- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Overview
- Querying Traces
- Management Trackers
- Data Trackers
- Organization Trackers
- Creating a Key Event Notification
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Quota Management
- Supported Services and Operations
- Best Practices
- API Reference
- SDK Reference
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- What Information Is on the Trace List?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS in Pay-per-Use or Yearly/Monthly?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Make the Log Retention Period 180 Days?
- What Can I Do If a Tracker Cannot Be Created on the CTS Console?
- What Should I Do If I Cannot Enable CTS as an IAM User?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- What Should I Do If I Fail to Transfer Data to an OBS Bucket Authorized by a Key of Another Tenant?
- Does the cts_admin_trust Agency Include OBS Authorization?
- Does CTS Record ECS Creation Failures?
- Glossary
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
- Querying Traces
- Management Trackers
- Data Trackers
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Supported Services and Operations
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- What Information Is on the Trace List?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- Does CTS Record ECS Creation Failures?
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris)
- Service Overview
- Getting Started
- Querying Traces
- Management Trackers
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Supported Services and Operations
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- Does CTS Record ECS Creation Failures?
- API Reference (Paris)
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
- Querying Traces
- Management Trackers
- Trackers
- Organization Trackers
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Supported Services and Operations
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- What Information Is on the Trace List?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- Does CTS Record ECS Creation Failures?
- API Reference (Kuala Lumpur Region)
-
User Guide (ME-Abu Dhabi Region)
- Videos
- General Reference
Copied.
Security Auditing
Scenario
You can query operation records matching specified conditions and check whether operations have been performed by authorized users for security analysis.
Prerequisites
You have enabled CTS and trackers are running properly.
Procedure (for New Console)
The following takes the records of EVS disk creation and deletion in the last two weeks as an example.
- Log in to the management console as a CTS administrator.
- Click
in the upper left corner to select the desired region and project.
- Click
in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
- Choose Trace List in the left navigation pane.
- Set the time range to Last 1 week and set filters as follows:
- For creation operations: Select EVS for Trace Source, evs for Resource Type, and createVolume for Trace Name. View the filtering result.
- For deletion operations: Select EVS for Trace Source, evs for Resource Type, and deleteVolume for Trace Name. View the filtering result.
NOTE:
- By default, all EVS creation or deletion operations performed in the last hour are queried. You can also set the time range to query all EVS creation or deletion operations performed in the last seven days at most.
- For all cloud services and operations that can be audited by CTS, see Supported Services and Operations.
To obtain the operation records of the last week, query them in the OBS bucket. Choose Tracker List in the left navigation pane. In the displayed tracker list, click the OBS bucket name in the row of the management tracker.NOTE:
To store operation records for more than seven days, you must configure the management tracker to transfer them to an OBS bucket. Otherwise, you cannot query the operation records generated seven days ago.
- For creation operations: Select EVS for Trace Source, evs for Resource Type, and createVolume for Trace Name. View the filtering result.
- Download traces older than seven days or all traces by following the instructions in Querying Transferred Traces.
- In the trace files, search traces using keywords createVolume or deleteVolume.
- Check the traces obtained in steps 5 and 7 to see whether there are any unauthorized operations or operations that do not conform to security rules.
Procedure (for Old Console)
The following takes the records of EVS disk creation and deletion in the last two weeks as an example.
- Log in to the management console as a CTS administrator.
- Click
in the upper left corner to select the desired region and project.
- Click
in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
- Choose Trace List in the left navigation pane.
- Set the time range to Last 1 week, set filters in sequence, and click Query.
NOTE:
Select Management for Trace Type, evs for Trace Source, evs for Resource Type, Trace name for Search By, select createVolume or deleteVolume, and click Query. By default, all EVS disk creation or deletion operations performed in the last hour are queried. You can also set the time range to query all EVS creation or deletion operations performed in the last seven days at most.
- To obtain the operation records of the last week, query them in the OBS bucket. Choose Tracker List in the navigation pane on the left.
NOTE:
To store operation records for more than seven days, you must configure the management tracker to transfer them to an OBS bucket. Otherwise, you cannot query the operation records generated seven days ago.
- Download traces older than seven days or all traces by following the instructions in Querying Transferred Traces.
- In the trace files, search traces using keywords createVolume or deleteVolume.
- Check the traces obtained from steps 5 and 8 to see whether there are any unauthorized operations or operations that do not conform to security rules.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot