All Products
Search

This Product

    ActionTrail:Use ActionTrail to monitor the use of an Alibaba Cloud account

    Document Center

    ActionTrail:Use ActionTrail to monitor the use of an Alibaba Cloud account

    更新時間:Jan 16, 2024

    The Alibaba Cloud account is the owner of Alibaba Cloud resources. If the Alibaba Cloud account is disclosed, your resources are at risk. You can create a trail in the ActionTrail console to deliver events to Simple Log Service. Then, you can configure alert rules to monitor the use of your Alibaba Cloud account.

    Prerequisites

    Simple Log Service is activated.

    If Simple Log Service is not activated, log on to the Simple Log Service console and follow the on-screen instructions to activate the service.

    Step 1: Create a trail

    This section describes how to create a single-account trail to deliver events to Simple Log Service.

    1. Log on to the ActionTrail console.

    2. In the left-side navigation pane, click Trails.

    3. In the top navigation bar, select the region where you want to create a single-account trail.

      Note

      The region that you select becomes the home region of the trail that you want to create.

    4. On the Trails page, click Create Trail.

    5. On the Create Trail page, configure the parameters.

      • In the Basic Information section, configure the basic information about the trail.

        Parameter

        Description

        Trail Name

        The name of the trail. The name must be unique within your Alibaba Cloud account.

        Log Events

        The type of events that you want to deliver. Set the Management Event parameter to All.

      • In the Event Delivery section, configure parameters to deliver events to a new project within the current account. You must select the region of the Logstore and enter the name of the new project.

    6. Click Confirm.

    Step 2: Query events and configure an alert rule

    1. In the ActionTrail console, click Trails.

    2. Find the required trail, move the pointer over SLS or SLS & OSS in the Storage Service column, and then click the name of the Logstore.

    3. In the upper-right corner of the page, click Last 15 Minutes and specify a time range.

    4. In the search box, enter the event.userIdentity.type:"root-account"| select count(1) as use_root query statement. Then, click Search & Analyze.

    5. Click the Save Search icon or the Save as Alert icon.

      • Save Search: Click the Save Search icon in the upper-right corner. In the Saved Search Details panel, set the Saved Search Name parameter and click OK.

        Note

        After you save the query, you can select it in the Simple Log Service console to initiate the query.

        For more information, see Saved search.

      • Save as Alert: Click the Save as Alert > icon in the upper-right corner. In the Alert Monitoring Rule panel, configure the parameters and click OK.

        For more information about how to configure alert rules, see Configure an alert rule.

        Note

        After you configure the alert rule, you can receive alert notifications when the alert is triggered.

    What to do next

    You can manage the saved queries and alert rules in the Simple Log Service console.

    image.png

    References

    • After you deliver events to Simple Log Service, you can use other methods to configure alert rules in the Simple Log Service console. This allows you to implement monitoring and alerting for your Alibaba Cloud account. For more information, see Configure an alert monitoring rule in Simple Log Service.

    • After you deliver events to Simple Log Service, you can configure alert rules in the ActionTrail console. For more information, see Enable and configure alerts.