Using CTS to Monitor Access Key Usage
An access key consists of Access Key ID and Secret Access Key. It is used to identify and verify a user. Leaking your access key could put your resources at risk.
CTS can help you monitor access key-related traces and respond to access key usage exceptions.
This section describes how to use the operation audit and audit log transfer to LTS functions of CTS to monitor access key-related traces, and how to use the log alarm function of LTS to generate alarms.
Preparations
- If you log in to Huawei Cloud as the account owner, go to Step 1: Enable CTS and Configure a System Tracker.
- If you log in to Huawei Cloud as an IAM user, first contact your CTS administrator (account owner or a user in the admin user group) to obtain the CTS FullAccess permissions. For details, see Assigning Permissions to an IAM User.
- Contact the LTS administrator (the account owner or a user in the admin user group) to grant the LTS FullAccess permission to the IAM user.
Using log storage of LTS incurs additional charges. For details about LTS pricing, see Product Pricing Details.
Step 1: Enable CTS and Configure a System Tracker
- Log in to the CTS console.
- In the navigation pane on the left, choose Tracker List.
- Click Enable CTS in the upper right corner. A management tracker named system is automatically created.
- Click Configure in the Operation column in the row of the management tracker (named system).
Figure 1 Configuring the tracker
- Configure the basic information of the tracker and click Next.
Parameter
Description
Requirements
Tracker Name
The default value is system and cannot be changed.
system
Enterprise Project
If you have enabled enterprise project management for your account, select an enterprise project.
NOTE:Enterprise projects allow you to manage cloud resources and users by project.
For details about how to enable them, see Creating an Enterprise Project.
default
Excluding DEW traces
This parameter is deselected by default. If this parameter is selected, the createDataKey and decryptDatakey operations on DEW will not be transferred to OBS/LTS.
NOTE:For details about DEW audit operations, see Operations supported by CTS.
Deselect
- On the transfer configuration page, enable Transfer to LTS. The system automatically creates CTS for Log Group and system-trace for the log stream. Operation traces will be transferred to the log stream.
Figure 2 Enabling transfer to LTS
- Click Next and click Configure. The system tracker is configured. You can then check the tracker details on the Tracker List page.
Step 2: Query Traces in LTS
- On the Tracker List page of the CTS console, click the LTS log stream name on the right of the system tracker. The system-trace log stream details page is displayed.
Figure 3 Clicking the log stream nameFigure 4 system-trace log stream page
- Click 15 minutes (From now) in the upper right corner to set the query time range.
- Enter access_key_id:{access_key_id} in the search box and click Search.
- Replace {access_key_id} with your access key ID.
- Message displayed during query: Field access_key_id is not configured with indexing and cannot be queried
- Possible cause: No field indexing is configured.
- Solution: Create an index for field access_key_id in the index settings and run the query statement again. For details, see Configuring Indexes.
Figure 5 Searching for access_key_id - Click
on the right of the search box to create a quick query. Enter a query name and click the confirm button.
Figure 6 Creating a quick search - After creating a quick query, you can select it on the CTS log group page of the LTS console.
Figure 7 Quick search
Step 3: Configure an Alarm in LTS
- On the CTS log group page of the LTS console, click
in the upper right corner to add an alarm.
- On the alarm rule creation panel, set the parameters and click the confirm button. For details, see Configuring Log Alarm Rules.
- Once alarm rules are configured, you will get notifications when the trigger conditions are met. For example, an alarm will be triggered if access_key_id is used within 5 minutes.
- You can manage the added alarms on the Log Alarms page of the LTS console.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot