Before You Start

Cloud Trace Service (CTS) is a log audit service designed to strengthen cloud security. It allows you to collect, store, and query resource operation records. You can use these records to perform security analysis, track resource changes, audit compliance, and locate faults.

This document describes how to use application programming interfaces (APIs) to perform operations on CTS, such as creating and deleting a tracker. For details about all supported operations, see API Overview.

Before calling CTS APIs, ensure that you are familiar with CTS concepts and functions. For details, see CTS Service Overview.

Endpoints

An endpoint is the request address for calling an API. Endpoints vary depending on services and regions. To obtain the regions and endpoints, contact the enterprise administrator.

Constraints

A maximum of 100 data trackers and one management tracker can be created in an account. The quotas cannot be modified.
For more constraints, see API description.

Basic Concepts

Tracker
Before using CTS, you need to enable it. A tracker is automatically created when CTS is enabled. The tracker identifies and associates with all cloud services you are using, and records all operations on the services.

A management tracker and 100 data trackers can be created for a tenant.

Trace
Traces are cloud resource operation logs captured and stored by CTS. You can view traces to identify when operations were performed by which users for tracking.

There are two types of traces. Management traces are operation records reported by cloud services, whereas data traces are read/write operation records reported by Object Storage Service (OBS).

Account
An account is created upon successful registration. The account has full access permissions for all of its cloud services and resources. It can be used to reset user passwords and grant user permissions. The account is a payment entity and should not be used directly to perform routine management. For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management.
User
An IAM user is created using an account to use cloud services. Each IAM user has their own identity credentials (password and access keys).

The account name, username, and password will be required for API authentication.
Region
Regions are divided based on geographical location and network latency. Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region. Regions are classified into universal regions and dedicated regions. A universal region provides universal cloud services for common tenants. A dedicated region provides specific services for specific tenants.
AZ
An Availability Zone (AZ) comprises of one or more physical data centers equipped with independent ventilation, fire, water, and electricity facilities. Compute, network, storage, and other resources in an AZ are logically divided into multiple clusters. AZs within a region are interconnected using high-speed optical fibers to allow you to build cross-AZ high-availability systems.
Project
A project corresponds to a region. Projects group and isolate resources (including compute, storage, and network resources) across physical regions. Users can be granted permissions in a default project to access all resources in the region associated with the project. For more refined access control, create sub-projects under a project and create resources in the sub-projects. Users can then be assigned permissions to access only specific resources in the sub-projects.

Figure 1 Project isolation model