ActionTrail: Use ActionTrail to monitor the use of AccessKey pairs

Last Updated: Dec 11, 2024

An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID identifies a user, and the AccessKey secret is used to verify the identity of the user. If an AccessKey pair is disclosed, your resources are at risk. ActionTrail helps you monitor AccessKey pair-related events so that you can respond quickly to abnormal use of AccessKey pairs.

Prerequisites

Simple Log Service is activated. For more information, see Activate Simple Log Service.

Note

You are not charged for activating Simple Log Service. If ActionTrail delivers audit events to Simple Log Service, you are charged for querying and analyzing data in Simple Log Service. For more information about billing in Simple Log Service, see Billing overview.

Background information

You can use ActionTrail to query AccessKey pair-related events. You can also deliver events to Simple Log Service and configure alert rules to monitor the use of AccessKey pairs.

  • Query AccessKey pair-related events that are generated in the last 90 days: On the Event Query page of the ActionTrail console, select AccessKey ID from the drop-down list to query AccessKey pair-related events that are generated in the last 90 days. For more information, see Query events in the ActionTrail console.

  • Query AccessKey pair-related events that are generated more than 90 days ago: Perform the steps described in this topic to query AccessKey pair-related events that are generated more than 90 days ago and to configure alert rules that monitor the use of AccessKey pairs.

Step 1: Create a trail

This section describes how to create a single-account trail to deliver events to Simple Log Service.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. In the top navigation bar, select the region where you want to create a single-account trail.

    Note

    The region that you select becomes the home region of the trail that you want to create.

  4. On the Trails page, click Create Trail.

  5. On the Create Trail page, configure the parameters.

    • In the Basic Information section, configure the basic information about the trail.

      Parameter        | Description
      -----------------|------------
      Trail Name       | The name of the trail. The name must be unique within your Alibaba Cloud account.
      Trail Event Type | The default value is Management Event.

    • In the Management Event Delivery Settings section, perform the following operations:

      • Select All for Read/Write Type.

      • Select Delivery to Simple Log Service.

      • Select Delivery to Current Account for Destination Account.

      • Select New Project for Project. Then, configure Logstore Region and Project Name.

  6. Click Confirm.

Step 2: Query events and configure an alert rule to monitor the use of AccessKey pairs in Simple Log Service

  1. In the ActionTrail console, click Trails.

  2. Find the required trail, move the pointer over SLS or OSS&SLS in the Storage Service column, and then click the name of the Logstore.

  3. In the upper-right corner of the page that appears, click Last 15 Minutes and specify a time range.

  4. In the search box, enter a query statement in the following format. Then, click Search & Analyze.

       event.userIdentity.accessKeyId: "<YourAccessKeyId>" | select count(1) as use_ak_<YourAccessKeyId>

    Note

    Replace <YourAccessKeyId> with your AccessKey ID.

  5. Click Save as Saved Search or Save as Alert.

    • Save as Saved Search: In the upper-right corner of the page, click the Save as Saved Search icon. Then, configure Saved Search Name and click OK.

      Note

      After you save the query statement as a saved search, you can select the saved search in the Simple Log Service console to perform a quick query operation.

      For more information, see Saved search.

    • Save as Alert: In the upper-right corner of the page, click the Save as Alert icon. In the Alert Monitoring Rule panel, configure the parameters and click OK.

      For more information, see Configure an alert rule.

      Note

      After you configure the alert rule, you receive an alert notification when the alert is triggered. For example, Simple Log Service checks the use of your AccessKey ID every 5 minutes based on the alert rule. If your AccessKey ID was used in the last 5 minutes, Simple Log Service generates an alert.
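
The alert rule described above counts events for one AccessKey ID in each 5-minute check. The following Python code is an added example, not part of the original documentation or Alibaba Cloud's own code: it applies the same check to log records exported from the Logstore and also breaks the matches down by source IP address and event name. Only event.userIdentity.accessKeyId comes from this topic; the other field names (eventTime, eventName, sourceIpAddress), the AccessKey IDs, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

def parse_time(value):
    """Parse a UTC timestamp such as 2024-12-11T08:01:10Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def make_record(when, name, ip, ak):
    """Build one constructed log line (field names other than accessKeyId are assumed)."""
    event = {"eventTime": when, "eventName": name, "sourceIpAddress": ip,
             "userIdentity": {"accessKeyId": ak}}
    return json.dumps({"event": event})

# Constructed sample input: two keys, one stale event, one record without
# an AccessKey ID, and one malformed line.
SAMPLE_LOGS = [
    make_record("2024-12-11T08:01:10Z", "DescribeInstances", "192.0.2.10", "LTAI_EXAMPLE_A"),
    make_record("2024-12-11T08:03:45Z", "CreateUser", "198.51.100.7", "LTAI_EXAMPLE_A"),
    make_record("2024-12-11T08:02:00Z", "DescribeInstances", "192.0.2.10", "LTAI_EXAMPLE_B"),
    make_record("2024-12-11T07:50:00Z", "DescribeInstances", "192.0.2.10", "LTAI_EXAMPLE_A"),
    '{"event": {"eventTime": "2024-12-11T08:04:00Z", "eventName": "ConsoleSignin"}}',
    "not json",
]

def check_ak_use(log_lines, access_key_id, window_end, minutes=5):
    """Count events for one AccessKey ID in the `minutes` before window_end."""
    window_start = window_end - timedelta(minutes=minutes)
    count, sources, actions = 0, Counter(), Counter()
    for line in log_lines:
        try:
            event = json.loads(line)["event"]
            when = parse_time(event["eventTime"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        identity = event.get("userIdentity")
        # Records without an AccessKey ID never match the monitored key.
        ak = identity.get("accessKeyId") if isinstance(identity, dict) else None
        if ak != access_key_id or not (window_start < when <= window_end):
            continue
        count += 1
        sources[event.get("sourceIpAddress", "unknown")] += 1
        actions[event.get("eventName", "unknown")] += 1
    # As in the alert rule, any use of the key inside the window triggers.
    return {"count": count, "alert": count > 0,
            "sources": dict(sources), "actions": dict(actions)}

if __name__ == "__main__":
    end = parse_time("2024-12-11T08:05:00Z")
    print(check_ak_use(SAMPLE_LOGS, "LTAI_EXAMPLE_A", end))
```

A key that appears from more than one source IP address within a single window, as LTAI_EXAMPLE_A does in the sample, is worth reviewing even when each call on its own looks routine.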

What to do next

You can manage saved searches and alert rules in the Simple Log Service console.