© 2023 Intertech Services AG

Uploading organization audit logs to Object Storage

Written by Yandex Cloud
  • Prepare the environment
  • Encrypting a bucket
  • Create a trail
  • What's next

Follow these instructions to create a new trail that will upload audit logs of all of an organization's resources to an Object Storage bucket.

Tip

For additional security of your audit logs, use bucket encryption.

Prepare the environment

To collect organization audit logs:

  1. Create a new bucket to use for uploading audit logs.

  2. Create a service account.

  3. Assign roles to the service account:

    CLI

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    • audit-trails.viewer for the organization whose audit logs will be collected:

      yc organization-manager organization add-access-binding \
        --role audit-trails.viewer \
        --id <organization_ID> \
        --service-account-id <service_account_ID>

      Where:

      • role: The role assigned.
      • id: The ID of the organization from whose resources the audit logs will be collected.
      • service-account-id: The ID of your service account.
    • storage.uploader for the folder to host the trail:

      yc resource-manager folder add-access-binding \
        --role storage.uploader \
        --id <folder_ID> \
        --service-account-id <service_account_ID>

      Where:

      • role: The role assigned.
      • id: The ID of the folder to host the trail.
      • service-account-id: The ID of your service account.
  4. On the Access bindings page, make sure you have the following roles:

    • iam.serviceAccounts.user for the service account.
    • audit-trails.editor for the folder to host the trail.
    • audit-trails.viewer for the organization whose audit logs will be collected.
    • storage.viewer for the bucket or the folder.

Encrypting a bucket

To store logs in encrypted form:

  1. Create an encryption key in Yandex Key Management Service.

  2. Enable bucket encryption using the previously created key.

  3. Assign the previously created service account the kms.keys.encrypterDecrypter role for the key:

    yc kms symmetric-key add-access-binding \
        --role kms.keys.encrypterDecrypter \
        --id <encryption_key_ID> \
        --service-account-id <service_account_ID>

    Where:

    • role: The role assigned.
    • id: The ID of the encryption key.
    • service-account-id: The ID of your service account.
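The three add-access-binding commands from the "Prepare the environment" and "Encrypting a bucket" steps above can be run as one script, so the service account ends up with exactly the roles the instructions call for and nothing more. The script below is an added example, not Yandex Cloud's own tooling: it wraps the page's three yc commands in a function, lets you dry-run them by pointing YC at echo, and adds a small check that reports which required roles are still missing from a role list you have extracted (for instance from the Access bindings page or the CLI's list-access-bindings output). The IDs in the demo are placeholders, not real identifiers; the KMS role is bound only when a key ID is supplied, matching the optional encryption step.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud documentation): binds the roles an
# organization-scoped Audit Trails trail needs, then checks the result set.
set -eu

# YC lets the reader dry-run the script: YC="echo yc" prints the commands
# instead of calling the real CLI. Defaults to the installed `yc` binary.
YC=${YC:-yc}

# bind_trail_roles ORG_ID FOLDER_ID SA_ID [KMS_KEY_ID]
# Grants the roles the instructions list: audit-trails.viewer on the
# organization, storage.uploader on the folder that hosts the trail and, only
# when a key ID is given, kms.keys.encrypterDecrypter on the bucket's key.
bind_trail_roles() {
  org_id=$1; folder_id=$2; sa_id=$3; key_id=${4:-}

  $YC organization-manager organization add-access-binding \
    --role audit-trails.viewer \
    --id "$org_id" \
    --service-account-id "$sa_id"

  $YC resource-manager folder add-access-binding \
    --role storage.uploader \
    --id "$folder_id" \
    --service-account-id "$sa_id"

  if [ -n "$key_id" ]; then
    $YC kms symmetric-key add-access-binding \
      --role kms.keys.encrypterDecrypter \
      --id "$key_id" \
      --service-account-id "$sa_id"
  fi
}

# missing_roles REQUIRED_ROLES GRANTED_ROLES
# Both arguments are whitespace-separated role lists; GRANTED_ROLES is what you
# extracted for the service account from its access bindings. Prints each
# required role that is not granted, one per line; prints nothing when complete.
missing_roles() {
  required=$1; granted=$2
  for r in $required; do
    found=0
    for g in $granted; do
      [ "$r" = "$g" ] && found=1
    done
    [ "$found" -eq 1 ] || echo "$r"
  done
}

# Roles the service account needs for an organization trail writing to an
# encrypted bucket, taken from the instructions above.
SA_REQUIRED_ROLES="audit-trails.viewer storage.uploader kms.keys.encrypterDecrypter"

# Demo with placeholder IDs (constructed, not real identifiers). Runs as a
# dry-run so nothing in the cloud is changed: RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = "1" ]; then
  YC="echo yc"
  bind_trail_roles "<organization_ID>" "<folder_ID>" "<service_account_ID>" "<encryption_key_ID>"
  echo "still missing after a partial grant:"
  missing_roles "$SA_REQUIRED_ROLES" "audit-trails.viewer storage.uploader"
fi
```

Run the demo with RUN_DEMO=1 to see the exact commands the real run would execute; for a real run, set the four IDs and leave YC unset. The missing_roles check is deliberately a strict set comparison: a trail that cannot write is easy to notice, but a service account that quietly accumulated broader roles than the three listed here is not, so compare the granted list in both directions when you review the bindings.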

Create a trail

To create the first trail in Audit Trails and start the audit log management process:

Management console
  1. In the management console, select the folder where you wish to host the trail.

  2. Select Audit Trails.

  3. Click Create trail and specify:

    • Name: The name of the trail being created.
    • Description: A description of the trail (optional).
  4. Under Filter, set up the audit log scope:

    • Resource: Select Organization.
    • Organization: An automatically populated field containing the name of the current organization.
  5. Under Destination, set up the destination object:

    • Destination: Object Storage.
    • Bucket: The name of the bucket where you want to upload audit logs.
    • Object prefix: An optional parameter used in the full name of the audit log file.

    Note

    Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

  6. Under Service account, select the service account that the trail will use to upload audit log files to the bucket.

  7. Click Create.

What's next

  • Learn more about the audit log format.
  • Find out about the procedure for uploading audit logs to SIEM.
  • Learn more about searching audit logs in buckets.
