
ActionTrail: Monitor RAM user creation

Last Updated: Feb 14, 2026

This tutorial shows you how to use ActionTrail and Simple Log Service (SLS) to create an alert that sends a notification whenever a new Resource Access Management (RAM) user is created in your account.

Overview

Monitoring the creation of new RAM users is a critical security practice. Unauthorized user creation can lead to security breaches and data leakage. By creating an alert for RAM user creation events, you can ensure that your security team is immediately notified of such activities, allowing for a swift response.

Prerequisites

Simple Log Service (SLS) is activated. If you have not used SLS before, log on to the SLS console and follow the prompts to activate the service.

Important

Using SLS for this tutorial incurs costs for data storage, queries, and notifications. For details, see SLS billing overview.

Step 1: Create a trail to deliver events

Create an ActionTrail trail that delivers events to an SLS Logstore.

When you create the trail, ensure it is configured as follows:

  • For the Read/Write Type of management events, All is selected.

  • Delivery to Simple Log Service is selected, and a destination SLS project is specified.

For complete instructions, see Create a single-account trail or Create a multi-account trail.

Step 2: Create the alert rule

Create a custom alert rule that triggers when a RAM user is created.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. On the Alert Rules tab, click Create Alert.

  4. In the Create Alert panel, configure the alert rule with the following settings:

    Parameter

    Description

    Query Statistics

    • Select the Logstore associated with your trail from the Logstore dropdown list. The Logstore name is in the format actiontrail_.

    • Enter the following query statement to find RAM user creation events:

      (event.serviceName:Ram or event.serviceName:Ims) and event.eventName:CreateUser
      | SELECT
        "event.userIdentity.principalId" as operator,
        "event.resourceName" as user,
        date_format(__time__, '%Y-%m-%d %H:%i:%s') as time

      Note

      This query searches for CreateUser events from the RAM and IMS services. The SELECT statement extracts key information (the operator who performed the action, the name of the new user, and the time) and aliases them as new fields (operator, user, and time) that can be used in notification templates.

    Trigger Condition

    • Set the trigger condition to Data is returned. This means the alert will trigger whenever the query returns one or more results.

    • Set the Severity for the alert (such as Medium).

    Destination and Alert Policy

    Configure the notification destination and action policy:

    1. In the Destination section, click Simple Log Service Notification and enable the notification toggle.

    2. In the Alert Policy section, select a mode (such as Standard Mode).

    3. From the Action Policy dropdown list, choose the policy that defines your notification logic:

      • For basic notifications, you can select a default policy.

      • To apply custom routing, select the action policy you created in the optional steps.

  5. Click OK.

Step 3: Configure advanced notification settings (Optional)

For more advanced control over how you receive notifications, you can create custom contacts, notification templates, and action policies.

Create contacts and contact groups

You can create contacts to receive notifications via channels like email or SMS, and organize them into groups.

  1. To create a contact:

    1. Navigate to Alerts > Notification Objects > User Management and click Create.

    2. In the Create User dialog box, enter the user's details and click OK.

  2. To create a contact group:

    1. Navigate to Alerts > Notification Objects > User Group Management and click Create.

    2. In the Add User Group dialog box, enter an ID and name, select the users to add to the group, and click OK.

Create notification templates

You can create custom templates to control the format and content of notifications. The following example shows a template that formats the alert for a CreateUser event.

  1. Navigate to Notification Management > Alert Template and click Create.

  2. In the Add Alert Template dialog box, enter an ID and name for the template. For a channel like SMS, you can add the following content:

    Account: {{ alert.aliuid }}
    Alert: {{ alert.alert_name }}
    Severity: {{ alert.severity | format_severity }}
    {% for result in alert.fire_results %}
    A new user {{ result.user }} was created by {{ result.operator }} at {{ result.time }}.
    {% endfor %}

    Note

    This template uses variables like {{ alert.alert_name }} to include dynamic data. The {% for %} loop iterates over the query results to extract the custom fields (operator, user, and time) defined in the alert rule's query. For a full list of variables, see Syntax for new alert templates.

  3. Click Confirm.

Create action policies

Action policies provide advanced routing and throttling for notifications. For example, you can use them to send high-severity alerts to one contact group and low-severity alerts to another.

  1. Navigate to Notification Management > Action Policy and click Create.

  2. In the Add Action Policy dialog box, enter an ID and name.

  3. Configure the policy logic by adding Condition and Action Group nodes. For example, create a condition that matches alerts with a specific name, and then create an action group to send a notification to a specific contact group using your custom template.

  4. Click Confirm.

Step 4: Verify the alert rule

  1. Log on to the RAM console and create a test RAM user.

  2. Within a few minutes, you should receive a notification on your configured channel. If you used the example template, the notification will look similar to this:

    [Alibaba Cloud] Simple Log Service alert: One alert in total. Alert details:
    Account: 159498693826****
    Alert: alert-for-ram-user-creation
    Severity: Medium
    A new user test-user@example.onaliyun.com was created by 27723316148169**** at 2023-07-14 17:31:00.
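
The filter and projection from the Step 2 query, and the layout of the Step 3 template, re-implemented in plain Python so the rule logic can be checked offline against sample records. This is an added example, not Alibaba Cloud code: the records are constructed (the first reuses the masked values from the sample notification above), the function names are hypothetical, and UTC timestamps and exact string matching are assumptions.

```python
from datetime import datetime, timezone

# Constructed records shaped like flattened ActionTrail events in the Logstore.
# The first reuses the masked values from the sample notification above.
SAMPLE_EVENTS = [
    {"__time__": 1689355860, "event.serviceName": "Ram", "event.eventName": "CreateUser",
     "event.userIdentity.principalId": "27723316148169****",
     "event.resourceName": "test-user@example.onaliyun.com"},
    {"__time__": 1689355920, "event.serviceName": "Ims", "event.eventName": "CreateUser",
     "event.userIdentity.principalId": "operator-b", "event.resourceName": "svc-user"},
    {"__time__": 1689355980, "event.serviceName": "Ram", "event.eventName": "DeleteUser",
     "event.userIdentity.principalId": "operator-b", "event.resourceName": "old-user"},
    {"__time__": 1689356040, "event.serviceName": "Ecs", "event.eventName": "RunInstances",
     "event.userIdentity.principalId": "operator-c", "event.resourceName": "i-constructed"},
]

def matches(event):
    """Search part: (serviceName Ram or Ims) and eventName CreateUser."""
    return (event.get("event.serviceName") in ("Ram", "Ims")
            and event.get("event.eventName") == "CreateUser")

def project(event):
    """SELECT part: alias the three fields the notification template reads."""
    ts = datetime.fromtimestamp(event["__time__"], tz=timezone.utc)  # UTC is an assumption
    return {"operator": event.get("event.userIdentity.principalId"),
            "user": event.get("event.resourceName"),
            "time": ts.strftime("%Y-%m-%d %H:%M:%S")}

def run_rule(events):
    """Rows the query would return; the alert fires when this list is non-empty."""
    return [project(e) for e in events if matches(e)]

def render(alert, rows):
    """Plain-Python stand-in for the template's fields and its for loop."""
    lines = [f"Account: {alert['aliuid']}", f"Alert: {alert['alert_name']}",
             f"Severity: {alert['severity_text']}"]
    lines += [f"A new user {r['user']} was created by {r['operator']} at {r['time']}."
              for r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    rows = run_rule(SAMPLE_EVENTS)
    # Severity text is passed in directly; format_severity is not reimplemented here.
    alert = {"aliuid": "159498693826****", "alert_name": "alert-for-ram-user-creation",
             "severity_text": "Medium"}
    print(render(alert, rows) if rows else "no rows: alert does not fire")
```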

FAQ

A RAM user cannot create a trail or an alert rule. What permissions are needed?

To manage ActionTrail resources, a RAM user needs the appropriate permissions. You can grant access by attaching the AliyunActionTrailFullAccess system policy. For more information, see Grant permissions to a RAM user.