Uploading audit logs to a bucket
Follow these instructions to create a trail that uploads audit logs of cloud resources to an Object Storage bucket with encryption enabled.
The setup is the same for a bucket without encryption; the only difference is that you do not need to assign Yandex Key Management Service roles.
Before you start
- Create a new bucket to upload audit logs to it.
- Create an encryption key in KMS.
- Enable bucket encryption using the encryption key generated.
- Create a service account and assign the following roles to it:
  - audit-trails.viewer for the cloud.
  - storage.uploader for the bucket or the folder.
  - kms.keys.encrypterDecrypter for the encryption key.
- Make sure that the user has the following roles:
  - iam.serviceAccounts.user for the service account.
  - audit-trails.editor for the folder that will host the trail.
  - audit-trails.viewer for the cloud from which audit logs will be collected.
  - storage.viewer for the bucket or the folder.
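The prerequisites above are easy to get half right: a bucket whose default encryption uses one KMS key while the service account holds kms.keys.encrypterDecrypter on a different key is exactly the kind of mismatch that surfaces only after the trail is created. The following pre-flight check is an added example, not code from the Yandex Cloud documentation. It assumes the S3-compatible endpoint https://storage.yandexcloud.net and the standard S3 response shape for GetBucketEncryption; the sample response, bucket name, key ID and credentials are constructed placeholders.

```python
"""Pre-flight check for an Audit Trails destination bucket (added example)."""
from __future__ import annotations

from typing import Dict, Iterable, List, Optional, Set

# Roles the page lists for the trail's service account. Scope, per the page:
# audit-trails.viewer on the cloud, storage.uploader on the bucket or folder,
# and kms.keys.encrypterDecrypter on the encryption key (encrypted buckets only).
SERVICE_ACCOUNT_ROLES = frozenset({"audit-trails.viewer", "storage.uploader"})
KMS_ROLE = "kms.keys.encrypterDecrypter"

# Constructed sample: a GetBucketEncryption response for a bucket whose default
# encryption uses the (placeholder) KMS key "abjexamplekey001".
SAMPLE_ENCRYPTED = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "abjexamplekey001",
                }
            }
        ]
    }
}


def default_kms_key(encryption_config: Optional[dict]) -> Optional[str]:
    """Return the KMS key ID the bucket encrypts new objects with by default.

    None means no default encryption: the caller passes None when
    GetBucketEncryption failed with ServerSideEncryptionConfigurationNotFoundError.
    """
    if encryption_config is None:
        return None
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        by_default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if by_default.get("SSEAlgorithm") == "aws:kms":
            return by_default.get("KMSMasterKeyID")
    return None


def check_destination(
    encryption_config: Optional[dict],
    sa_roles: Iterable[str],
    kms_roles_by_key: Dict[str, Set[str]],
) -> List[str]:
    """Return a list of problems; an empty list means the destination is ready.

    sa_roles: roles the service account holds on the cloud/bucket.
    kms_roles_by_key: roles the service account holds on each KMS key, by key ID.
    """
    problems: List[str] = []
    for role in sorted(SERVICE_ACCOUNT_ROLES - set(sa_roles)):
        problems.append(f"service account lacks {role}")

    key_id = default_kms_key(encryption_config)
    if key_id is None:
        # Unencrypted bucket: the page says no KMS role is needed in that case.
        return problems
    # Encrypted bucket: the role must be on the key the bucket actually uses.
    if KMS_ROLE not in kms_roles_by_key.get(key_id, set()):
        problems.append(f"service account lacks {KMS_ROLE} on key {key_id}")
    return problems


def fetch_encryption_config(bucket: str, access_key: str, secret_key: str) -> Optional[dict]:
    """Live lookup through the S3-compatible API (needs network and boto3).

    Assumption: Object Storage answers GetBucketEncryption in the standard S3
    shape; an unencrypted bucket yields None instead of an exception.
    """
    import boto3  # imported lazily so the offline checks above run without it
    from botocore.exceptions import ClientError

    s3 = boto3.client(
        "s3",
        endpoint_url="https://storage.yandexcloud.net",
        region_name="ru-central1",
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
    )
    try:
        return s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise


if __name__ == "__main__":
    # Offline demo on the constructed sample: the role is held on the wrong key.
    sa_roles = ["audit-trails.viewer", "storage.uploader"]
    wrong_key = {"abjotherkey999": {KMS_ROLE}}
    for problem in check_destination(SAMPLE_ENCRYPTED, sa_roles, wrong_key):
        print("problem:", problem)
```

Run the offline demo as is; to check a real bucket, replace `SAMPLE_ENCRYPTED` with the result of `fetch_encryption_config(...)` using the static access key of an account that holds storage.viewer on the bucket, and fill `kms_roles_by_key` from the key's access bindings.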
Creating a trail
To create the first trail in Audit Trails and start collecting audit logs:
- In the management console, select the folder where you want to host the trail.
- Select Audit Trails.
- Click Create audit log and specify:
- Name: The name of the trail being created.
- Description: A description of the trail (optional).
- Service account: Select the service account on behalf of which the trail will upload audit log files to the bucket.
- Destination: Object Storage.
- Bucket: The name of the bucket where you want to upload audit logs.
- Object prefix: An optional parameter used in the full name of the audit log file.
- Resource: Select
- Cloud: Select the name of the cloud hosting the current trail.
- Folders: Leave the field empty.
- Click Create.
The trail will be created and begin uploading audit logs to the bucket.