Enable Global Service (Multi-Region) Logging

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: AlibabaCloud-ActionTrail-001

Ensure that your ActionTrail trails are recording global, multi-region events in order to increase the visibility of the API activity in your Alibaba Cloud account for security and management purposes.

Security

ActionTrail's API call history supports security analysis, resource tracking, and compliance auditing. A multi-region trail is essential for detecting unexpected activity in regions you do not normally use, which is a common first indicator of compromised credentials. Enabling Global Service Logging ensures that events generated by Alibaba Cloud global services are recorded in a multi-region trail, so that management operations on all resources within the Alibaba Cloud account are captured rather than only those in the trail's home region.

Audit

To determine if your ActionTrail trail is enabled for all supported regions, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to ActionTrail console at https://actiontrail.console.aliyun.com.

03 In the left navigation panel, under ActionTrail, choose Trails.

04 Click on the name (link) of the ActionTrail trail that you want to examine, listed in the Trail Name column.

05 In the Basic Information section, ensure that Trail Status is set to Enabled, and check the Home Region attribute value. If Home Region is not set to All Regions, the selected ActionTrail trail is not configured to record global, multi-region events.

06 Repeat steps no. 4 and 5 for each ActionTrail trail available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the DescribeTrails command (OSX/Linux/UNIX) to describe the configuration details of each ActionTrail trail available in your Alibaba Cloud account:

aliyun actiontrail DescribeTrails

02 The command output should return the configuration information available for each deployed trail:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TrailList": [
		{
			"CreateTime": "2024-02-02T10:02:11Z",
			"EventRW": "All",
			"HomeRegion": "us-west-1",
			"IsOrganizationTrail": false,
			"IsShadowTrail": 0,
			"MaxComputeProjectArn": "",
			"MaxComputeWriteRoleArn": "",
			"Name": "tm-project-main-trail",
			"OssBucketLocation": "oss-us-west-1",
			"OssBucketName": "tm-project-trail-bucket",
			"OssKeyPrefix": "",
			"OssWriteRoleArn": "",
			"Region": "us-west-1",
			"StartLoggingTime": "2024-02-02T10:02:12Z",
			"Status": "Enable",
			"TrailRegion": "us-west-1",
			"UpdateTime": "2024-02-02T10:02:24Z"
		},
		{
			"CreateTime": "2024-02-02T09:45:44Z",
			"EventRW": "All",
			"HomeRegion": "eu-west-1",
			"IsOrganizationTrail": false,
			"IsShadowTrail": 0,
			"MaxComputeProjectArn": "",
			"MaxComputeWriteRoleArn": "",
			"Name": "tm-project-cloud-trail",
			"OssBucketLocation": "oss-eu-west-1",
			"OssBucketName": "tm-project-trail-bucket",
			"OssKeyPrefix": "",
			"OssWriteRoleArn": "",
			"Region": "eu-west-1",
			"StartLoggingTime": "2024-02-02T09:45:45Z",
			"Status": "Enable",
			"TrailRegion": "eu-west-1",
			"UpdateTime": "2024-02-02T09:45:45Z"
		}
	]
}

Check the "TrailRegion" attribute value for each deployed trail to determine its multi-region logging configuration. If the "TrailRegion" value is not set to "All", the ActionTrail trail is not configured to record global, multi-region events. Also confirm that "Status" is "Enable", since a multi-region trail that is not logging provides no coverage.

Remediation / Resolution

To ensure that at least one ActionTrail trail is configured to record global, multi-region events within your Alibaba Cloud account, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to ActionTrail console at https://actiontrail.console.aliyun.com.

03 In the left navigation panel, under ActionTrail, choose Trails.

04 Click on the name (link) of the ActionTrail trail that you want to configure, listed in the Trail Name column.

05 Ensure that Trail Status is set to Enabled and choose Modify to change the trail region configuration.

06 In the Basic Information section, choose All Regions from the Home Region dropdown list to enable global, multi-region logging for the selected ActionTrail trail. Choose Confirm to apply the configuration changes.

Using Alibaba Cloud CLI

01 Run the UpdateTrail command (OSX/Linux/UNIX) with the name of the ActionTrail trail that you want to configure as the identifier parameter, and enable global, multi-region logging for the selected trail by setting the --TrailRegion parameter to All:

aliyun actiontrail UpdateTrail \
  --Name tm-project-main-trail \
  --OssBucketName tm-project-trail-bucket \
  --TrailRegion All

02 The command output should return the new configuration information available for the modified trail:

{
	"EventRW": "All",
	"HomeRegion": "eu-west-1",
	"MaxComputeProjectArn": "",
	"MaxComputeWriteRoleArn": "",
	"Name": "tm-project-main-trail",
	"OssBucketName": "tm-project-trail-bucket",
	"OssKeyPrefix": "",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"SlsProjectArn": "",
	"SlsWriteRoleArn": "",
	"TrailRegion": "All"
}

03 Repeat steps no. 1 and 2 for each ActionTrail trail that you want to configure, available within your Alibaba Cloud account.
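The audit check from CLI step 02 and the remediation command from CLI step 01 above, combined into one added Python example. This is not code from the Conformity rule page or from the aliyun CLI; it assumes only the DescribeTrails output shape shown in the Audit section and embeds a constructed sample (the two trails from the page plus a third, disabled trail added here) so it runs offline. A live check would replace the sample with the parsed output of `aliyun actiontrail DescribeTrails`.

```python
import json
from typing import Dict, List

# Constructed sample modelled on the DescribeTrails output in the Audit section,
# reduced to the fields the check needs. The third trail is added here to show
# how the status check interacts with the region check. Names, regions and the
# RequestId are sample values, not real resources.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
  "TrailList": [
    {"Name": "tm-project-main-trail",   "Status": "Enable",  "HomeRegion": "us-west-1",
     "TrailRegion": "us-west-1", "OssBucketName": "tm-project-trail-bucket"},
    {"Name": "tm-project-cloud-trail",  "Status": "Enable",  "HomeRegion": "eu-west-1",
     "TrailRegion": "eu-west-1", "OssBucketName": "tm-project-trail-bucket"},
    {"Name": "tm-project-global-trail", "Status": "Disable", "HomeRegion": "eu-west-1",
     "TrailRegion": "All",       "OssBucketName": "tm-project-trail-bucket"}
  ]
}
""")


def audit_trails(describe_output: Dict) -> List[Dict[str, str]]:
    """Return one finding per trail that does not satisfy the rule.

    A trail passes only when it is enabled AND records all regions
    ("TrailRegion": "All"). Each failure carries a reason so the operator
    can see which fix applies (enable the trail, or widen its region).
    """
    findings = []
    for trail in describe_output.get("TrailList", []):
        name = trail.get("Name", "<unnamed>")
        status = trail.get("Status")
        region = trail.get("TrailRegion")
        if status != "Enable":
            findings.append({"Name": name, "Reason": f"trail is not enabled (Status={status!r})"})
        elif region != "All":
            findings.append({"Name": name, "Reason": f"TrailRegion is {region!r}, not 'All'"})
    return findings


def account_is_compliant(describe_output: Dict) -> bool:
    """The rule is satisfied when at least one enabled trail covers all regions."""
    return any(
        t.get("Status") == "Enable" and t.get("TrailRegion") == "All"
        for t in describe_output.get("TrailList", [])
    )


def remediation_commands(describe_output: Dict) -> List[str]:
    """Render the UpdateTrail command from the Remediation section for each
    enabled trail that is still single-region. Commands are only built as
    strings here, never executed. Disabled trails are skipped: changing their
    region does not start logging, so they need a separate enable step."""
    cmds = []
    for trail in describe_output.get("TrailList", []):
        if trail.get("Status") == "Enable" and trail.get("TrailRegion") != "All":
            cmds.append(
                "aliyun actiontrail UpdateTrail "
                f"--Name {trail['Name']} "
                f"--OssBucketName {trail['OssBucketName']} "
                "--TrailRegion All"
            )
    return cmds


if __name__ == "__main__":
    # Live use: data = json.loads(subprocess.check_output(
    #     ["aliyun", "actiontrail", "DescribeTrails"]))
    data = SAMPLE_DESCRIBE_TRAILS
    for finding in audit_trails(data):
        print(f"NON-COMPLIANT {finding['Name']}: {finding['Reason']}")
    print("account compliant:", account_is_compliant(data))
    for cmd in remediation_commands(data):
        print(cmd)
```

The account-level check is separate from the per-trail findings because the rule's remediation goal is "at least one" multi-region trail: a single-region trail next to an enabled all-region trail is not itself a gap in coverage, even though it shows up in the per-trail list.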

Publication date Feb 22, 2024