ActionTrail:How do I query Alibaba Cloud services that are accessed by using an AccessKey pair and the call records of the AccessKey pair?

Query Alibaba Cloud services that are accessed by using an AccessKey pair

1. Log on to the ActionTrail console.

2. In the left-side navigation pane, click AccessKey Pair Audit.

3. On the AccessKey Pair Audit page, enter the AccessKey ID that you want to query and click the icon to query information about the AccessKey pair. The information includes the Resource Access Management (RAM) user to which the AccessKey pair belongs, the Alibaba Cloud services that are accessed by using the AccessKey pair, and the time when the AccessKey pair was last called.

   

4. Perform the following operations based on your business requirements:

   • Query events

     1. Find the required Alibaba Cloud service and click Event List in the Actions column to query the events that are generated for the Alibaba Cloud service and the time when each event was last accessed.

     2. Find the event that you want to view and click View Details in the Actions column to view the details of the event.

   • Query IP addresses

     1. Find the required Alibaba Cloud service and click IP Address List in the Actions column to query the source IP addresses of requests and the time when a request was last sent from each IP address.

     2. Find the IP address that you want to view and click View Details in the Actions column to view the details of the event that was last generated.

   • Query resources

     1. Find the required Alibaba Cloud service and click Resource List in the Actions column to query accessed resources and the time when each resource was last accessed.

     2. Find the type of the resource that you want to view and click View Details in the Actions column to view the details of the event that was last generated for the resource.

Query the call records of an AccessKey pair

1. Log on to the ActionTrail console.

2. In the left-side navigation pane, click Event Detail Query.

3. In the top navigation bar, select the region of the event that you want to query from the drop-down list.

4. On the Event Detail Query page, select AccessKey ID as the query condition and enter the AccessKey ID.

5. Specify a time range and click the icon.

6. Optional. If the advanced event query feature is enabled for your Alibaba Cloud account, choose Events > Advanced Event Query in the ActionTrail console to query the call records of the AccessKey pair in all regions.

   Note

   • The advanced event query feature allows you to query only specific events.

   • You can query the call records of an AccessKey pair in simple query mode. In this case, enter the AccessKey ID that you want to query in the AccessKey ID field, specify a time range, and then click Run.

   • You can turn off the simple query mode, enter the event.userIdentity.accessKeyId:* conditional clause, specify a time range, and then click Run.

Additional information

You can query all Alibaba Cloud services that are accessed by using an AccessKey pair. You can query only events that are supported by ActionTrail. For more information, see Services that work with ActionTrail.

If the results of your query show that an Alibaba Cloud service is accessed by using an AccessKey pair but no information about the access is displayed in the event list, IP address list, or resource list or the time when the Alibaba Cloud service last was accessed does not match the actual access time, ActionTrail does not support the Alibaba Cloud service or event.

References

• You can enable the advanced event query feature and use a system template to query the details of events related to an AccessKey pair. For more information, see Query events of an Alibaba Cloud account or an AccessKey pair.

• You can configure query conditions to query events related to an AccessKey pair in SQL query mode. For more information, see Perform custom event queries.