ActionTrail allows you to create trails. You can use trails to deliver events that are generated in cloud services to an Object Storage Service (OSS) bucket or a Simple Log Service Logstore for further analysis and long-term storage. By default, ActionTrail records the events that are generated within your Alibaba Cloud account in the last 90 days. You can query the events in the ActionTrail console. To query events that are generated more than 90 days ago, you must create a trail first to deliver the events to OSS or Simple Log Service. This topic describes how a trail works and the use scenarios of trails.
How a trail works
The following figure shows how a trail works.
Use scenarios
Trails allow you to collect audit logs in a centralized manner over an extended period of time to support various purposes such as security monitoring, compliance audit, fault diagnosis, and resource change tracking. The following list describes specific use scenarios of audit logs:
Security monitoring and assurance
Suspicious event detection: You can monitor unusual API operation calls or requests from unusual geographic locations to detect potential security threats or unauthorized activities.
User behavior analysis: You can analyze user behavior patterns based on audit logs to detect unusual operations.
Permission change tracking: You can use a multi-account trail to monitor changes to Resource Access Management (RAM) policies and permissions. This helps you verify that only authorized users perform critical operations.
Compliance audit
Operation log retention: To meet the requirements of laws and regulations, enterprises need to retain their operation logs for a long period of time. Multi-account trails can deliver operation logs to OSS for future review.
Compliance report: You can use delivered data to generate reports on compliance with specific security standards and policies.
Resource change management
Resource lifecycle management: You can record the creation, modification, and deletion events of resources to manage the entire lifecycle of resources.
Environmental change audit: In a collaborative environment, you can use multi-account trails to record which users made changes to the environment and the point in time at which the changes were made. This helps ensure the stability of the environment.
Troubleshooting and O&M
Service failure analysis: If a service interruption or performance degradation occurs, you can use the delivered data to analyze the operations that were performed before and after the event. This helps you identify the cause of the issue.
Configuration change tracking: You can record all changes to the configurations of cloud resources. This helps you identify configuration errors that may cause service interruption.
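The following is an added example that is not part of the original topic and not ActionTrail's own tooling. It shows how the suspicious event detection and permission change tracking scenarios above can be run over events that a trail has delivered (one JSON event per line, as in a delivered log file). The field names (eventTime, eventName, eventSource, sourceIpAddress, userIdentity) follow the ActionTrail event record layout as assumed here; the sample events, the trusted IP prefixes and the list of RAM operation names are constructed for illustration.

```python
import json

# Constructed sample of delivered ActionTrail events, one JSON object per line.
# Values are made up; field names are assumed to match the ActionTrail event format.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ListBuckets",
     "eventSource": "oss.aliyuncs.com", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"type": "ram-user", "userName": "ops-bot"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "AttachPolicyToUser",
     "eventSource": "ram.aliyuncs.com", "sourceIpAddress": "198.51.100.7",
     "userIdentity": {"type": "ram-user", "userName": "alice"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventName": "DeleteUser",
     "eventSource": "ram.aliyuncs.com", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"type": "root-account", "userName": "root"}},
])

# Hypothetical allow-list of office/VPN egress prefixes. A source IP outside
# these stands in for the "unusual geographic location" check in the text.
TRUSTED_PREFIXES = ("203.0.113.",)

# RAM operations that change who is allowed to do what (illustrative set).
PERMISSION_CHANGE_EVENTS = {
    "AttachPolicyToUser", "AttachPolicyToRole", "DetachPolicyFromUser",
    "CreatePolicyVersion", "DeleteUser",
}


def flag_events(log_text):
    """Return (reason, eventName, userName, sourceIp) findings from delivered events."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = ev.get("eventName", "?")
        user = ev.get("userIdentity", {}).get("userName", "?")
        ip = ev.get("sourceIpAddress", "")
        # Permission change tracking: any policy/user change issued to RAM.
        if ev.get("eventSource") == "ram.aliyuncs.com" and name in PERMISSION_CHANGE_EVENTS:
            findings.append(("ram-permission-change", name, user, ip))
        # Suspicious event detection: request from outside the trusted ranges.
        if ip and not ip.startswith(TRUSTED_PREFIXES):
            findings.append(("untrusted-source-ip", name, user, ip))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(*finding)
```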
Terms
Term | Description
--- | ---
trail | A trail is used to deliver events to an OSS bucket or a Simple Log Service Logstore for storage and further analysis. ActionTrail supports single-account trails, multi-account trails, and trails for the Inner-ActionTrail feature. These types of trails differ in their creator, effective scope, and delivery content.
single-account trail | An individual user can create a single-account trail to deliver events to Simple Log Service or OSS. An individual user can create multiple single-account trails to perform the following operations: For more information about single-account trails, see Single-account trail overview.
multi-account trail | After an enterprise user creates a resource directory, the management account of the resource directory can create a multi-account trail to deliver the events of all members in the resource directory to a Simple Log Service Logstore or an OSS bucket. For more information about multi-account trails, see Overview.
trail for the Inner-ActionTrail feature | An individual user can create a trail for the Inner-ActionTrail feature to deliver events that are generated when the Alibaba Cloud O&M team maintains the services of the user to a Simple Log Service Logstore. For more information, see the Inner-ActionTrail overview.
management account | A management account is used to enable a resource directory and serves as the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the members in the resource directory. Only an Alibaba Cloud account that has passed enterprise real-name verification can be used as a management account. Each resource directory can have only one management account.
member | A member serves as a container for resources and is also an organizational unit in a resource directory. A member represents a project or application. The resources of different members are isolated from each other. You can use the management account to grant RAM users, user groups, or RAM roles the permissions to access the resources of members. You can also use the management account to create a member in the resource directory or invite an Alibaba Cloud account to join the resource directory as a member.
delegated administrator account | The management account of a resource directory can be used to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service, including the structure and members of the resource directory. The member can also be used to manage business within the resource directory. For more information about delegated administrator accounts, see Manage a delegated administrator account.
Differences between multi-account trails and single-account trails
Trail type | Creator account | Scope of events to deliver | Event query method | Maximum number of trails allowed | Creation method
--- | --- | --- | --- | --- | ---
Single-account trail | All Alibaba Cloud accounts | Events of an Alibaba Cloud account | | Five in a region |
Multi-account trail | Delegated administrator account or management account | Events of all members | Delegated administrator account or management account: | One in all regions |