Audit Log Streaming
Introduction
HCP Boundary supports near real-time streaming of audit events to existing customer-managed accounts at supported providers. Audit events capture every create, list, update, or delete operation performed by an authenticated Boundary client (Desktop, CLI, or the browser-based admin UI) on any of the following resources within Boundary. Each event includes the ID of the user performing the operation, the timestamp, and the full request and response payloads.
- Sessions
- Scopes
- Workers
- Credential Stores, Credential Libraries, Credentials
- Auth Methods, Roles, Managed Groups, Groups, Users, Accounts, Grants
- Host Catalogs, Host Sets, Hosts, Targets
Audit logs allow administrators to track user activity and enable security teams to ensure compliance in accordance with regulatory requirements.
The following sections outline the steps required to enable and configure audit log streaming to supported providers. Currently Datadog and AWS CloudWatch are supported, and customers may stream to only one account at a time.
AWS Cloudwatch
Note: Before you begin, you need an IAM role that can be assumed by the HashiCorp logging AWS account. The steps below create that IAM role with the HashiCorp-specific values you will need.
Creating an IAM Role From the AWS Console
Create IAM Policy
AWS Console -> IAM Service -> Policies -> Create Policy
Choose JSON and use this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HCPLogStreaming",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:TagLogGroup"
      ],
      "Resource": "*"
    }
  ]
}
Finish the rest of the setup
Create IAM Role
- AWS Console -> IAM Service -> Roles -> Create a New Role
- Choose AWS account
- Trusted entity type: choose AWS Account
- An AWS account: choose Another AWS account
- Account ID: 711430482607
- Options: select Require external ID
- External ID: Use what is provided on the HCP Audit log page for you. Reference the screenshots below of the Enable Log Streaming page for AWS CloudWatch.
- Create custom policy
- Attach the new policy to the role
- Finish the rest of the creation steps
Create IAM Role Using Terraform
Note: You will need the HashiCorp-generated external ID from the HCP Audit Logs page within the Portal.
data "aws_iam_policy_document" "allow_hcp_to_stream_logs" {
  statement {
    effect = "Allow"
    actions = [
      "logs:PutLogEvents",      # To write logs to CloudWatch
      "logs:DescribeLogStreams", # To get the latest sequence token of a log stream
      "logs:DescribeLogGroups",  # To check if a log group already exists
      "logs:CreateLogGroup",     # To create a new log group
      "logs:CreateLogStream"     # To create a new log stream
    ]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "trust_policy" {
  statement {
    sid     = "HCPLogStreaming"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = ["711430482607"]
      type        = "AWS"
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["<ExternalID-generated-by-Hashicorp>"]
    }
  }
}

resource "aws_iam_role" "role" {
  name               = "hcp-log-streaming"
  description        = "iam role that allows hcp to send logs to cloudwatch logs"
  assume_role_policy = data.aws_iam_policy_document.trust_policy.json
  inline_policy {
    name   = "inline-policy"
    policy = data.aws_iam_policy_document.allow_hcp_to_stream_logs.json
  }
}
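Before saving the role created by either the console steps or the Terraform above, a practitioner can check its two policy documents against what this page requires: the trust policy admits only the HashiCorp logging account (711430482607) and carries the sts:ExternalId condition that prevents another tenant from pointing HashiCorp's account at your role, and the permissions policy grants nothing beyond the CloudWatch Logs actions listed. This is an added example, not HashiCorp's code; the sample policy document it loads is constructed.

```python
import json

HCP_LOGGING_ACCOUNT = "711430482607"   # HashiCorp logging account named on this page
# The only actions the page's permissions policy needs; anything else is over-privilege.
ALLOWED_LOG_ACTIONS = {
    "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups",
    "logs:CreateLogStream", "logs:CreateLogGroup", "logs:TagLogGroup",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal: str) -> str:
    # Accept a bare account ID or an ARN such as arn:aws:iam::<id>:root
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def check_trust_policy(doc: dict) -> list:
    """Findings for an IAM trust policy; an empty list means it matches the page's requirements."""
    findings, saw_assume = [], False
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        saw_assume = True
        principal = st.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("wildcard principal: any AWS account could assume the role")
        else:
            for p in _as_list(principal.get("AWS", [])):
                if _account_of(p) != HCP_LOGGING_ACCOUNT:
                    findings.append(f"unexpected principal {p}")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
    if not saw_assume:
        findings.append("no Allow sts:AssumeRole statement")
    return findings

def check_permissions_policy(doc: dict) -> list:
    """Findings for the permissions policy: every Allow action outside the CloudWatch Logs set."""
    return [f"excess action {a}" for st in _as_list(doc.get("Statement", []))
            if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action", [])) if a not in ALLOWED_LOG_ACTIONS]

# Constructed sample: the trust policy from the Terraform above, but with the external ID left out
WEAK_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::711430482607:root"}}]}""")

if __name__ == "__main__":
    for finding in check_trust_policy(WEAK_TRUST):
        print("trust policy:", finding)
```

Run it against the JSON that `aws iam get-role` and `aws iam get-role-policy` return for the role; the checks are pure functions, so they need no AWS credentials.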
Once you have finished your AWS setup, you can complete the log streaming setup in the HCP Portal.
From the HCP Boundary Overview page, select the Audit Logs view.
Click Enable Log Streaming.
From the Enable audit logs streaming view, select AWS CloudWatch as the provider.
Under the provider, enter your Destination name and Role ARN, and select the AWS region that matches where you want your data stored.
Click Save. Logs should arrive in your AWS CloudWatch environment within a few minutes of Boundary usage.
Note: The log group and log streams are created dynamically for you. After setting up your configuration, you can find the log group in AWS CloudWatch under the prefix “/hashicorp”, which keeps logs coming from HashiCorp clearly separate from other log inputs you may have in CloudWatch.
Refer to the AWS documentation for details on log exploration.
Datadog
Note: You will need to know which region your Datadog account is in and have your Datadog API key handy.
From the HCP Boundary Overview page, select the Audit Logs view.
Click Enable Log Streaming.
From the Enable audit logs streaming view, select Datadog as the provider.
Under the provider, enter your Destination name and API Key, and select the Datadog site region that matches your existing Datadog environment.
Click Save.
Logs should arrive in your Datadog environment within a few minutes of Boundary usage. Refer to the Datadog documentation for details on log exploration.
Testing Streaming Configuration
During streaming configuration setup, you may test from within HCP that the configuration is working. This is helpful for verifying that you entered the correct credentials and other parameters. To test, enter the parameters required by the logging provider you wish to test, then press the “Test connection” button.
HCP sends a test message to the logging provider and reports success or failure on the “Enable log streaming” page.
Testing a configuration also works when you are updating a streaming configuration that you have already set up.
Updating Streaming Configuration
After you have configured streaming, you may want to update the configuration for various reasons, for example to rotate a secret used by your logging provider or to switch logging providers altogether.
- Select the “Edit streaming configuration” button under the Manage menu on the “Audit logs” page.
- If you wish to select a new provider, do so now.
- Enter new parameters for the provider.
- (Optional) Test the connection by pressing the “Test connection” button.
- Press “Save”.
Retention
Audit logs are stored within the platform for a minimum of 1 year. HCP began archiving audit logs in October 2022. The logs remain available after the deletion of the cluster that created them. Contact HashiCorp Support if you need access to logs from deleted clusters or have further questions.