Basic tutorial on using ActionTrail to monitor AccessKeys - ActionTrail

An AccessKey includes an AccessKey ID and an AccessKey secret. They are used to identify and authenticate a user. A leaked AccessKey threatens the security of your resources. ActionTrail helps you monitor AccessKey-related events so you can respond quickly to abnormal usage.

Prerequisites

Simple Log Service is activated. For more information, see Activate Simple Log Service.

Note

Activating Simple Log Service (SLS) is free of charge. However, you are charged when ActionTrail delivers audit events to SLS and you use its query and analysis features. For more information about billing, see Billing overview.

Background information

You can use ActionTrail to query AccessKey-related events. You can also deliver events to Simple Log Service and set alerts to monitor AccessKey usage.

To query AccessKey-related events from the last 90 days, on the Event Query page of the ActionTrail console, set the filter condition to AccessKey ID. For more information, see Query events in the ActionTrail console.
Query AccessKey-related events older than 90 days: Follow the steps in this topic to query events older than 90 days and set alerts.

Step 1: Create a trail

This section uses a single-account trail as an example to show how to create a trail and deliver events to Simple Log Service (SLS).

Log on to the ActionTrail console.
In the navigation pane on the left, click Trail.
In the top navigation bar, select the region where you want to create a single-account trail.
Note
This region becomes the home region for the single-account trail.
On the Trails page, click Create Trail.
On the Create Trail page, set the trail parameters.
- In the Basic Information area, you can set the log event.
  Parameter
  Description
  Trail Name
  The name of the trail. The name must be unique within your Alibaba Cloud account.
  Trail Event Type
  Default: Management Event.
- In the Management Event Delivery area:
  - Set Read/Write Type to All Events.
  - Select Deliver management events to Simple Log Service.
  - Set Destination Account to Deliver to Current Account.
  - For Project, select Create Project. Then, select a Logstore Region and enter a Project Name.
Click Confirm.

Step 2: Query events and set alerts in Simple Log Service

In the ActionTrail console, click Trails.
Find the target trail. In the Storage Service column, hover over SLS or SLS&OSS and click the Logstore name.
In the upper-right corner of the page, click Last 15 Minutes to set the query time range.
In the search box, enter the query statement: event.userIdentity.accessKeyId: "<YourAccessKeyId>" | select count(1) as use_ak_<YourAccessKeyId> and click Search/Analyze.
Note
Replace <YourAccessKeyId> with your AccessKey ID.
Save an event As a Saved Search or As an Alert.
- Save as Saved Search: In the upper-right corner, click the icon, enter a Saved Search Name, and click OK.
  Note
  After you save the query as a saved search, you can select it directly in the Simple Log Service console.
  For more information, see Saved search.
- Save as Alert: Click the icon in the upper-right corner. In the Alerting Rule panel, set the parameters and click OK.
  For more information, see Set an alert.
  Note
  After you save the query as an alert, you will receive a notification when the alert is triggered. For example, after you set the alert as described, an alert is triggered if the accessKeyId is used within a 5-minute period.

Results

You can manage the created saved searches and alerts in the Simple Log Service console.

Parameter	Description
Trail Name	The name of the trail. The name must be unique within your Alibaba Cloud account.
Trail Event Type	Default: Management Event.