ActionTrail records the operations performed on your Alibaba Cloud resources as events that you can query. You can use these events to troubleshoot issues and perform security analysis for your enterprise. The events are also important classified data of your enterprise because they reflect how your enterprise manages IT resources in the cloud. For security reasons, you must protect these events from tampering and unauthorized access when you store and use them. To ensure the integrity of auditing and the security of events, you must adopt the necessary security protection measures and regulations. This topic describes some such measures and regulations; you can adopt them based on your business requirements.
Complete auditing and security analysis based on trails
Expected result | Solution | Description | Related topic |
---|---|---|---|
Events can be retained for a longer period of time. The ActionTrail console can record only events that were generated in the last 90 days. However, Multi-Level Protection Scheme (MLPS) 2.0 requires that an enterprise retain events that were generated in the last 180 days or even earlier. | Create a trail. | ActionTrail records only the events that were generated in the last 90 days in the ActionTrail console. If you do not deliver the events to a storage service, the oldest events are cleared as time goes on. If you need to retain events for more than 90 days, you must create a trail. You can create a trail to deliver events to Object Storage Service (OSS) for long-term storage, or to Log Service for monitoring and analysis. If you need only to archive and store events, we recommend that you deliver them to OSS. | |
Events from all regions are recorded to meet the requirements of national regulations and industry standards. | Create a trail that delivers all types of events from all regions. | To obtain all events of an Alibaba Cloud account, we recommend that you create a trail in the ActionTrail console. This way, events in all regions are recorded. When new Alibaba Cloud regions become available, the trail automatically delivers events from these regions, and you do not need to modify the configuration. To meet compliance requirements, both read and write events must be recorded. When you create a trail, we recommend that you set the Event Type parameter to All Events. | |
Events from all regions are recorded to meet the requirements of national regulations and industry standards. | Deliver events to OSS or Log Service. | You can create a trail to deliver events to OSS or Log Service. | |
Security protection regulations for events
Expected result | Solution | Description | Related topic |
---|---|---|---|
Events are encrypted when they are delivered to OSS. This ensures the security of the events. | Implement server-side encryption by using KMS-managed keys (SSE-KMS). | By default, if you create a trail to deliver events to OSS, server-side encryption by using OSS-managed keys (SSE-OSS) is implemented. If you need to use encryption keys that you can manage directly, you can implement SSE-KMS. You can perform the following operations: | |
Events are encrypted when they are delivered to Log Service. This ensures the security of the events. | Encrypt destination Logstores by using KMS-managed keys or service keys of Log Service. | If you create a trail to deliver events to Log Service, ActionTrail automatically creates a Logstore named in the format actiontrail_<Trail name>. You can encrypt the Logstore by using a KMS-managed key or the service key that Log Service generates for the Logstore. | Encrypt data |
The events cannot be modified or deleted when they are stored in OSS or Log Service. This ensures the reliability of the events. | Configure a retention policy for OSS objects to meet the compliance requirements. | If you create a trail to deliver events to OSS, you must configure a retention policy for OSS objects. For example, when you create a time-based retention policy, you can configure a protection period during which users are not allowed to modify or delete events. Note: Events that are stored in Log Service cannot be deleted or modified, so you do not need to configure a retention policy for them. | Retention policy |
The access permissions on events are strictly managed. | Grant the access permissions on OSS or Log Service based on the principle of least privilege. | Before you create a trail to deliver events to OSS or Log Service by using your Alibaba Cloud account or as a RAM user, make sure that the account or RAM user has the permissions to access OSS or Log Service. In addition, you must grant the relevant employees read permissions on the events. We recommend that you grant permissions based on the principle of least privilege. This prevents service instances from being deleted or tampered with because of improper authorization, and prevents unauthorized employees from accessing events. | |
The permissions of ActionTrail administrators are strictly managed. | Grant the permissions of ActionTrail administrators only to the employees who need them. | After the AliyunActionTrailFullAccess policy is attached to a RAM user, the RAM user is granted the permissions of ActionTrail administrators and can modify or delete a trail. If a trail is modified or deleted, the delivery, tracking, and auditing of events are all affected. Therefore, we recommend that you attach this policy only to the RAM users who need it. | |
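The following script, added here as an example and not code from Alibaba Cloud or ActionTrail, checks exported trail and OSS bucket settings against the recommendations in both tables above (all regions, all event types, a delivery destination, SSE-KMS, and a locked retention policy of at least 180 days). The dictionary field names (Status, TrailRegion, EventRW, OssBucketName, SlsProjectArn, SSEAlgorithm, KMSMasterKeyID, State, RetentionPeriodInDays) are assumptions modelled on the DescribeTrails, GetBucketEncryption and GetBucketWorm API responses, and the sample dictionaries are constructed; verify the names against the current API reference before wiring the script to live API calls.

```python
# Offline compliance check for the ActionTrail recommendations on this page.
# Added example, not Alibaba Cloud's code. Field names are an assumption based
# on the DescribeTrails / GetBucketEncryption / GetBucketWorm responses.
MIN_RETENTION_DAYS = 180  # MLPS 2.0 retention requirement cited on this page


def check_trail(trail):
    """Return a list of findings for one trail dict (DescribeTrails-shaped)."""
    findings = []
    if trail.get("Status") != "Enable":
        findings.append("trail is disabled: events are not being delivered")
    if trail.get("TrailRegion") != "All":
        findings.append("trail does not cover all regions (TrailRegion != All)")
    if trail.get("EventRW") != "All":
        findings.append("trail does not record both read and write events")
    if not trail.get("OssBucketName") and not trail.get("SlsProjectArn"):
        findings.append("no OSS or Log Service destination: events expire after 90 days")
    return findings


def check_oss_bucket(encryption, worm):
    """Return findings for the destination bucket.

    encryption: GetBucketEncryption-shaped dict (SSEAlgorithm, KMSMasterKeyID).
    worm: GetBucketWorm-shaped dict (State, RetentionPeriodInDays); {} if none.
    """
    findings = []
    algo = encryption.get("SSEAlgorithm")
    if algo != "KMS":
        findings.append(f"bucket uses {algo or 'no'} encryption instead of SSE-KMS")
    if worm.get("State") != "Locked":
        findings.append("no locked retention policy: events can be modified or deleted")
    elif worm.get("RetentionPeriodInDays", 0) < MIN_RETENTION_DAYS:
        findings.append(f"retention period shorter than {MIN_RETENTION_DAYS} days")
    return findings


# Constructed samples (not real account data); "<your-cmk-id>" is a placeholder.
GOOD_TRAIL = {"Name": "audit-all", "Status": "Enable", "TrailRegion": "All",
              "EventRW": "All", "OssBucketName": "audit-bucket-example", "SlsProjectArn": ""}
WEAK_TRAIL = {"Name": "legacy", "Status": "Enable", "TrailRegion": "cn-hangzhou",
              "EventRW": "Write", "OssBucketName": "", "SlsProjectArn": ""}
GOOD_BUCKET = ({"SSEAlgorithm": "KMS", "KMSMasterKeyID": "<your-cmk-id>"},
               {"State": "Locked", "RetentionPeriodInDays": 365})
WEAK_BUCKET = ({"SSEAlgorithm": "AES256"}, {})  # SSE-OSS default, no retention policy

if __name__ == "__main__":
    for trail in (GOOD_TRAIL, WEAK_TRAIL):
        print(trail["Name"], check_trail(trail) or ["compliant"])
    print("good bucket", check_oss_bucket(*GOOD_BUCKET) or ["compliant"])
    print("weak bucket", check_oss_bucket(*WEAK_BUCKET))
```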