Security Auditing

Scenarios

You can query operation records matching specified conditions and check whether operations have been performed by authorized users for security analysis.

This section describes how to use CTS to audit EVS creation and deletion operations performed in the last two weeks.

Constraints

To store operation records for longer than seven days, you must configure transfer to OBS or LTS for trackers so that you can view them in OBS buckets or LTS log groups.

Prerequisites

You have enabled CTS and trackers are running properly.

Viewing Real-Time Traces

The following takes the records of EVS disk creation and deletion in the last week as an example.

1. Log in to the management console as a CTS administrator.
2. Click in the upper left corner to select the desired region and project.
3. Click in the upper left corner and choose Management & Deployment > Cloud Trace Service. The CTS console is displayed.
4. Choose Trace List in the navigation pane.
5. Set the time range to Last 1 week.
6. Set filters above the trace list to query the EVS disk creation and deletion operations.
   • To query disk creation operations, set Trace Type to Management, Trace Source to EVS, Resource Type to evs, and Search by to Trace name. Enter createVolume in the text box on the right of Trace name.
   • To query disk deletion operations, set Trace Type to Management, Trace Source to EVS, Resource Type to evs, and Search by to Trace name. Enter deleteVolume in the text box on the right of Trace name.

7. Click Query to check the filtering results.

8. Check the user information in the results to identify unauthorized operations or operations that do not conform to security rules.
9. (Optional) To query operation records older than seven days, go to the OBS bucket or LTS log group. For details, see Querying Transferred Traces.