To gain insights into user behavior, enterprises collect logs from web applications and analyze key data such as user devices, browsing history, and intra-application interactions. This way, enterprises can improve features and optimize user experience. After the web tracking feature of Alibaba Cloud Simple Log Service is enabled, enterprises automatically collect user logs from browsers to Simple Log Service. This improves data processing efficiency and reduces the burden on application servers. After you enable the web tracking feature for a Logstore, the write permissions on the Logstore are granted to anonymous users. Despite the convenient collection of browser logs, configuration data leaks of browsers in this case may cause dirty data. To reduce this risk and enhance data upload security, we recommend that you use Security Token Service (STS) to provide browsers with tokens that are valid within a specified period of time and allow specific operations. This topic describes how to use Simple Log Service and STS to build a secure and efficient direct data transfer service for web applications to collect browsing behavior logs from browsers to Simple Log Service.
Background information
Enterprise A develops a web application that provides users with an online, feature-rich, and user-friendly platform. This platform is designed to attract users to browse and purchase products and services. To better understand user requirements, optimize user experience, and further improve the website conversion rate, Enterprise A acknowledges the importance of in-depth analysis on user behavior performed on the web application, including clicks, slides, dwelling, search habits, and purchases. In this case, the technical team of Enterprise A collects browser logs from the web application to Simple Log Service for efficient data analysis and processing.
Security risks
To reduce the burden on application servers and improve the efficiency of data processing, the web application is designed to allow user browsers to directly upload logs to Simple Log Service without the need for data transfer and data collection to application servers.
The following figure shows how Enterprise A plans to build a direct data transfer service to collect browser logs to Simple Log Service.
After the web tracking feature is enabled for a Simple Log Service Logstore, the write permissions on the Logstore are granted to anonymous users. In this case, the following risks may occur:
Dirty data generation: Malicious users may upload false or sabotage data, which compromises data quality and the accuracy of analysis results.
Service abuse: Unlimited write operations may be abused to initiate Denial of Service (DoS) attacks. Attackers may initiate a large number of write requests to exhaust resources.
Solution
To handle the risks, Enterprise A adds temporary access authorization. This way, Enterprise A can ensure the efficiency of direct data transfer and achieve the following benefits:
Enhanced authentication and authorization: STS generates tokens that are valid within a specified period of time. This significantly reduces security risks even if the tokens are leaked because the tokens quickly become invalid.
Fine-grained access control: STS allows you to configure permissions based on the principle of least privilege. You can grant only the required permissions to the web application. This helps narrow down the impact scope of token leaks and avoids granting excessive permissions to the web application.
The following figure shows how Enterprise A builds a direct data transfer service to collect browser logs to Simple Log Service.
Solution deployment
This section describes how to use Simple Log Service and STS to build a direct data transfer service for a web application to collect browsing behavior logs from browsers to Simple Log Service.
Quick deployment
Procedure
To deploy the sample project by using Resource Orchestration Service (ROS), perform the following steps:
Log on to the ROS console.
In the upper-left corner, select a region. Example: China (Hangzhou).
In the Configure Parameters step of the Create Stack wizard, configure parameters in the SLS and ECS configure sections and click Next.
Click Create.
After the stack is created, click the Outputs tab. Then, click WebTrackingUrl. On the page that appears, enter a username, select a product, and then click Place Order to simulate user behavior on a browser.
Verification and cleaning
Solution verification
After you complete the preceding steps, you can preview logs to check whether the logs are collected to Simple Log Service.
In the Logstores list, click the Logstore whose logs you want to view and choose
> Consumption Preview to the right of the Logstore. In the Consumption Preview panel, view the collected logs.
Resource cleaning
In this example, you created an Elastic Compute Service (ECS) instance, a Simple Log Service project, a Logstore, a Resource Access Management (RAM) user, and a RAM role. After you verify the solution, you can perform the following operations to release the resources. This way, you can avoid unnecessary fees or security risks.
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
On the Stacks page, find the created stack and click Delete in the Actions column.
Manual deployment
Preparations
Before you start the deployment, you must create a cloud resource.
Create a Simple Log Service project and a Logstore to store and analyze logs that are collected from browsers.
Parameter
Example value
Region
China (Hangzhou)
Project Name
web-tracking-project
Logstore Name
web-tracking-logstore
For more information, see Step 1: Create a project and a Logstore.
Create an ECS instance as your application server to generate STS tokens.
NoteIn your actual deployment, you do not need to create the ECS instance. You can directly integrate STS API into your application server.
