This topic describes how to use the trail and alerting features of ActionTrail to monitor the creation of Resource Access Management (RAM) users and send alert notifications by text message.
Scenarios
As enterprises undergo digital transformation and cloud account usage becomes widespread, managing cloud account security is increasingly important. Creating accounts without authorization can expose sensitive information. These accounts can also be used for illegal activities, such as network attacks, fraud, and unfair competition. This can cause significant losses for businesses and individuals. This topic shows you how to use the trail and alerting features of ActionTrail to monitor the creation of RAM users and send alerts by text message.
Prerequisites
Make sure that you have activated Simple Log Service. If you are using Simple Log Service for the first time, log on to the Simple Log Service console and follow the on-screen instructions to activate the service. For more information, see What is Simple Log Service?.
Using Simple Log Service incurs fees for services such as log storage and text message notifications. For more information about the pricing details, see Billing overview.
Step 1: Create a trail
Create a trail that meets the following conditions:
Trail Region: All regions.
Trail event type: All management events.
The trail delivers both read and write events.
The trail delivers events to Simple Log Service (SLS).
For more information, see Create a single-account trail or Create a multi-account trail.
Step 2: Select the Logstore for the trail
Log on to the ActionTrail console.
In the navigation pane on the left, click Advanced Event Query. On the page that appears, for Query Range, select the trail that you created in Step 1: Create a trail.
In the left navigation pane, click Event Alerting.
In Alert Center, select Alert Rules.
Select the Logstore for the trail. The name of the Logstore is in the format `actiontrail_<Trail name>`.

Step 3: Configure a custom alert
Create an alert rule
Log on to the ActionTrail console.
In the left navigation pane, click Event Alerting.
On the Alert Rules tab, click Create Alert and follow the prompts to configure the rule.
Note the following parameters. Configure other parameters as needed.
Configuration Item: Query Statistics
Requirement:
Set the Logstore to be the same as the destination SLS Logstore for the trail created in Step 1. The name is in the format `actiontrail_<Trail name>`.
Set the query statement to:
```
(event.serviceName:Ram or event.serviceName:Ims) and event.eventName:CreateUser | SELECT "event.userIdentity.principalId" as operator, "event.resourceName" as user, date_format(__time__, '%Y-%m-%d %H:%i:%s') as time
```
Note: The preceding statement queries for RAM user creation events, using the event.serviceName field to specify the Alibaba Cloud service and the event.eventName field to specify the operation. The SELECT statement retrieves information from the event, such as the operator, the created account, and the operation time, to include in the alert notification. For more information about the Alibaba Cloud services and operations that ActionTrail supports, see Supported Alibaba Cloud services.
For the definition of the ActionTrail management event structure, see Management event structure.
For more information about the SLS query syntax, see Query syntax and functions.
Configuration Item: Trigger Condition
Requirement: Set Trigger Condition to "Data is available".
Set Alert Severity as needed.
Click OK.
Create an alert content template
In the left navigation pane, click Event Alerting.
On the Alert Center page, choose Notification Policy > Content Template.
On the Content Template management page, click Create and configure the content template.
Set the content template type to Text Message and set the content to the following:
```
Alibaba Cloud User: {{ alert.aliuid }}
Alert Rule Name: {{ alert.alert_name }}
Alert Severity: {{ alert.severity | format_severity }}
{% for result in alert.fire_results %}
Operator: {{ result.operator }} created RAM user: {{ result.user }} at {{ result.time }}
{% endfor %}
```
Note: In the content template, {{ parameter_name }} references a template variable. The {% for result in alert.fire_results %} statement iterates through all query results. Use {{ result.parameter_name }} to retrieve a specific parameter from the event. For more information about content template parameters and syntax, see Content template syntax (new version).
Click Confirm.
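To see what the query and the content template above produce together, the following Python script is an added example (not part of this page or of the ActionTrail product): it applies the same filter and SELECT projection to constructed sample log entries and renders the text-message template. The field names follow the query above; the sample values and the UTC time formatting are assumptions.

```python
"""Offline emulation of the alert rule on this page: the query
(event.serviceName:Ram or event.serviceName:Ims) and event.eventName:CreateUser
with its SELECT projection, followed by the text-message template rendering.
Example code written for this page; the events below are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample of SLS log entries (one JSON object per line). ActionTrail
# flattens management events into fields such as "event.serviceName"; the
# IDs and user names here are made up.
SAMPLE_LOG_LINES = """
{"__time__": 1689325695, "event.serviceName": "Ram", "event.eventName": "CreateUser", "event.userIdentity.principalId": "27723316148169****", "event.resourceName": "test-create-a***@actiontrail-test.onaliyun.com"}
{"__time__": 1689325700, "event.serviceName": "Ram", "event.eventName": "GetUser", "event.userIdentity.principalId": "27723316148169****", "event.resourceName": "test-create-a***@actiontrail-test.onaliyun.com"}
{"__time__": 1689327060, "event.serviceName": "Ims", "event.eventName": "CreateUser", "event.userIdentity.principalId": "27723316148169****", "event.resourceName": "test-create-u***@actiontrail-test.onaliyun.com"}
{"__time__": 1689327100, "event.serviceName": "Ecs", "event.eventName": "CreateInstance", "event.userIdentity.principalId": "27723316148169****", "event.resourceName": "i-example"}
""".strip().splitlines()


def matches_rule(event):
    """Search part of the query: RAM or IMS service and the CreateUser operation."""
    return (event.get("event.serviceName") in ("Ram", "Ims")
            and event.get("event.eventName") == "CreateUser")


def project(event):
    """SELECT part: operator, user and formatted time, as the template expects.
    SLS date_format uses %i for minutes; Python strftime uses %M. UTC is assumed."""
    ts = datetime.fromtimestamp(int(event["__time__"]), tz=timezone.utc)
    return {"operator": event.get("event.userIdentity.principalId", ""),
            "user": event.get("event.resourceName", ""),
            "time": ts.strftime("%Y-%m-%d %H:%M:%S")}


def fire_results(log_lines):
    """Rows the rule returns; any row satisfies the 'Data is available' trigger."""
    return [project(e) for e in map(json.loads, log_lines) if matches_rule(e)]


def render_sms(results, aliuid="159498693826****",
               alert_name="Monitor RAM User Creation", severity="Medium"):
    """Render the text-message content template from the page as one SMS line."""
    lines = [f"Alibaba Cloud User: {aliuid}",
             f"Alert Rule Name: {alert_name}",
             f"Alert Severity: {severity}"]
    lines += [f"Operator: {r['operator']} created RAM user: {r['user']} at {r['time']}"
              for r in results]
    return " ".join(lines)


if __name__ == "__main__":
    print(render_sms(fire_results(SAMPLE_LOG_LINES)))
```

Only the two CreateUser rows fire; the GetUser and ECS events are dropped by the search part of the query.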
Create an alert notification recipient
In the left navigation pane, click Event Alerting.
On the Alert Center page, choose Notification Recipient > User Management.
On the User Management page, click Create. In the Add User panel, enter the required information.
Phone Number: The mobile phone number that receives alert notifications.
Enable: This must be enabled to receive alerts.
Click the Confirm button.
Create an action policy
In the left navigation pane, click Event Alerting.
On the Alert Center page, go to Notification Policy > Action Policy.
On the Action Policy page, click Create. In the Add Action Policy panel, enter the required information.
In the first action list, configure the condition and action group.
Configuration Item: Condition Settings
Requirement: Click the icon. In the Condition dialog box, select the monitoring rule that you created in Create an alert rule.
Configuration Item: Action Group
Requirement:
Set Channel to Text Message.
Set Recipient to the user created in Create an alert notification recipient.
Click Confirm.
Enable the alert and associate the action policy
In the left navigation pane, click Event Alerting.
On the Alert Center page, click the Alert Rules tab.
Find the rule you created in the Create an alert rule step and click Edit in the Actions column. In the Alerting and Monitoring Rule settings panel, enable alerting and associate an action policy.
Configuration Item: Output Destination
Requirement: Switch to SLS Notification.
Configuration Item: Enable
Requirement: The status of the monitoring rule. Switch this to the enabled state.
Configuration Item: Alert Policy
Requirement:
Policy Type: Select Standard Mode.
Action Policy: Select the action policy that you created in Create an action policy.
Click Confirm.
Step 4: Verify the alert rule
Log on to the RAM console and create a RAM user.
Check the received text message. The following is a sample notification:
[Alibaba Cloud] Simple Log Service Alert: 1 alert in total. Details: Alibaba Cloud User: 159498693826**** Alert Rule Name: Monitor RAM User Creation Alert Severity: Medium Operator: 27723316148169**** created RAM user: test-create-a***@actiontrail-test.onaliyun.com at 2023-07-14 17:08:15 Operator: 27723316148169**** created RAM user: test-create-u***@actiontrail-test.onaliyun.com at 2023-07-14 17:31:00
FAQ
A RAM user receives a 'no permission' error when creating a trail in the ActionTrail console.
If you use a RAM user to perform this configuration, you must grant the RAM user the required permissions to access and manage ActionTrail. For more information, see Grant permissions to a RAM user.