Using CTS to Audit OBS
Cloud Trace Service (CTS) records operations on cloud resources in your account. You can use the logs to perform security analysis, track resource changes, audit compliance, and locate faults.
After you enable CTS and configure a tracker, CTS can record management and data traces of OBS for auditing.
For details about how to enable and configure CTS, see Getting Started.
For details about OBS management and data traces that can be tracked by CTS, see Cloud Trace Service.
Procedure
- Log in to the Cloud Eye console.
- Configure the cloud audit for OBS by referring to Configuring a Tracker in the Cloud Trace Service User Guide.
| Tracker Type | Operation | Resource | Trace Name |
|---|---|---|---|
| Management | Creating a bucket | Bucket | createBucket |
| Management | Deleting a bucket | Bucket | deleteBucket |
| Management | Listing buckets | Bucket | listAllMyBuckets (If you use OBS Console to list buckets, relevant traces will be recorded in CN-Hong Kong or AP-Singapore. For Latin America, traces of listing buckets are recorded as follows: those in LA-Santiago are recorded in LA-Santiago, those in LA-Sao Paulo1, LA-Buenos Aires1, and LA-Lima1 are recorded in LA-Sao Paulo1, and those in LA-Mexico City1 and LA-Mexico City2 are recorded in LA-Mexico City2.) |
| Management | Obtaining bucket metadata | Bucket | headBucket |
| Management | Obtaining the bucket location | Bucket | getBucketLocation |
| Management | Listing objects in a bucket | Bucket | listObjects |
| Management | Listing initiated multipart uploads in a bucket | Bucket | listMultipartUploads |
| Management | Obtaining the storage usage of a bucket | Bucket | getBucketStorageInfo |
| Management | Configuring a CORS Rule for a Bucket | Bucket | setBucketCors |
| Management | Obtaining the CORS configuration of a bucket | Bucket | getBucketCors |
| Management | Deleting the CORS configuration of a bucket | Bucket | deleteBucketCors |
| Management | Configuring a user-defined domain name for a bucket | Bucket | setBucketCustomdomain |
| Management | Obtaining the user-defined domain name of a bucket | Bucket | getBucketCustomdomain |
| Management | Deleting the user-defined domain name of a bucket | Bucket | deleteBucketCustomdomain |
| Management | Configuring the bucket lifecycle rules | Bucket | setBucketLifecycle |
| Management | Obtaining the lifecycle configuration of a bucket | Bucket | getBucketLifecycle |
| Management | Deleting the lifecycle configuration of a bucket | Bucket | deleteBucketLifecycle |
| Management | Configuring the cross-region replication function for buckets | Bucket | setBucketReplication |
| Management | Obtaining the cross-region replication configuration of a bucket | Bucket | getBucketReplication |
| Management | Deleting the cross-region replication configuration of a bucket | Bucket | deleteBucketReplication |
| Management | Configuring the bucket tag | Bucket | setBucketTagging |
| Management | Obtaining the tags of a bucket | Bucket | getBucketTagging |
| Management | Deleting the tag configuration of a bucket | Bucket | deleteBucketTagging |
| Management | Configuring static website hosting for a bucket | Bucket | setBucketWebsite |
| Management | Obtaining the static website hosting configuration of a bucket | Bucket | getBucketWebsite |
| Management | Deleting the static website hosting configuration of a bucket | Bucket | deleteBucketWebsite |
| Management | Configuring a bucket policy | Bucket | setBucketPolicy |
| Management | Deleting a bucket policy | Bucket | deleteBucketPolicy |
| Management | Configuring a bucket ACL | Bucket | setBucketAcl |
| Management | Obtaining a bucket ACL | Bucket | getBucketAcl |
| Management | Configuring logging for a bucket | Bucket | setBucketLogging |
| Management | Obtaining the logging configuration of a bucket | Bucket | getBucketLogging |
| Management | Configuring event notifications for a bucket | Bucket | setBucketNotification |
| Management | Obtaining the event notification configuration of a bucket | Bucket | getBucketNotification |
| Management | Configuring a storage quota for a bucket | Bucket | setBucketQuota |
| Management | Obtaining the storage quota of a bucket | Bucket | getBucketQuota |
| Management | Configuring the storage class for a bucket | Bucket | setBucketStorageclass |
| Management | Obtaining the storage class of a bucket | Bucket | getBucketStorageclass |
| Management | Configuring versioning for a bucket | Bucket | setBucketVersioning |
| Management | Obtaining the versioning status of a bucket | Bucket | getBucketVersioning |
| Management | Configuring server-side encryption for a bucket | Bucket | setBucketEncryption |
| Management | Obtaining the server-side encryption configuration of a bucket | Bucket | getBucketEncryption |
| Management | Deleting the server-side encryption configuration of a bucket | Bucket | deleteBucketEncryption |
| Management | Obtaining the Block Public Access configuration of a bucket | Bucket | getBucketPublicAccessBlock |
| Management | Configuring Block Public Access for a bucket | Bucket | putBucketPublicAccessBlock |
| Management | Deleting the Block Public Access configuration of a bucket | Bucket | deleteBucketPublicAccessBlock |
| Management | Obtaining the public access status of a bucket policy | Bucket | getBucketPolicyPublicStatus |
| Management | Obtaining the public access status of a bucket | Bucket | getBucketPublicStatus |
| Management | Configuring an inventory for a bucket | Bucket | setBucketInventoryConfiguration |
| Management | Obtaining the inventory configuration of a bucket | Bucket | getBucketInventoryConfiguration |
| Management | Deleting the inventory configuration of a bucket | Bucket | deleteBucketInventoryConfiguration |
| Management | Configuring direct reading for objects in a bucket | Bucket | setBucketDirectColdAccess |
| Management | Obtaining the Direct Reading policy of a bucket | Bucket | getBucketDirectColdAccess |
| Management | Deleting the Direct Reading policy of a bucket | Bucket | deleteBucketDirectColdAccess |
| Management | Configuring a back-to-source by mirroring rule | Bucket | setBucketBackToSource |
| Management | Obtaining a back-to-source by mirroring rule | Bucket | getBucketBackToSource |
| Management | Deleting a back-to-source by mirroring rule | Bucket | deleteBucketBackToSource |
| Management | Configuring a default WORM policy for a bucket | Bucket | setBucketObjectLockConfiguration |
| Management | Obtaining the default WORM policy of a bucket | Bucket | getBucketObjectLockConfiguration |
| Management | Sending an OPTIONS request to a bucket | Bucket | optionsBucket |
| Management | Configuring a bucket trigger | Bucket | putTriggerPolicy |
| Management | Deleting a bucket trigger | Bucket | deleteTriggerPolicy |
| Management | Creating a workflow template | Bucket | createWorkflowTemplate |
| Management | Deleting a workflow template | Bucket | deleteWorkflowTemplate |
| Management | Creating a workflow | Bucket | createWorkflow |
| Management | Deleting a workflow | Bucket | deleteWorkflow |
| Management | Updating a workflow | Bucket | updateWorkflow |
| Management | Creating a workflow | Bucket | directCreateWorkflow |
| Management | Enabling workflow authorization | Bucket | openWorkflowAuthorization |
| Management | Resuming a failed workflow instance | Bucket | restoreFailedWorkflowExecution |
| Management | Triggering a workflow using an API | Bucket | asyncAPIStartWorkflow |
| Management | Creating a public action template | Bucket | createMyActionTemplate |
| Management | Modifying a submitted public action template | Bucket | updateMyActionTemplate |
| Management | Deleting a submitted public action template | Bucket | deleteMyActionTemplate |
| Management | Disabling a submitted public action template | Bucket | forbidMyActionTemplate |
| Management | Agreeing to the service agreement | Bucket | openWorkflowAgreements |

| Tracker Type | Operation | Resource | Trace Name |
|---|---|---|---|
| Data_Read | Downloading an object | Object | GET.OBJECT |
| Data_Read | Querying the object ACL | Object | GET.OBJECT.ACL |
| Data_Read | Querying the bucket website configuration | Object | GET.OBJECT.WEBSITE |
| Data_Read | Accessing an object through the website | Object | HEAD.OBJECT.WEBSITE |
| Data_Read | Querying the object metadata | Object | HEAD.OBJECT |
| Data_Read | Listing part data | Object | LIST.OBJECT.UPLOAD |
| Data_Write | Deleting an object | Object | DELETE.OBJECT |
| Data_Write | Canceling a part | Object | DELETE.UPLOAD |
| Data_Write | Querying the cross-domain requests for objects | Object | OPTIONS.OBJECT |
| Data_Write | Uploading an object | Object | POST.OBJECT |
| Data_Write | Deleting objects in batches | Object | POST.OBJECT.MULTIDELETE |
| Data_Write | Restoring Archive objects | Object | POST.OBJECT.RESTORE |
| Data_Write | Merging parts | Object | POST.UPLOAD.COMPLETE |
| Data_Write | Initializing multipart tasks | Object | POST.UPLOAD.INIT |
| Data_Write | Uploading an object | Object | PUT.OBJECT |
| Data_Write | Configuring the object ACL | Object | PUT.OBJECT.ACL |
| Data_Write | Copying an object | Object | PUT.OBJECT.COPY |
| Data_Write | Configuring the object storage class | Object | PUT.OBJECT.STORAGECLASS |
| Data_Write | Uploading a part | Object | PUT.PART |
| Data_Write | Copying a part | Object | PUT.PART.COPY |
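The following is an added example, not part of the original documentation or of any Huawei Cloud tooling: it reviews exported traces for the trace names listed above that change a bucket's protection, and ranks an access change highest when it follows the removal of Block Public Access or encryption on the same bucket. The record layout (one JSON object per line with `time`, `trace_name`, `bucket`, `user`), the 30-minute window and the severity labels are assumptions; map them to your actual trace export.

```python
import json
from datetime import datetime, timedelta

# Trace names below are taken from the tables on this page.
GUARDRAIL_REMOVED = {"deleteBucketPublicAccessBlock", "deleteBucketEncryption"}
ACCESS_CHANGED = {"setBucketPolicy", "deleteBucketPolicy", "setBucketAcl", "PUT.OBJECT.ACL"}
DESTRUCTIVE = {"deleteBucket", "DELETE.OBJECT", "POST.OBJECT.MULTIDELETE"}
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune to your environment

# Constructed sample records, deliberately out of time order. The field names
# (time, trace_name, bucket, user) are assumptions, not the CTS schema.
SAMPLE = """\
{"time": "2024-05-01T10:12:00+00:00", "trace_name": "setBucketPolicy", "bucket": "bucket-a", "user": "alice"}
{"time": "2024-05-01T10:00:00+00:00", "trace_name": "getBucketAcl", "bucket": "bucket-a", "user": "alice"}
{"time": "2024-05-01T10:05:00+00:00", "trace_name": "deleteBucketPublicAccessBlock", "bucket": "bucket-a", "user": "alice"}
{"time": "2024-05-01T10:20:00+00:00", "trace_name": "setBucketAcl", "bucket": "bucket-b", "user": "bob"}
{"time": "2024-05-01T11:40:00+00:00", "trace_name": "POST.OBJECT.MULTIDELETE", "bucket": "bucket-b", "user": "bob"}
{"time": "2024-05-01T11:30:00+00:00", "trace_name": "setBucketPolicy", "bucket": "bucket-a", "user": "alice"}
"""

def review(lines):
    """Return (severity, bucket, trace_name, user) tuples in time order."""
    records = [json.loads(line) for line in lines if line.strip()]
    for rec in records:
        rec["time"] = datetime.fromisoformat(rec["time"])
    findings = []
    guardrail_removed_at = {}  # bucket -> time of latest guardrail removal
    for rec in sorted(records, key=lambda r: r["time"]):
        name, bucket = rec["trace_name"], rec["bucket"]
        if name in GUARDRAIL_REMOVED:
            guardrail_removed_at[bucket] = rec["time"]
            severity = "medium"
        elif name in ACCESS_CHANGED:
            removed = guardrail_removed_at.get(bucket)
            # An access change soon after a guardrail was removed is the
            # combination that can expose a bucket, so rank it highest.
            recent = removed is not None and rec["time"] - removed <= WINDOW
            severity = "high" if recent else "low"
        elif name in DESTRUCTIVE:
            severity = "medium"
        else:
            continue  # read-only or routine trace
        findings.append((severity, bucket, name, rec["user"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE.splitlines()):
        print(*finding)
```
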
Follow-up Operations
You can click Disable under the Operation column on the right of a tracker to disable the tracker. After the tracker is disabled, the system will stop recording operations, but you can still view existing operation records.
You can click Delete under the Operation column on the right of a tracker to delete the tracker. Deleting a tracker has no impact on existing operation records. When you enable CTS again, you can view operation records that have been generated.