Parameter
Example value
Billing Method
Pay-as-you-go
Region
China (Hangzhou)
Public IP Address
Assign Public IPv4 Address
Security Group
HTTP-TCP:80-open
For more information, see Create and manage an ECS instance in the console (express version).
Procedure
To manually deploy the project, perform the following steps:
Step 1: Create a RAM user in the RAM console
Create a RAM user and obtain the AccessKey pair of the RAM user. When you create the RAM user, set Access Mode to OpenAPI Access. The AccessKey pair is used as a long-term access credential for accessing and managing your application server.
Log on to the RAM console by using an Alibaba Cloud account or an account administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.
Configure the Logon Name and Display Name parameters.
In the Access Mode section, select OpenAPI Access. Then, click OK.
Click Copy in the Actions column and save the AccessKey pair of the RAM user.
Step 2: Grant the RAM user the permissions to call the AssumeRole operation in the RAM console
After the RAM user is created, grant the RAM user the permissions to call the AssumeRole operation of STS. This way, the RAM user can assume a RAM role to obtain STS tokens.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, select the AliyunSTSAssumeRoleAccess system policy.
NoteTo grant a RAM user the permissions to call the AssumeRole operation, you must attach the AliyunSTSAssumeRoleAccess system policy to the RAM user. This policy does not grant the permissions to obtain STS tokens or initiate Simple Log Service requests by using the STS tokens.
Click Grant permissions.
Step 3: Create a RAM role in the RAM console
Create a RAM role that the RAM user can assume to obtain STS tokens and obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see ARN.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role. In the Select Role Type step of the Create Role wizard, set Select Trusted Entity to Alibaba Cloud Account and click Next.
In the Configure Role step of the Create Role wizard, enter a name in the RAM Role Name field and set Select Trusted Alibaba Cloud Account to Current Alibaba Cloud Account.
Click OK. After the RAM role is created, click Close.
On the Roles page, enter the role name in the search box to search for the RAM role. Example:
sls-web-tracking.On the details page of the RAM role, click Copy to save the ARN of the RAM role.
Step 4: Create a custom policy in the RAM console
Create a custom policy based on the principle of least privilege. The custom policy grants the RAM role the permissions to upload logs only to a specified Simple Log Service Logstore.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. Replace
<Project name>and<Logstore name>in the following policy document with the names of the project and Logstore that are created in the "Preparations" section of this topic.ImportantThe following policy document is provided only for reference. You must configure fine-grained RAM policies based on your business requirements to avoid granting excessive permissions to the RAM role. For more information about how to configure fine-grained RAM policies, see Examples of using custom policies to grant permissions to a RAM user.
{ "Version":"1", "Statement":[ { "Effect":"Allow", "Action":[ "log:PostLogStoreLogs" ], "Resource":[ "acs:log:*:*:project/<Project name>/logstore/<Logstore name>" ] } ] }After you configure the policy, click Next to edit policy information.
In the Basic information section, specify a policy name. Then, click OK.
Step 5: Attach the custom policy to the RAM role in the RAM console
Attach the custom policy to the RAM role. This way, the RAM user can assume the RAM role to perform the operations that are allowed by the policy.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, find the RAM role and click Grant Permission in the Actions column.
In the Policy section of the Grant Permission panel, select Custom Policy from the policy type drop-down list and select the custom policy.
Click Grant permissions.
Step 6: Obtain STS tokens from your application server
Open your web application and integrate STS SDK into your application server to implement the /get_sts_token operation. For more information, see STS SDK overview. When you call the /get_sts_token operation by using the HTTP GET method, the system generates and returns an STS token.
The following procedure describes how to build a web application by using the Flask framework on your ECS instance and obtain STS tokens from the application server:
Connect to the ECS instance.
For more information, see Create and manage an ECS instance in the console (express version).
Install Python 3. For more information, see Python 3.
Create a project folder and switch to the project directory.
mkdir my_web_sample cd my_web_sampleInstall dependencies.
pip3 install Flask pip3 install attr pip3 install yarl pip3 install async_timeout pip3 install idna_ssl pip3 install attrs pip3 install aiosignal pip3 install charset_normalizer pip3 install alibabacloud_tea_openapi pip3 install alibabacloud_sts20150401 pip3 install alibabacloud_credentialsWrite backend code.
Create a file named
main.py.Add the following Python code to the file:
import json from flask import Flask, render_template from alibabacloud_tea_openapi.models import Config from alibabacloud_sts20150401.client import Client as Sts20150401Client from alibabacloud_sts20150401 import models as sts_20150401_models from alibabacloud_credentials.client import Client as CredentialClient app = Flask(__name__) # Replace <YOUR_ROLE_ARN> with the ARN of the RAM role. role_arn_for_oss_upload = '<YOUR_ROLE_ARN>' # Specify the region of STS. Example: cn-hangzhou. region_id = 'cn-hangzhou' @app.route("/") def hello_world(): return render_template('index.html') @app.route('/get_sts_token', methods=['GET']) def get_sts_token(): # If you do not specify parameters when you initialize CredentialClient, the default credential chain is used. # If you run a program on your computer, you can specify the AccessKey pair by configuring the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables. # If you run a program on ECS, Elastic Container Instance (ECI), or Container Service for Kubernetes (ACK), you can specify the role of the bound instance by configuring the ALIBABA_CLOUD_ECS_METADATA environment variable. The SDK automatically obtains STS tokens. config = Config(region_id=region_id, credential=CredentialClient()) sts_client = Sts20150401Client(config=config) assume_role_request = sts_20150401_models.AssumeRoleRequest( role_arn=role_arn_for_oss_upload, # Replace <YOUR_ROLE_SESSION_NAME> with the custom name of the session. role_session_name='<YOUR_ROLE_SESSION_NAME>' ) response = sts_client.assume_role(assume_role_request) token = json.dumps(response.body.credentials.to_map()) return token app.run(host="0.0.0.0", port=80)Replace
<YOUR_ROLE_ARN>with the ARN that is obtained in Step 3.Replace
<YOUR_ROLE_SESSION_NAME>with the custom name of the session. Example:role_session_test.
Start the web application by using the AccessKey pair that is obtained in Step 1.
ALIBABA_CLOUD_ACCESS_KEY_ID=<YOUR_AK_ID> ALIBABA_CLOUD_ACCESS_KEY_SECRET=<YOUR_AK_SECRET> python3 main.pyVisit
http://<The public IP address of the ECS instance>/get_sts_tokenin your browser.The following figure shows a success response.
Step 7: Use an STS token in your browser to upload logs to Simple Log Service
After you implement the /get_sts_token operation on your application server, integrate the @aliyun-sls/web-track-browser frontend instrumentation SDK and the @aliyun-sls/web-sts-plugin STS plug-in of Simple Log Service into the frontend code of the web application. This helps monitor user behavior in real time and upload related logs. When you create a tracker, the tracker automatically calls the /get_sts_token operation to obtain an STS token. This way, the user behavior data generated during website interactions can be securely transferred to Simple Log Service. The user behavior data includes the data of logons, product browsing, and order submission.
The following procedure describes how to compile and pack the frontend instrumentation SDK and the STS plug-in of Simple Log Service by using the Parcel packaging tool and integrate the SDK and plug-in into the frontend code of the web application:
Press
Ctrl+Cto stop the web application.Install npm.
yum install npmInstall Parcel.
npm install -g parcel-bundlerCreate frontend project directories.
mkdir templates static srcInstall project dependencies.
npm install --save @aliyun-sls/web-track-browser npm install --save @aliyun-sls/web-sts-pluginWrite frontend code.
Create a file named
src/index.jsin thesrcdirectory.vim src/index.jsAdd the following JavaScript code to the file:
import SlsTracker from "@aliyun-sls/web-track-browser"; import createStsPlugin from "@aliyun-sls/web-sts-plugin"; const opts = { host: "cn-hangzhou.log.aliyuncs.com", // The Simple Log Service endpoint for the region where your Simple Log Service project resides. Example: cn-hangzhou.log.aliyuncs.com. project: "${project}", // The project name. logstore: "${logstore}", // The Logstore name. time: 10, // The interval at which logs are uploaded to Simple Log Service. Default value: 10. Unit: seconds. count: 10, // The number of logs that are uploaded to Simple Log Service. Default value: 10. topic: "topic", // The topic of the logs. You can specify a custom value. source: "source", tags: { tags: "tags", }, }; const stsOpt = { accessKeyId: "", accessKeySecret: "", securityToken: "", // The following code provides an example on how to use the refreshSTSToken function: refreshSTSToken: () => new Promise((resolve, reject) => { const xhr = new window.XMLHttpRequest(); xhr.open("GET", "http://<The public IP address of the ECS instance>/get_sts_token", true); xhr.send(); xhr.onreadystatechange = () => { if (xhr.readyState === 4) { if (xhr.status === 200) { let credential = JSON.parse(xhr.response); // The function is used to configure a temporary AccessKey pair and an STS token. stsOpt.accessKeyId = credential.AccessKeyId; stsOpt.accessKeySecret = credential.AccessKeySecret; stsOpt.securityToken = credential.SecurityToken; resolve(); } else { reject("Wrong status code."); } } }; }), // refreshSTSTokenInterval: 300000, // stsTokenFreshTime: undefined, }; const tracker = new SlsTracker(opts); // Create an STS plug-in. const stsPlugin = createStsPlugin(stsOpt); // Use the STS plug-in. tracker.useStsPlugin(stsPlugin); // Track user logons. document.getElementById("loginButton").addEventListener("click", () => { const username = document.getElementById("username").value; tracker.send({ eventType: "login", username: username, }); console.log("Login event tracked for:", username); }); // Track product browsing. document.querySelectorAll(".product").forEach((productButton) => { productButton.addEventListener("click", (event) => { const productName = event.target.getAttribute("data-product-name"); const productPrice = event.target.getAttribute("data-price"); tracker.send({ eventType: "view_product", productName: productName, price: productPrice, }); console.log("Product view tracked for:", productName); }); }); // Track order submission. document.getElementById("orderButton").addEventListener("click", () => { tracker.send({ eventType: "place_order", orderDetails: "Order placed for example items", }); console.log("Order placed event tracked"); });For more information about the
optsandstsOptparameters, see Use the STS plug-in of web tracking SDK for JavaScript to upload logs.Replace
${project}and${logstore}with the names of the project and Logstore that are created in the "Preparations" section of this topic.Replace
<The public IP address of the ECS instance>with the public IP address of the ECS instance that is created in the "Preparations" section of this topic. For more information about how to view public IP addresses, see View IP addresses.
Create an HTML file.
Create a file named
index.htmlin thetemplatesdirectory.vim templates/index.htmlAdd the following HTML code to the HTML file:
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Web Tracking Static Example</title> </head> <body> <h1>Welcome to Simple Web Store</h1> <!-- User logons --> <div> <label for="username">Username:</label> <input type="text" id="username" name="username"> <button id="loginButton">Login</button> </div> <!-- List of products --> <div> <h2>Products</h2> <button class="product" data-product-name="Laptop" data-price="1200">Laptop - $1200</button> <button class="product" data-product-name="Smartphone" data-price="800">Smartphone - $800</button> <button class="product" data-product-name="Tablet" data-price="500">Tablet - $500</button> </div> <!-- Order submission --> <div> <h2>Your Order</h2> <button id="orderButton">Place Order</button> </div> <script type="module" src="{{ url_for('static', filename='js/index.js') }}"></script> </body> </html>
Pack static resources in the
my_web_sampleroot directory.Start the web application by using the AccessKey pair that is obtained in Step 1.
Visit
http://<The public IP address of the ECS instance>in your browser. On the page that appears, enter a username, select a product, and then click Place Order to simulate user behavior on a browser.
parcel build src/index.js --out-dir static/js --public-url ./jsALIBABA_CLOUD_ACCESS_KEY_ID=<YOUR_AK_ID> ALIBABA_CLOUD_ACCESS_KEY_SECRET=<YOUR_AK_SECRET> python3 main.pyVerification and cleaning
Solution verification
After you complete the preceding steps, you can preview logs to check whether the logs are collected to Simple Log Service.
In the Logstores list, click the Logstore whose logs you want to view and choose
> Consumption Preview to the right of the Logstore. In the Consumption Preview panel, view the collected logs.
Resource cleaning
In this example, you created an ECS instance, a Simple Log Service project, a Logstore, a RAM user, and a RAM role. After you verify the solution, you can perform the following operations to release the resources. This way, you can avoid unnecessary fees or security risks.
Release the ECS instance. For more information, see Release an instance.
Delete the Logstore and then delete the project. For more information, see Manage a Logstore and Manage a project.
Delete the RAM user and the RAM role. For more information, see Delete a RAM user and Delete a RAM role.
What to do next
After you collect user logs from browsers to Simple Log Service, you can perform the following operations:
Query and analyze the logs to gain insights into user behavior. For more information, see Query and analyze logs.
Display query and analysis results in dashboards, charts, and third-party visualization tools. For more information, see Overview of visualization.
Analyze user behavior logs to detect potential security threats, including failed logon attempts, abnormal access modes, and suspected data leaks. If the system detects the preceding threats, alerts are triggered. Then, the security team can respond to the threats at the earliest opportunity. For more information, see Introduction to the alerting feature.