If you want to manage multiple members within an account, you can use the trails feature in ActionTrail to deliver the events of multiple members in a resource directory to Simple Log Service, Object Storage Service (OSS), or MaxCompute of one account. This way, you can archive and monitor audit data in a centralized manner. This topic describes how to deliver the events of multiple members in a resource directory to one account.
Background Information
Before you use the trails feature of ActionTrail to deliver events across accounts, you must be familiar with the concepts of a destination account and a source account. The following table describes the concepts.
Account | Description | Operation |
Destination account | The account that is used to receive events from source accounts. | Use the destination account to create a RAM role that ActionTrail can assume and the storage space (Simple Log Service project, OSS bucket, or MaxCompute project) that receives the events. |
Source account | The account whose events are written to the destination account. | Use the management account of the members to create a trail that delivers events to the storage space that you created in the destination account. |
The members in a resource directory are mutually trusted. If the destination and source accounts are in the same resource directory, a few configuration steps are required for cross-account event delivery. In this case, the procedure for configuring cross-account event delivery varies based on the type of destination account.
If the destination account is the management account, create a multi-account trail to deliver the events of all members in the resource directory to the Simple Log Service Logstore, OSS bucket, or MaxCompute table that you created in the management account. For more information, see Create a multi-account trail.
If the destination account is a member in the resource directory, perform the steps described in this topic to configure cross-account event delivery.
Procedure
Create a RAM role by using the destination account and grant ActionTrail the permissions to deliver events to the destination account.
Log on to the RAM console by using the destination account.
Create a RAM role for which ActionTrail is selected as the trusted service.
In the left-side navigation pane, go to the Roles page. On the Roles page, click Create Role.
In the Select Role Type step on the Create Role page, select Alibaba Cloud Service as the trusted entity and click Next.
Set the Role Type parameter to Normal Service Role.
Enter ActionTrailDeliveryRole in the RAM Role Name field.
Select ActionTrail from the Select Trusted Service drop-down list.
Click OK.
Attach the AliyunActionTrailDeliveryPolicy system policy to the RAM role.
In the Finish step, click Input and Attach.
Click Precise Permission on the Permissions tab. Then, select System Policy for the Type parameter and enter AliyunActionTrailDeliveryPolicy in the Policy Name field.
Click OK and then click Close.
You can view the details of the AliyunActionTrailDeliveryPolicy policy that is attached to the ActionTrailDeliveryRole role on the Roles page. For more information, see Manage the permission policy for event delivery.
Modify the trust policy of the RAM role. Change the value of the Service field to <Management Account ID>@actiontrail.aliyuncs.com. For example, if the management account is 159498693826****, change actiontrail.aliyuncs.com in the Service field to 159498693826****@actiontrail.aliyuncs.com. Then, ActionTrail of the 159498693826**** management account can assume the RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "159498693826****@actiontrail.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
For more information, see Edit the trust policy of a RAM role.
Use the destination account to create a Simple Log Service project, an OSS bucket, or a MaxCompute project.
For more information, see Manage a project, Create buckets, and Create a MaxCompute project.
Note: The name of the MaxCompute project must start with actiontrail_. To ensure data security, we recommend that you configure server-side encryption and retention policies when you create an OSS bucket. For more information, see Server-side encryption and Configure retention policies.
Use the management account to create a multi-account trail and set the delivery destination to the storage space that is created in Step 2.
Use the management account to log on to the ActionTrail console.
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region in which you want to create a multi-account trail.
Note: The region that you select becomes the home region of the trail that you want to create.
On the Trails page, click Create Trail.
On the Create Trail page, configure the parameters.
In the Basic Information section, configure the basic information about the trail.
Note: Set the Apply to All Members parameter to Yes.
By default, the trail delivers events in all regions. We recommend that you set the Management Event parameter to All. This way, the trail delivers all types of events that are generated in all regions.
For more information, see Create a multi-account trail.
In the Event Delivery section, configure parameters to deliver events to Simple Log Service, OSS, MaxCompute, or all. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
Select Delivery to Log Service, set the Destination Account parameter to Delivery to Another Account, and then configure other parameters.
Parameter | Description |
Project ARN | Enter the region in which the project resides, the ID of the destination account, and the name of the project. In this example, the name of the project that is created in Step 2 is used. |
RAM Role ARN of Destination Account | Enter the ID of the destination account and the name of the RAM role. In this example, the RAM role that is created in Step 1, ActionTrailDeliveryRole, is used. |
Select Delivery to OSS, set the Destination Account parameter to Delivery to Another Account, and then configure other parameters.
Parameter | Description |
RAM Role ARN of OSS Bucket | Enter the ID of the destination account and the name of the RAM role. In this example, the RAM role that is created in Step 1, ActionTrailDeliveryRole, is used. |
Bucket Name | Enter the name of the OSS bucket that is created in Step 2. |
Log File Prefix | Enter the prefix of the name of the log file in which you want to store the events. |
Select Delivery to MaxCompute, set the Destination Account parameter to Delivery to Another Account, and then configure other parameters.
Parameter | Description |
RAM Role ARN of MaxCompute | Enter the ID of the destination account and the name of the RAM role. In this example, the RAM role that is created in Step 1, ActionTrailDeliveryRole, is used. |
Project ARN | Enter the region in which the MaxCompute project resides, the ID of the destination account, and the name of the MaxCompute project. In this example, the name of the MaxCompute project that is created in Step 2 is used. |
Click Confirm.
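The following script is an added example, not code from Alibaba Cloud or from this topic. It pulls the three configuration points of the procedure above into checks you can run before clicking Confirm: it generates the trust policy for Step 1 and flags a trust policy that still uses the account-less actiontrail.aliyuncs.com principal (which would let ActionTrail of any account assume the delivery role instead of only the management account), it enforces the actiontrail_ prefix on the MaxCompute project name from Step 2, and it assembles the ARN strings asked for in Step 3. The ARN formats (acs:ram::<uid>:role/<name>, acs:log:<region>:<uid>:project/<name>, acs:odps:<region>:<uid>:project/<name>) and all account IDs and project names below are assumptions and constructed sample values, not taken from the page.

```python
"""Added example (not Alibaba Cloud's own code): sanity checks for the
cross-account ActionTrail delivery setup described in this topic.

Assumed ARN formats (not stated on the page):
  RAM role:            acs:ram::<uid>:role/<role-name>
  Simple Log Service:  acs:log:<region>:<uid>:project/<project-name>
  MaxCompute project:  acs:odps:<region>:<uid>:project/<project-name>
Account IDs and project names used here are constructed sample values.
"""
import json

ACTIONTRAIL_SERVICE = "actiontrail.aliyuncs.com"
DELIVERY_ROLE_NAME = "ActionTrailDeliveryRole"   # role name used in Step 1
MAXCOMPUTE_PREFIX = "actiontrail_"               # required prefix from Step 2


def _as_list(value):
    """RAM policies allow a string or a list in Action/Service fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_for(management_uid: str) -> dict:
    """Trust policy that lets ActionTrail of ONE management account assume the role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{management_uid}@{ACTIONTRAIL_SERVICE}"]},
        }],
        "Version": "1",
    }


def check_trust_policy(policy: dict, management_uid: str) -> list:
    """Return a list of findings; an empty list means only the expected
    management-account principal can assume the role."""
    expected = f"{management_uid}@{ACTIONTRAIL_SERVICE}"
    trusted = []  # service principals allowed to call sts:AssumeRole
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        trusted.extend(_as_list(stmt.get("Principal", {}).get("Service")))

    findings = []
    if expected not in trusted:
        findings.append(f"no Allow statement lets {expected!r} assume the role")
    for svc in trusted:
        if svc == expected:
            continue
        if svc == ACTIONTRAIL_SERVICE:
            findings.append(f"{svc!r} is the unscoped service principal; "
                            f"replace it with {expected!r}")
        else:
            findings.append(f"unexpected trusted principal {svc!r}")
    return findings


def delivery_arns(destination_uid: str, region: str,
                  sls_project: str = None, odps_project: str = None) -> dict:
    """Assemble the ARN strings entered in the Event Delivery section (Step 3)."""
    if not destination_uid.isdigit():
        raise ValueError("destination account ID must be numeric")
    arns = {"role_arn": f"acs:ram::{destination_uid}:role/{DELIVERY_ROLE_NAME}"}
    if sls_project:
        arns["sls_project_arn"] = f"acs:log:{region}:{destination_uid}:project/{sls_project}"
    if odps_project:
        if not odps_project.startswith(MAXCOMPUTE_PREFIX):
            raise ValueError(f"MaxCompute project name must start with {MAXCOMPUTE_PREFIX!r}")
        arns["odps_project_arn"] = f"acs:odps:{region}:{destination_uid}:project/{odps_project}"
    return arns


if __name__ == "__main__":
    mgmt = "1111111111111111"   # constructed management account ID
    dest = "2222222222222222"   # constructed destination (member) account ID
    print(json.dumps(trust_policy_for(mgmt), indent=2))   # paste into the role's trust policy
    unscoped = {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                               "Principal": {"Service": [ACTIONTRAIL_SERVICE]}}],
                "Version": "1"}
    for f in check_trust_policy(unscoped, mgmt):
        print("finding:", f)
    print(delivery_arns(dest, "cn-hangzhou",
                        sls_project="audit-logs", odps_project="actiontrail_audit"))
```

Run it against the trust policy you pasted into the RAM console (load it with json.load) before creating the trail; a non-empty findings list means the role is not scoped to the management account the way Step 1 requires.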
What to do next
After you create the trail, you can use the destination account to view events from multiple members in the Simple Log Service project, OSS bucket, or MaxCompute table. For more information, see Query and analyze logs and Real-time log query.