Configuring a response in Yandex Cloud Logging and Yandex Cloud Functions

You can configure Cloud Functions to automatically respond to audit log events. For example, to send messages through convenient notification channels or automatically modify Yandex Cloud resource settings to compensate for changes.

How it works

In general, you will require the following components to configure a response via Cloud Functions:

1. A trail uploads audit logs to a log group.
2. A log group acts as an interface between a trail and a Cloud Functions trigger.
3. A Yandex Cloud Logging trigger calls the function when adding an entry to a log group.
4. A Cloud Functions function to execute the response logic.
5. An optional auxiliary component, such as a Telegram bot or mail server.

Example implementation

Yc-solution-library-for-security contains an example solution that uses Cloud Functions to provide notification of specified events via a Telegram bot and perform compensating actions on Yandex Cloud resources via API methods.

Notifications are implemented for the following events:

• Security groups: Allowing incoming traffic to all private addresses (0.0.0.0/0).
• Object Storage: Enabling public access to buckets.
• Yandex Lockbox: Assigning access to a secret.

Compensating actions on Yandex Cloud resources:

• Security groups: Delete the rule.
• Yandex Lockbox: Disable assigned access to the secret.

A solution contains the source codes of a Python function and a Terraform script that configures all the Yandex Cloud components required to complete the procedure.

What's next

• Learn more about the audit log format.
• Learn about existing solutions to export audit logs to SIEM.