Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
2Dashboards
163Benchmarks
65Queries
2Variables
GitHub

Control: 2.1 Ensure that ActionTrail are configured to export copies of all Log entries

Description

ActionTrail is a web service that records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Alibaba Cloud service. ActionTrail provides a history of API calls for an account, including API calls made via the Management Console, SDKs, command line tools.

Remediation

Perform the following to enable global (Multi-region) ActionTrail logging:

Using the management console:

  1. Logon to ActionTrail Console.
  2. Click on Trails on the left navigation pane.
  3. Click Add new trail.
    • Enter a trail name in the Trail name box.
    • Set Yes for Apply Trail to All Regions.
    • Specify an OSS bucket name in the OSS bucket box.
    • Specify an SLS project name in the SLS project box.
    • Click Create.

Using CLI:

aliyun actiontrail CreateTrail --Name <trail_name> --OssBucketName <oss_bucket_for_actiontrail> --RoleName aliyunactiontraildefaultrole --SlsProjectArn <sls_project_arn_for_actiontrail> --SlsWriteRoleArn <sls_role_arn_for_actiontrail> --EventRW <api_type_for_actiontrail>


aliyun actiontrail UpdateTrail --Name <trail_name> --OssBucketName <oss_bucket_for_actiontrail> --RoleName aliyunactiontraildefaultrole --SlsProjectArn <sls_project_arn_for_actiontrail> --SlsWriteRoleArn <sls_role_arn_for_actiontrail> --EventRW <api_type_for_actiontrail>

Default Value:

By default, there are no trails configured. Once the trail is enabled, it applies to all regions by default.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_1 --share

SQL

This control uses a named query:

select
  'acs:actiontrail:' || home_region || ':' || account_id || ':actiontrail/' || name as resource,
  case
    when
      trail_region = 'All'
      and oss_bucket_name is not null
      and sls_project_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when
      trail_region = 'All'
      and oss_bucket_name is not null
      and sls_project_arn is not null then title || ' is configured to export copies of all log entries.'
    else title || ' is not configured to export copies of all log entries.'
  end as reason
  , account_id as account_id, region as region
from
  alicloud_action_trail;

Tags

category = Compliance
cis = true
cis_item_id = 2.1
cis_level = 1
cis_section_id = 2
cis_type = automated
cis_version = v2.0.0
plugin = alicloud
service = AliCloud/ActionTrail