COMP-264 Updating documentation for audit secret logging (Audit Log section) #2716

Open
wants to merge 4 commits into
base: main
Changes from 3 commits
148 changes: 148 additions & 0 deletions pages/pipelines/audit_log.md
Expand Up @@ -73,6 +73,11 @@ SCM_PIPELINE_SETTINGS_UPDATED
SCM_SERVICE_CREATED
SCM_SERVICE_DELETED
SCM_SERVICE_UPDATED
SECRET_CREATED
SECRET_DELETED
SECRET_QUERIED
SECRET_READ
SECRET_UPDATED
SSO_PROVIDER_CREATED
SSO_PROVIDER_DELETED
SSO_PROVIDER_DISABLED
Expand Down Expand Up @@ -100,3 +105,146 @@ USER_UPDATED
```

You can also set up [Amazon EventBridge](/docs/integrations/amazon-eventbridge) to stream Audit Log events.


## Audit logs for secrets

>📘 Audit logs for secrets do not contain the value or sensitive information about the secret.


Audit logs record information of transactions in which secrets are accessed or modified. The following events will be logged:

* `SECRET_CREATED` triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event.

```
{
"data"=> {
"auditEvent" => {
"__typename" => "AuditEvent",
"id" => "QXVkaXRFdmVudC0tLTAxOGUzZjBkLTIwZGUtNDZhZS1iNTMxLTU5NjRkYWJjY2M2Zg==",
"uuid" => "018e3f0d-20de-46ae-b531-5964dabccc6f",
"type" => "SECRET_CREATED",
"subject" => {
"id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMGQtMjBkZS00NmFlLWI1MzEtNTk2NGRhYmNjYzZm",
"type" => "SECRET",
"uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e",
"node" => {
"__typename" => "Secret",
"uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e",
"organization" => {
"name" => "Sunny Spot"
}
}
}
}
}
}
```

* `SECRET_DELETED` triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event.

```
{
"data" => {
"auditEvent" => {
"__typename" => "AuditEvent",
"id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE1LTk0OTEtNGJjMS1iOTY4LWNkYTdkMzk2ZDU0MA==",
"uuid" => "018e3f15-9491-4bc1-b968-cda7d396d540",
"type" => "SECRET_DELETED",
"subject" => {
"id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTUtOTQ5MS00YmMxLWI5NjgtY2RhN2QzOTZkNTQw",
"type" => "SECRET",
"uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee",
"node" => {
"__typename" => "Secret",
"uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee",
"organization" => {
"name" => "Sunny Spot"
}
}
}
}
}
}
```

* `SECRET_READ` triggers an audit event when an actor accesses or reads the value of a secret. Secrets can be read by an agent running a compute job, or read by a user belonging to an organization. Below are the fields captured in the audit log for this event.

```
{
"data" => {
"auditEvent" => {
"__typename" => "AuditEvent",
"id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE5LTlkODgtNDBmZS1iOGIzLTkxMTk5OWNlMmRmMg==",
"uuid" => "018e3f19-9d88-40fe-b8b3-911999ce2df2",
"type" => "SECRET_READ",
"subject" => {
"id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTktOWQ4OC00MGZlLWI4YjMtOTExOTk5Y2UyZGYy",
"type" => "SECRET",
"uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c",
"node" => {
"__typename" => "Secret",
"uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c",
"organization" => {
"name" => "Sunny Spot"
}
}
}
}
}
}
```

* `SECRET_QUERIED` triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event.

```
{
"data" => {
"auditEvent" => {
"__typename" => "AuditEvent",
"id" => "QXVkaXRFdmVudC0tLTAxOGUzZjRlLTdiNGUtNDQ1ZS04MDI3LWQyZGU4ZjY3MDI0Yg==",
"uuid" => "018e3f4e-7b4e-445e-8027-d2de8f67024b",
"type" => "SECRET_QUERIED",
"subject" => {
"id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNGUtN2I0ZS00NDVlLTgwMjctZDJkZThmNjcwMjRi",
"type" => "SECRET",
"uuid" => "d906f471-92a9-4725-aad5-d7388280e654",
"node" => {
"__typename" => "Secret",
"uuid" => "d906f471-92a9-4725-aad5-d7388280e654",
"organization" => {
"name" => "Sunny Spot"
}
}
}
}
}
}
```

* `SECRET_UPDATED` triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event.

```
{
"data" => {
"auditEvent" => {
"__typename" => "AuditEvent",
"id" => "QXVkaXRFdmVudC0tLTAxOGUzZjUxLWViNTMtNGVlZC1hZmRjLWE2ZTdhZjcyMDFkOQ==",
"uuid" => "018e3f51-eb53-4eed-afdc-a6e7af7201d9",
"type" => "SECRET_UPDATED",
"subject" => {
"id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNTEtZWI1My00ZWVkLWFmZGMtYTZlN2FmNzIwMWQ5",
"type" => "SECRET",
"uuid" => "87a44525-2a66-441a-89f6-8b559364aed9",
"node" => {
"__typename" => "Secret",
"uuid" => "87a44525-2a66-441a-89f6-8b559364aed9",
"organization" => {
"name" => "Sunny Spot"
}
}
}
}
}
}
```
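Review bot: the SECRET_UPDATED description says the audit log "maintain[s] records of these version identifiers and their corresponding updates", but the sample that follows shows only `uuid`, `type`, `subject` and `organization`, with no version field at all; either add the field the event actually records or drop the claim, since a reader cannot otherwise tell which version of a secret was changed. Three smaller points in the same region: the SECRET_QUERIED sentence is ungrammatical (`triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed`) and should read along the lines of "triggers an audit event when a user belonging to an organization, or a system identity such as an agent, performs a query to find one or more secrets"; the first sample has `"data"=> {` where the other four have `"data" => {`; and the five samples are identical apart from UUIDs and the `type` value, none showing an actor or timestamp, so the repeated "Below are the fields captured in the audit log for this event" overstates what the blocks show. Consider one sample plus a sentence on which fields vary per event, and tag the fences with a language (the blocks are Ruby hash syntax, not JSON).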