Deliver the events of multiple Alibaba Cloud accounts to one account - ActionTrail

If you want to manage and maintain multiple Alibaba Cloud accounts, you can create trails in ActionTrail to deliver the events of multiple Alibaba Cloud accounts to Simple Log Service, Object Storage Service (OSS), or MaxCompute of one account. This way, you can archive and monitor audit data in a centralized manner. This topic describes how to deliver the events of multiple Alibaba Cloud accounts to one account.

Background Information

Before you create trails in ActionTrail to deliver events across accounts, you must be familiar with the concepts of a destination account and a source account. The following table describes the concepts.

Account	Description	Operation
Destination account	The account that is used to receive events from source accounts.	Create a storage space to store events, such as a Simple Log Service Logstore, an OSS bucket, or a MaxCompute table. Create a Resource Access Management (RAM) role for which ActionTrail is selected as the trusted service. ActionTrail of source accounts must assume the RAM role to write events to the destination account.
Source account	The account whose events are written to the destination account.	Use an Alibaba Cloud account to create a trail to deliver events to the storage space that you created in the destination account.

If the destination and source accounts are independent Alibaba Cloud accounts that are not in the same organizational structure, you must create a single-account trail for each source account. The following example describes how to deliver events from Alibaba Cloud Account A and Alibaba Cloud Account B to Alibaba Cloud Account C.

Procedure

Use Alibaba Cloud Account C to create a RAM role and grant ActionTrail the permissions to deliver events to Alibaba Cloud Account C.
1. Log on to the RAM console by using Alibaba Cloud Account C.
2. Create a RAM role for which ActionTrail is selected as the trusted service.
  1. In the left-side navigation pane, choose Identities > Roles.
  2. On the Roles page, click Create Role.
  3. In the Select Role Type step on the Create Role page, select Alibaba Cloud Service as the trusted entity and click Next.
  4. Set the Role Type parameter to Normal Service Role.
  5. Enter ActionTrailDeliveryRole in the RAM Role Name field.
  6. Select ActionTrail from the Select Trusted Service drop-down list.
  7. Click OK.
3. Attach the AliyunActionTrailDeliveryPolicy system policy to the RAM role.
  1. Click Input and Attach in the Finish Step.
  2. Click Precise Permission on the Permissions tab. Then, select System Policy for the Type parameter and enter AliyunActionTrailDeliveryPolicy in the Policy Name field.
  3. Click OK and then click Close.
  You can view the details of the AliyunActionTrailDeliveryPolicy policy that is attached to the ActionTrailDeliveryRole role on the Roles page. For more information, see Manage the permission policy for event delivery.
4. Modify the trust policy of the RAM role. Change the value of the Service field to a value in the Alibaba Cloud account@actiontrail.aliyuncs.com format.
  For example, if Alibaba Cloud Account A is 159498693825**** and Alibaba Cloud Account B is 123435555956****, you must change actiontrail.aliyuncs.com in the Service field to "159498693825****@actiontrail.aliyuncs.com","123435555956****@actiontrail.aliyuncs.com". Then, ActionTrail of Alibaba Cloud Account A 159498693825**** and Alibaba Cloud Account B 123435555956**** can assume the RAM role.
```
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "159498693825****@actiontrail.aliyuncs.com",
                    "123435555956****@actiontrail.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
```
  For more information, see Edit the trust policy of a RAM role.
Use Alibaba Cloud Account C to create a Simple Log Service project, an OSS bucket, or a MaxCompute project.
For more information, see Manage a project, Create buckets, and Creates a MaxCompute project.
Note
The name of the MaxCompute project must start with actiontrail_.
To ensure data security, we recommend that you configure server-side encryption and retention policies when you create an OSS bucket. For more information, see Server-side encryption and Configure retention policies.

Use Alibaba Cloud Account A to create a single-account trail and set the delivery destination to the Simple Log Service project, OSS bucket, or MaxCompute project that is created in Step 2.

Use Alibaba Cloud Account A to log on to the ActionTrail console.
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region where you want to create a single-account trail.
Note
The region that you select becomes the home region of the trail that you want to create.
On the Trails page, click Create Trail.

On the Create Trail page, configure the parameters.

In the Basic Information section, configure the basic information about the trail.
Note
By default, the trail delivers events in all regions. We recommend that you set Management Event to All. This way, the trail delivers all types of events that occur in all regions. For more information, see Create a single-account trail.

In the Event Delivery section, configure parameters to deliver events to Simple Log Service, OSS, MaxCompute, or all. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.

Select Delivery to Log Service, set the Destination Account parameter to Delivery to Another Account, and then configure other parameters.

Parameter

Description

Project ARN

Enter the region where the project resides, the ID of Alibaba Cloud Account C, and the name of the project.

In this example, the name of the project that is created in Step 2 is used.

RAM Role ARN of Destination Account

Enter the ID of Alibaba Cloud Account C and the name of the RAM role.

The name of the RAM role created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.

Select Delivery to OSS, set the Destination Account parameter to Delivery to Another Account, and then configure other parameters.

Parameter	Description
RAM Role ARN of OSS Bucket	Enter the ID of Alibaba Cloud Account C and the name of the RAM role. The name of the RAM role that is created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.
Bucket Name	Enter the name of the OSS bucket that is created in Step 2.
Log File Prefix	Enter the prefix of the name of the log file in which you want to store the events.

Select Delivery to MaxCompute, set the Destination Account parameter to Delivery to Another Account, and then configure other parameters.

Parameter

Description

RAM Role ARN of MaxCompute

Enter the ID of Alibaba Cloud Account D and the name of the RAM role.

The name of the RAM role that is created in Step 1 is used. In this example, the name is ActionTrailDeliveryRole.

Project ARN

Enter the region where the MaxCompute project resides, the ID of Alibaba Cloud Account D, and the name of the MaxCompute project. In this example, the name of the MaxCompute project that is created in Step 2 is used.

Click Confirm.

Follow the preceding steps and use Alibaba Cloud Account B to create a single-account trail and set the delivery destination to the Simple Log Service project, OSS bucket, or MaxCompute project that is created in Step 2.

What to do next

After you create the trail, you can use Alibaba Cloud Account C to view events from Alibaba Cloud Account A and Alibaba Cloud Account B in the Simple Log Service project, OSS bucket, or MaxCompute project. For more information, see Query and analyze logs and Real-time log query.

Related operations

For more information about how to migrate data across Alibaba Cloud accounts, you can read the following topics:
- Background information
- Replicate data from a Logstore
For more information about how to analyze the delivered events, you can read the following topics:
Use Simple Log Service to analyze events