turbot/alicloud
steampipe plugin install alicloud

Table: alicloud_action_trail - Query Alibaba Cloud Action Trails using SQL

Action Trail is a feature within Alibaba Cloud that records and audits user activity within an Alibaba Cloud account. It provides detailed information about API calls, including the caller identities, IP addresses, time of the calls, request parameters, and response elements. Action Trail helps in security analysis, resource change tracking, compliance auditing, and troubleshooting.

Table Usage Guide

The alicloud_action_trail table provides insights into user activity within Alibaba Cloud. As a security analyst, you can explore trail-specific details through this table, including the name, home region, role name, and other associated metadata. Utilize it to uncover information about trails, such as delivery location, trail status, and the creation time, which can aid in auditing and compliance tasks.

Examples

Basic info

Explore the status and regional details of your Alicloud action trails to understand which trails are active and where they are operating. This can help in managing and optimizing your security audit trails.

select
  name,
  home_region,
  event_rw,
  status,
  trail_region
from
  alicloud_action_trail;

List enabled trails

Discover the trails that are actively monitoring your Alibaba Cloud resources. This query will help you understand which of your action trails are currently enabled and actively logging events, providing insights into your system's security and compliance.

select
  name,
  home_region,
  event_rw,
  status,
  trail_region
from
  alicloud_action_trail
where
  status = 'Enable';

List multi-account trails

This query is useful for identifying all the action trails that are set up across multiple accounts in your organization. It helps in understanding the configuration and status of these trails, which can be beneficial for auditing and compliance purposes.

-- PostgreSQL form: the boolean column is used directly
select
  name,
  home_region,
  is_organization_trail,
  status,
  trail_region
from
  alicloud_action_trail
where
  is_organization_trail;

-- SQLite form: booleans are compared as integers
select
  name,
  home_region,
  is_organization_trail,
  status,
  trail_region
from
  alicloud_action_trail
where
  is_organization_trail = 1;

List shadow trails

Find shadow trails: rows where a trail applies to all regions and is listed in a region other than its home region. This can be useful for understanding the distribution and operation of action trails in different regions.

select
  name,
  region,
  home_region
from
  alicloud_action_trail
where
  trail_region = 'All'
  and home_region <> region;
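
An added audit query, not part of the plugin documentation, that builds on the examples above: it lists trails with a logging gap (not enabled, not applied to all regions, not delivering all event types, or no delivery target configured). It uses only columns from this table's schema and PostgreSQL syntax; the value 'All' for event_rw is an assumption, and the finding labels are illustrative.

```sql
-- Added example: flag trails whose configuration leaves audit-logging gaps.
-- 'Enable' and trail_region = 'All' come from the page's own queries;
-- event_rw = 'All' is an assumed value, not taken from this page.
with trails as (
  -- distinct collapses the per-region (shadow) copies of a multi-region trail
  select distinct
    account_id,
    name,
    home_region,
    status,
    trail_region,
    event_rw,
    oss_bucket_name,
    sls_project_arn,
    stop_logging_time
  from
    alicloud_action_trail
),
reviewed as (
  select
    account_id,
    name,
    home_region,
    stop_logging_time,
    -- each case yields a label or null; array_remove drops the nulls
    array_remove(array[
      case when status is distinct from 'Enable'
        then 'logging is not enabled' end,
      case when trail_region is distinct from 'All'
        then 'does not apply to all regions' end,
      case when event_rw is distinct from 'All'
        then 'not all read/write events are delivered' end,
      case when coalesce(oss_bucket_name, '') = ''
            and coalesce(sls_project_arn, '') = ''
        then 'no OSS bucket or Log Service project configured' end
    ], null) as findings
  from
    trails
)
select account_id, name, home_region, findings, stop_logging_time
from reviewed
where cardinality(findings) > 0
order by cardinality(findings) desc, account_id, name;
```

An empty result means every trail is enabled, applies to all regions, delivers all event types, and has at least one delivery target.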

Schema for alicloud_action_trail

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Alicloud Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| create_time | timestamp with time zone | | The time when the trail was created. |
| event_rw | text | | The read/write type of the delivered events. |
| home_region | text | | The home region of the trail. |
| is_organization_trail | boolean | | Indicates whether the trail was created as a multi-account trail. |
| name | text | = | The name of the trail. |
| oss_bucket_name | text | | The name of the OSS bucket to which events are delivered. |
| oss_key_prefix | text | | The prefix of log files stored in the OSS bucket. |
| region | text | | The Alicloud region in which the resource is located. |
| role_name | text | | The name of the Resource Access Management (RAM) role that ActionTrail is allowed to assume. |
| sls_project_arn | text | | The ARN of the Log Service project to which events are delivered. |
| sls_write_role_arn | text | | The ARN of the RAM role assumed by ActionTrail for delivering logs to the destination Log Service project. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| start_logging_time | timestamp with time zone | | The most recent date and time when logging was enabled for the trail. |
| status | text | | The status of the trail. |
| stop_logging_time | timestamp with time zone | | The most recent date and time when logging was disabled for the trail. |
| title | text | | Title of the resource. |
| trail_region | text | | The regions to which the trail is applied. |
| update_time | timestamp with time zone | | The most recent time when the configuration of the trail was updated. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install the exporter with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_action_trail