateTrail operation. Set TrailRegion based on your business requirements when you call the operation, s.

      Apply Trail to All Members

      The application scope of the trail. Valid values:

      • Yes: If you select this option, the trail delivers the events of the management account and all members in the resource directory to a storage service. In this case, a multi-account trail is created. To ensure that all events are delivered, we recommend that you select this option.

      • No: If you select this option, the trail delivers only the events of the current account to a storage service. In this case, a single-account trail is created.

      Note
      • You cannot modify this parameter after you configure the parameter. If you need to change the value of the Apply Trail to All Members parameter, delete the multi-account trail and create another one.

      • After you create a multi-account trail, Multi-account Trail is displayed in the Trail Type column on the Trails page.

    • Event Delivery

      You can create a trail to deliver events to Simple Log Service, OSS, MaxCompute, or all these services. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.

      Note

      The trail delivers only the events that are generated after the multi-account trail takes effect. The events that are generated in the last 90 days are excluded. You can create a data backfill task to deliver the events that are generated in the last 90 days to the delivery destination that you specify for the trail at a time. For more information, see Create a data backfill task.

      • Select Delivery to Log Service.

        • If you select Delivery to Current Account, configure the parameters that are described in the following table.

          Parameter

          Description

          Project

          The project to which you want to deliver events.

          • New Project

          • Existing Project

          Logstore Region

          The region where the Logstore resides.

          Project Name

          The name of the project.

          Note

          The project name is shared by all Alibaba Cloud users and must be unique.

          • If you select New Log Service Project, the system automatically creates a project. You must specify a name for the project. The system also automatically creates a Logstore for the project.

          • If you select Existing Log Service Project, you must select an existing project from the Project Name drop-down list.

          Note

          After you create a trail to deliver events to Simple Log Service, a Logstore whose name is in the actiontrail_<Trail name> format is automatically created and optimally configured for subsequent auditing. Indexes and a dashboard are created for the Logstore to facilitate event queries. You cannot manually write data to the Logstore. This ensures data accuracy. You do not need to create a Logstore in advance.

        • If you select Delivery to Another Account, configure the Project ARN and RAM Role ARN of Destination Account parameters.

          To deliver events to a different account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create a project before you create the trail. For more information, see Deliver the events of multiple members in a resource directory to one account.

      • Select Delivery to OSS.

        • If you select Delivery to Current Account, configure the parameters that are described in the following table.

          Parameter

          Description

          OSS Bucket

          The bucket to which you want to deliver events.

          • New OSS Bucket

          • Existing OSS Bucket

          Bucket Name

          The name of the OSS bucket. The bucket name must be unique within the current Alibaba Cloud account.

          • If you select New OSS Bucket, you must enter an OSS bucket name. ActionTrail creates an OSS bucket with the name that you enter.

          • If you select Existing OSS Bucket, you must select an existing bucket from the Bucket Name drop-down list.

          Important

          You must complete real-name registration on the Real-name Registration page before you create a bucket in a region within the Chinese mainland.

          Log File Prefix

          The prefix of the names of the log files in which the delivered events are stored. The prefix helps you find the events in subsequent operations.

          Server Encryption

          Specifies whether and how to encrypt the log files in the OSS bucket. If you select New OSS Bucket, you must configure this parameter. Valid values:

          • Disable

          • Fully Managed by OSS

          • KMS

          Note

          For more information about the server-side encryption feature of OSS, see Server-side encryption.

          Retention Policy

          Specifies whether to configure a retention policy for OSS buckets to protect your data from being deleted or modified.

          Valid values:

          • Disable

          • Enable

        • If you select Delivery to Another Account, configure the RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix parameters.

          To deliver events to another account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create an OSS bucket before you create the trail. For more information, see Deliver the events of multiple members in a resource directory to one account.

      • Select Delivery to MaxCompute.

        • If you select Delivery to Current Account, configure the parameters that are described in the following table.

          Parameter

          Description

          MaxCompute Region

          The region of the MaxCompute project to which you want to deliver events.

          Note

          ActionTrail delivers audit logs to the actiontrail_<Alibaba Cloud account ID> project in the specified region. The names and IDs of MaxCompute projects are unique. If the actiontrail_<Alibaba Cloud account ID> project exists in the current account, ActionTrail delivers audit logs to the existing project by default.

          Project Quota

          The quota provided for computing jobs.

          Note

          When you create a trail to deliver events to MaxCompute for the first time, you must select a quota. If no quota is available in the current region, select another region.

        • If you select Delivery to Another Account, configure the Project ARN and RAM Role ARN of MaxCompute parameters.

          To deliver events to a different account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create a MaxCompute project before you create the trail. For more information, see Deliver the events of multiple Alibaba Cloud accounts to one account.

  6. Click Confirm.

What to do next

After you create a multi-account trail, the trail delivers events to a Simple Log Service Logstore, an OSS bucket, or a MaxCompute table that you specify in the JSON format for query and analysis. You can query the events that are stored in the Simple Log Service Logstore, OSS bucket, or MaxCompute table by using the management account.

Note

You can use the management account to query the events of members in the resource directory only in OSS, Simple Log Service, or MaxCompute. You cannot use the management account to query the events on the Event Detail Query page of the ActionTrail console or by calling the LookupEvents operation.

  • Query events in the Simple Log Service console: ActionTrail automatically creates a Logstore whose name is in the actiontrail_<Trail name> format. On the Trails page, move the pointer over SLS or SLS & OSS in the Storage Service column and click the name of the Logstore.

  • Query events in the OSS console: Global events that are generated within members are delivered together with the events that are generated in the home region of the trail. Non-global events that are generated for the resources in a specific region are delivered to the corresponding storage paths with the specific region ID. You can analyze the events by using E-MapReduce (EMR) or a third-party log analysis service.

    Alternatively, on the Trails page, move the pointer over OSS or SLS & OSS in the Storage Service column and click the name of the OSS bucket. Then choose Files > Objects. For more information about storage paths in OSS, see What is the storage path of an event that is delivered to an OSS bucket?

  • Query events in the MaxCompute console: ActionTrail automatically creates a table named actiontrail_<Trail name>. On the Trails page, move the pointer over the content shown in the Storage Service column and click the MaxCompute project name. Query the log data of the actiontrail_<Trail name> table in the MaxCompute project by using DataWorks.

References