Investigating Suspicious AccessKey Activity with Alibaba Cloud Observability MCP
This guide walks through a real‑world AccessKey security incident, showing how to configure the Alibaba Cloud Observability MCP server, import JSON settings into Cherry Studio, and use natural‑language queries to audit logs, identify risky operations, monitor root account usage, and summarize overall system activity.
Environment Preparation
Operation audit logs are streamed to Alibaba Cloud Log Service (SLS), which records fields such as AccessKey usage, user identity, event type, and timestamps. The MCP-Server-Aliyun-Observability component enables natural‑language queries over SLS and ARMS data. It supports two execution modes:
stdio mode: the client launches the server as a subprocess and communicates via standard input/output.
SSE mode: the server runs independently and listens on a port for client connections.
Common MCP clients include Claude Desktop, Cursor, Cherry Studio, and VSCode extensions (Cline/Continue).
JSON Configuration for stdio Mode
{
  "mcpServers": {
    "aliyun_observability": {
      "command": "uvx",
      "args": [
        "mcp-server-aliyun-observability",
        "--access-key-id", "YOUR_AK_ID",
        "--access-key-secret", "YOUR_AK_SECRET"
      ]
    }
  }
}
AK Auditing Scenarios
Trace a suspicious AK: query SLS for all events of a specific AccessKey and list operation type and timestamp.
Identify high‑risk operations: find users who performed delete or update actions in the last week, returning user, service, and event name.
Monitor Root account usage: retrieve all root AccessKey usage in the past 30 days with user information and event names.
System activity overview: list the ten most recent cloud‑service access events.
Logstore and Field Dictionary
# Logstore information
- Region: cn-heyuan
- Project: aliyun-product-data-155xxxxx2981-cn-heyuan
- Logstore: actiontrail_security-actiontrail-1743562654649
# Field list
- __topic__: log topic (actiontrail_event)
- __time__: event timestamp
- owner_id: Alibaba Cloud account ID
- event.eventId: unique event identifier
- event.eventName: name of the operation
- event.eventSource: source service
- event.eventType: type of event
- event.serviceName: service name
- event.resourceName: resource identifier
- event.resourceType: resource type
- event.userIdentity.accessKeyId: AccessKey ID used
- event.userIdentity.accountId: requester account ID
- event.userIdentity.principalId: credential ID
- event.userIdentity.type: credential type
- event.userIdentity.userName: user name
- event.errorCode: error code if the event failed
- event.errorMessage: error message if the event failed
- additionalEventData.isMFAChecked: MFA status of the login
- additionalEventData.loginAccount: login account name
Example Natural‑Language Queries
“Show me what AK ‘LN…7’ has done recently, including operation types and times.”
“Who performed dangerous delete or update operations in the last week? List the user, service, and event name.”
“Show me every use of the root AK in the past month, with user info and event names.”
“Give me the latest 10 cloud service access events.”
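The four questions above are what the MCP server turns into SLS queries on the analyst's behalf. To show what each question actually asks of the logstore, the following Python replays the same four scenarios locally over a handful of constructed ActionTrail records that use the field names from the dictionary above. This is an added example, not code from the original article or from the MCP server; the timestamps, AccessKey IDs, user names, the reference time NOW, and the userIdentity.type values "root-account" and "ram-user" are all constructed for illustration.

```python
"""Local replay of the four AK-auditing scenarios over constructed ActionTrail events.

Added example, not part of the original article or the MCP server's code.
The event dicts mimic the SLS field names listed in the dictionary; the
timestamps, AccessKey IDs, user names and userIdentity.type values are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
HIGH_RISK_PREFIXES = ("Delete", "Update")              # the "dangerous" actions the article names


def make_event(hours_ago, name, service, ak, user, identity_type):
    """Build one flattened ActionTrail record using the logstore's field names."""
    return {
        "__time__": int((NOW - timedelta(hours=hours_ago)).timestamp()),
        "event.eventName": name,
        "event.serviceName": service,
        "event.userIdentity.accessKeyId": ak,
        "event.userIdentity.userName": user,
        "event.userIdentity.type": identity_type,  # constructed values: "root-account" / "ram-user"
    }


# Constructed sample logstore contents: two RAM users, a root-account key, and read-only noise.
EVENTS = [
    make_event(1, "DeleteInstance", "Ecs", "LTAI_constructed_A", "ops-bot", "ram-user"),
    make_event(5, "DescribeInstances", "Ecs", "LTAI_constructed_A", "ops-bot", "ram-user"),
    make_event(30, "UpdateLoginProfile", "Ram", "LTAI_constructed_B", "alice", "ram-user"),
    make_event(24 * 10, "DeleteBucket", "Oss", "LTAI_constructed_B", "alice", "ram-user"),  # older than a week
    make_event(24 * 3, "ListUsers", "Ram", "LTAI_constructed_ROOT", "root", "root-account"),
    make_event(24 * 40, "CreateAccessKey", "Ram", "LTAI_constructed_ROOT", "root", "root-account"),  # older than 30 days
] + [
    make_event(h, "DescribeRegions", "Ecs", "LTAI_constructed_C", "monitor", "ram-user")
    for h in (2, 3, 4, 6, 7, 8, 9, 10)  # routine read-only activity
]


def _newest_first(events):
    return sorted(events, key=lambda e: e["__time__"], reverse=True)


def _within(event, days):
    """True if the event's __time__ falls inside the last `days` days before NOW."""
    return event["__time__"] >= int((NOW - timedelta(days=days)).timestamp())


def trace_ak(events, ak):
    """Scenario 1: every operation performed with one AccessKey, newest first, as (event, ISO time)."""
    return [(e["event.eventName"], datetime.fromtimestamp(e["__time__"], timezone.utc).isoformat())
            for e in _newest_first(events) if e["event.userIdentity.accessKeyId"] == ak]


def high_risk_last_week(events):
    """Scenario 2: who ran delete/update actions in the last 7 days, as (user, service, event)."""
    return [(e["event.userIdentity.userName"], e["event.serviceName"], e["event.eventName"])
            for e in _newest_first(events)
            if _within(e, 7) and e["event.eventName"].startswith(HIGH_RISK_PREFIXES)]


def root_usage_last_30d(events):
    """Scenario 3: any root-account AccessKey usage in the last 30 days, as (user, event)."""
    return [(e["event.userIdentity.userName"], e["event.eventName"])
            for e in _newest_first(events)
            if _within(e, 30) and e["event.userIdentity.type"] == "root-account"]


def latest_events(events, n=10):
    """Scenario 4: the n most recent access events, as (service, event name)."""
    return [(e["event.serviceName"], e["event.eventName"]) for e in _newest_first(events)[:n]]


if __name__ == "__main__":
    print("AK trace:", trace_ak(EVENTS, "LTAI_constructed_A"))
    print("High-risk last week:", high_risk_last_week(EVENTS))
    print("Root usage last 30d:", root_usage_last_30d(EVENTS))
    print("Latest 10:", latest_events(EVENTS))
```

Running it shows the answers an analyst should expect back from the assistant for each question: the older DeleteBucket and CreateAccessKey records fall outside the 7-day and 30-day windows and are correctly left out, which is the kind of boundary worth checking when validating what the MCP server returns against the raw logstore.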
Integrating operation audit logs with the MCP server allows security teams to conduct interactive, real‑time investigations, dramatically reducing response time and turning log analysis into a proactive, dialogue‑driven process.
Alibaba Cloud Native
We publish cloud-native tech news, curate in-depth content, host regular events and live streams, and share Alibaba product and user case studies. Join us to explore and share the cloud-native insights you need.