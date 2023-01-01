
Yandex Audit Trails

Service-level event audit log

You can track service-level (Data Plane) events to make sure only authorized users can access and update your data. This helps you ensure your cloud infrastructure's compliance with legal regulations and industry standards. For example, you can track when employees are granted access permissions to sensitive data stored in buckets.

You can also analyze service-level event logs to optimize the use of resources in your infrastructure. For example, you can determine which resources are used most often and enhance their performance, or identify rarely used resources that can be consolidated or removed to cut costs.

This feature is in the Preview stage. To get access, contact tech support or your account manager.

When setting up collection of service-level events for an Object Storage bucket, we do not recommend using that same bucket as the destination object for uploading logs. Doing so may cause automatic recursive generation of audit logs (a log entry written to the bucket is itself a bucket event) and, consequently, an increase in the size of generated logs (by about 16 MB per month per bucket object).

A service-level (Data Plane) audit log is a JSON object with a record of events that occurred to Yandex Cloud resources.

The log entry format is the same for every event; the values of some fields depend on both the source resource and the event type.

An event object is the service resource the operation is performed on. An event subject is the account under which the operation is performed.

Sample service-level audit log created when requesting the contents of a secret

If a federated user requests the contents of a secret in Yandex Lockbox, the following entry is written in the audit log:

{
    "event_id": "<event_ID>",
    "event_source": "lockbox",
    "event_type": "yandex.cloud.audit.lockbox.GetPayload",
    "event_time": "<event_date>",
    "authentication": {
        "authenticated": true,
        "subject_type": "FEDERATED_USER_ACCOUNT",
        "subject_id": "<user_ID>",
        "subject_name": "<username>",
        "federation_id": "<federation_ID>",
        "federation_name": "<federation_name>",
        "federation_type": "<federation_type>"
    },
    "authorization": {
        "authorized": true
    },
    "resource_metadata": {
        "path": [
            {
                "resource_type": "organization-manager.organization",
                "resource_id": "<organization_ID>",
                "resource_name": "<organization_name>"
            },
            {
                "resource_type": "resource-manager.cloud",
                "resource_id": "<cloud_ID>",
                "resource_name": "<cloud_name>"
            },
            {
                "resource_type": "resource-manager.folder",
                "resource_id": "<folder_ID>",
                "resource_name": "<folder_name>"
            }
        ]
    },
    "request_metadata": {
        "remote_address": "cloud.yandex",
        "user_agent": "Yandex Cloud",
        "request_id": "<request_ID>"
    },
    "event_status": "DONE",
    "details": {
        "secret_id": "<secret_ID>",
        "secret_name": "<secret_name>",
        "secret_version_id": "<secret_version_ID>",
        "secret_kms_key_id": "<ID_of_secret_encryption_key_in_KMS>",
        "secret_status": "<secret_status>",
        "secret_version_status": "<secret_version_status>",
        "secret_version_payload_entry_keys": [
            "<secret_version_entry_keys>"
        ]
    },
    "request_parameters": {
        "secret_id": "<secret_ID>",
        "version_id": "<secret_version_ID>"
    },
    "response": {
        "version_id": "<version_ID>",
        "entry_keys": [
            "<entry_keys>"
        ]
    }
}

Data schema

{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string,
    "federation_id": string,
    "federation_name": string,
    "federation_type": string
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  },
  "request_parameters": {
    object
  },
  "response": {
    object
  }
}
Fields, their types, and descriptions:
event_id string
Event ID
event_source string
Name of the event source service
event_type string
Event type, which is determined by the event source service. For more information, see Configuration-level event reference.
event_time string
Time when the event occurred.
authentication object
Authentication data of the event subject
authentication.authenticated boolean
Authentication result. The possible values include:
  • true: Authentication is successful.
  • false: Authentication failed.
authentication.subject_type string
Subject type. The possible values include:
  • YANDEX_PASSPORT_USER_ACCOUNT: Yandex account
  • SERVICE_ACCOUNT: Service account
  • FEDERATED_USER_ACCOUNT: Federated account
authentication.subject_id string
Subject ID
authentication.subject_name string
Subject name
authentication.federation_id* string
ID of the federation the federated user belongs to
authentication.federation_name* string
Name of the federation the federated user belongs to
authentication.federation_type* string
Federation type. The possible value is:
  • PRIVATE_FEDERATION: Federation managed by Yandex Cloud clients
authorization object
Authorization data of the event subject
authorization.authorized boolean
Authorization result. The possible values include:
  • true: Authorization is successful.
  • false: Authorization failed.
resource_metadata object
Metadata of the event object
resource_metadata.path[] array
Path to the resource where the event occurred.
resource_metadata.path[].resource_type string
Resource type
resource_metadata.path[].resource_id string
Resource ID
resource_metadata.path[].resource_name string
Resource name
request_metadata object
Details of the request that triggered the event
request_metadata.remote_address string
IP address of the event subject
request_metadata.user_agent string
User agent of the event subject
request_metadata.request_id string
Request ID
event_status string
Event status, which is determined by the source service and the event type. The possible values include:
  • STARTED: The operation started.
  • ERROR: The operation failed.
  • DONE: The operation completed successfully.
  • CANCELLED: The operation is canceled.
error object
Status error, a google.rpc.Status object.
details object
Event details, which are determined by the source service and the event type.
request_parameters object
Request parameters
response object
Data returned by the operation

* The field is available when subject_type = FEDERATED_USER_ACCOUNT

If the action was run by a Yandex Cloud infrastructure service or a support representative, the request_metadata.remote_address field contains cloud.yandex and the request_metadata.user_agent field contains Yandex Cloud.
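The following script is an added example, not part of the Yandex Cloud documentation or of Audit Trails itself. It checks service-level log entries against the field rules stated in the schema above (required top-level fields, allowed subject_type and event_status values, the federation_* fields that must accompany FEDERATED_USER_ACCOUNT) and then picks out the entries a reviewer would look at first: failed authentication, denied authorization, and successful Lockbox GetPayload reads whose request origin is not the cloud.yandex / Yandex Cloud pair that marks infrastructure activity. The sample entries are constructed for the example; every ID, name and address in them is a placeholder.

```python
# Field rules taken from the data schema and field descriptions above.
REQUIRED_TOP_LEVEL = ("event_id", "event_source", "event_type", "event_time",
                      "authentication", "authorization", "resource_metadata",
                      "request_metadata", "event_status")
SUBJECT_TYPES = {"YANDEX_PASSPORT_USER_ACCOUNT", "SERVICE_ACCOUNT", "FEDERATED_USER_ACCOUNT"}
EVENT_STATUSES = {"STARTED", "ERROR", "DONE", "CANCELLED"}
FEDERATION_FIELDS = ("federation_id", "federation_name", "federation_type")
# remote_address / user_agent pair written when a Yandex Cloud infrastructure
# service or a support representative performs the action.
INFRA_ORIGIN = ("cloud.yandex", "Yandex Cloud")
SECRET_READ = "yandex.cloud.audit.lockbox.GetPayload"


def validate_event(event):
    """Return a list of schema problems; an empty list means the entry is well-formed."""
    problems = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in event:
            problems.append(f"missing field: {key}")
    auth = event.get("authentication", {})
    subject_type = auth.get("subject_type")
    if subject_type not in SUBJECT_TYPES:
        problems.append(f"unknown subject_type: {subject_type!r}")
    if subject_type == "FEDERATED_USER_ACCOUNT":
        # The federation_* fields are only defined for federated subjects.
        for key in FEDERATION_FIELDS:
            if key not in auth:
                problems.append(f"federated subject without {key}")
    status = event.get("event_status")
    if status not in EVENT_STATUSES:
        problems.append(f"unknown event_status: {status!r}")
    return problems


def find_findings(events):
    """Return (event_id, finding, subject) tuples for entries worth a closer look."""
    findings = []
    for ev in events:
        eid = ev.get("event_id", "?")
        auth = ev.get("authentication", {})
        req = ev.get("request_metadata", {})
        subject = auth.get("subject_name") or auth.get("subject_id", "?")
        origin = (req.get("remote_address"), req.get("user_agent"))
        if auth.get("authenticated") is False:
            findings.append((eid, "authentication failed", subject))
        elif ev.get("authorization", {}).get("authorized") is False:
            findings.append((eid, "authorization denied", subject))
        elif (ev.get("event_type") == SECRET_READ
              and ev.get("event_status") == "DONE"
              and origin != INFRA_ORIGIN):
            # A completed secret read whose origin is a client, not the platform itself.
            findings.append((eid, "secret payload read by an external client", subject))
    return findings


def _event(event_id, subject_type, subject_name, status, remote_address, user_agent,
           authorized=True, federation=True):
    """Build a constructed sample entry shaped like the lockbox.GetPayload log above."""
    auth = {"authenticated": True, "subject_type": subject_type,
            "subject_id": f"id-{event_id}", "subject_name": subject_name}
    if subject_type == "FEDERATED_USER_ACCOUNT" and federation:
        auth.update({"federation_id": "fed-1", "federation_name": "corp-federation",
                     "federation_type": "PRIVATE_FEDERATION"})
    return {
        "event_id": event_id,
        "event_source": "lockbox",
        "event_type": SECRET_READ,
        "event_time": "2023-01-01T10:00:00Z",
        "authentication": auth,
        "authorization": {"authorized": authorized},
        "resource_metadata": {"path": [
            {"resource_type": "resource-manager.folder", "resource_id": "fld-1", "resource_name": "prod"}]},
        "request_metadata": {"remote_address": remote_address, "user_agent": user_agent,
                             "request_id": f"req-{event_id}"},
        "event_status": status,
        "details": {"secret_id": "sec-1", "secret_name": "db-password"},
    }


# Constructed sample log: placeholders only, not real Yandex Cloud identifiers.
SAMPLE_EVENTS = [
    _event("evt-1", "FEDERATED_USER_ACCOUNT", "alice@example.com", "DONE", "cloud.yandex", "Yandex Cloud"),
    _event("evt-2", "SERVICE_ACCOUNT", "ci-deployer", "DONE", "198.51.100.7", "curl/8.0"),
    _event("evt-3", "FEDERATED_USER_ACCOUNT", "bob@example.com", "ERROR", "203.0.113.9", "Mozilla/5.0",
           authorized=False),
]
# A deliberately malformed entry: federated subject without federation fields, no request_metadata.
BROKEN_EVENT = _event("evt-4", "FEDERATED_USER_ACCOUNT", "carol@example.com", "DONE",
                      "cloud.yandex", "Yandex Cloud", federation=False)
del BROKEN_EVENT["request_metadata"]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS + [BROKEN_EVENT]:
        print(ev["event_id"], validate_event(ev) or "ok")
    for finding in find_findings(SAMPLE_EVENTS):
        print(*finding)
```

The external-client rule is intentionally broad: a read performed from an employee's workstation is normal, but it is the class of event that the bucket-access and secret-access use cases at the top of this page are about, so surfacing it for review is the point; narrow it further with your own allow-list of expected subjects.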

Audit log format

Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:

  • If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
  • If the destination object is a log group, the message includes a single JSON object from an audit log.

Audit log file in a bucket

Below is the template for the full name of an audit log file in a bucket:

<object prefix>/<trail ID>/<year>/<month>/<file_name.json>

Log group entry

Log group entries have the following values:

  • Time: The event's event_time field value
  • JSON: JSON object of the event
  • Level: Calculated depending on the event_status value:
    • ERROR: For the ERROR value
    • WARN: For the CANCELLED value
    • INFO: For all other cases
  • Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name fields.
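As an added example (not code from the Yandex Cloud documentation or from Audit Trails), the script below handles both delivery shapes described above, a bucket file carrying a JSON array and a log group message carrying a single JSON object, splits a bucket object key according to the <object prefix>/<trail ID>/<year>/<month>/<file_name.json> template, and derives the log group Time, JSON, Level and Message values using the level rule just stated. Two assumptions are mine: that resource_name in the message is the last element of resource_metadata.path, and that the object prefix may itself contain slashes (so the key is split from the right). All sample entries and keys are constructed placeholders.

```python
import json

# Level rule from the log group entry description: ERROR -> ERROR, CANCELLED -> WARN, else INFO.
_LEVEL_BY_STATUS = {"ERROR": "ERROR", "CANCELLED": "WARN"}


def events_from_message(text):
    """Return the list of audit events in one message, whichever shape it has.

    A bucket file holds a JSON array of event objects; a log group message holds one object.
    """
    data = json.loads(text)
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        return [data]
    raise ValueError("audit message must be a JSON array or a JSON object")


def level_for(event_status):
    return _LEVEL_BY_STATUS.get(event_status, "INFO")


def _path_name(event, resource_type):
    """Name of the first path node of the given resource type, or '' if absent."""
    for node in event.get("resource_metadata", {}).get("path", []):
        if node.get("resource_type") == resource_type:
            return node.get("resource_name", "")
    return ""


def log_group_entry(event):
    """Build the Time / JSON / Level / Message values a log group entry carries.

    Assumption (not stated on the page): resource_name is taken from the last path element.
    """
    path = event.get("resource_metadata", {}).get("path", [])
    resource_name = path[-1].get("resource_name", "") if path else ""
    message = " ".join([
        event.get("event_status", ""),
        event.get("event_type", ""),
        event.get("authentication", {}).get("subject_name", ""),
        _path_name(event, "resource-manager.cloud"),
        resource_name,
    ])
    return {
        "time": event.get("event_time"),
        "json": event,
        "level": level_for(event.get("event_status")),
        "message": message,
    }


def parse_bucket_key(key):
    """Split '<object prefix>/<trail ID>/<year>/<month>/<file_name.json>' into its parts.

    Splits from the right so that the object prefix may contain slashes; an empty
    prefix (key starting with the trail ID) is accepted too.
    """
    parts = key.rsplit("/", 4)
    if len(parts) == 4:
        parts = [""] + parts
    if len(parts) != 5 or not parts[4].endswith(".json"):
        raise ValueError(f"not an audit log object key: {key!r}")
    prefix, trail_id, year, month, file_name = parts
    return {"prefix": prefix, "trail_id": trail_id, "year": int(year),
            "month": int(month), "file_name": file_name}


def _sample_event(event_id, status):
    """Constructed minimal entry; IDs and names are placeholders, not real values."""
    return {
        "event_id": event_id,
        "event_source": "lockbox",
        "event_type": "yandex.cloud.audit.lockbox.GetPayload",
        "event_time": "2023-01-01T10:00:00Z",
        "authentication": {"authenticated": True, "subject_type": "SERVICE_ACCOUNT",
                           "subject_id": "sa-1", "subject_name": "backup-sa"},
        "authorization": {"authorized": True},
        "resource_metadata": {"path": [
            {"resource_type": "resource-manager.cloud", "resource_id": "cloud-1", "resource_name": "demo-cloud"},
            {"resource_type": "resource-manager.folder", "resource_id": "fld-1", "resource_name": "prod"},
        ]},
        "request_metadata": {"remote_address": "cloud.yandex", "user_agent": "Yandex Cloud",
                             "request_id": f"req-{event_id}"},
        "event_status": status,
        "details": {},
    }


# Constructed messages in the two delivery shapes.
BUCKET_MESSAGE = json.dumps([_sample_event("evt-1", "DONE"), _sample_event("evt-2", "CANCELLED")])
LOG_GROUP_MESSAGE = json.dumps(_sample_event("evt-3", "ERROR"))

if __name__ == "__main__":
    print(parse_bucket_key("audit/logs/trail-abc/2023/01/events-0001.json"))
    for ev in events_from_message(BUCKET_MESSAGE) + events_from_message(LOG_GROUP_MESSAGE):
        entry = log_group_entry(ev)
        print(entry["time"], entry["level"], entry["message"])
```

Because a bucket file and a log group message differ only in the outer wrapper, routing both through events_from_message lets one downstream pipeline (alerting on Level, searching on Message) consume either destination.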
