Audit Logs

Overview

Audit logs enable you to track the activity of users within an organization. They attempt to answer what a user did, when they did it and where. They help answer these questions by recording user actions.

Pulumi’s audit logs allow you to account for the activity your users are taking within your organization. These logs are available to organizations with an Enterprise level subscription. The logs are immutable and record all user actions. Auditing makes the activity of members in an organization attributable. The logs capture the UNIX timestamp of the event, the user who invoked the action, the event that took place, and the source IP of the call the user made.

View Audit Logs

Audit logs are an Enterprise feature. Only organization admins can view audit logs.

To view audit logs:

  1. Navigate to the organization’s Settings.
  2. Navigate to Audit Logs.

This will show the most recent events in descending order. You can also filter logs by a particular user by selecting their profile picture.

Automated Export

To configure the export of audit logs to AWS S3 using the console:

  1. Navigate to the organization’s Settings.
  2. Navigate to Audit Logs.
  3. Use the three dot menu and select Configure Audit Logs to S3.
  4. Follow the instructions to create an AWS S3 bucket.
  5. Provide the bucket name and a filepath where Pulumi audit logs will be exported, e.g. ‘Pulumi-audit-logs’.
  6. Copy the provided policy.
  7. In the AWS console, create an IAM role.
  8. Select Another AWS Account and check Require external ID.
  9. Provide the Account ID and External ID, then attach the policy you created.
  10. Provide the ARN of the IAM role.
  11. Test your configuration.
  12. After a successful test, select Save and Apply.
  13. After an hour, verify that logs have successfully started exporting.

Manual Export

Export Audit Logs Using the Console

To export audit logs using the console:

  1. Navigate to the organization’s Settings.
  2. Navigate to Audit Logs.
  3. Select Download.

Exporting Audit Logs Using the API

Supported Audit Log Formats

The Pulumi Service REST API supports multiple formats for exporting audit log events.

JSON Format

The JSON format is composed of the following fields:

| Field | Description |
| --- | --- |
| timestamp | the RFC3339 timestamp of when the event was recorded |
| sourceIP | IP address of the client originating the request to invoke this event |
| event | the name of the event |
| description | detailed description of the event that occurred |
| user | details of the user invoking the event (login, name, and avatar URL) |

CSV Format

The CSV (comma separated values) format is composed of the following fields:

Timestamp, Name, Login, Event, Description, SourceIP, RequireOrgAdmin, RequireStackAdmin, AuthenticationFailure

| Field | Description |
| --- | --- |
| Timestamp | the RFC3339 timestamp of when the event was recorded |
| Name | name of the user invoking the event |
| Login | username of the user invoking the event |
| Event | the name of the event |
| Description | detailed description of the event that occurred |
| SourceIP | IP address of the client originating the request to invoke this event |
| RequireOrgAdmin | indicates whether the event required organizational admin level permissions; the value will be either “true” or “false” |
| RequireStackAdmin | indicates whether the event required stack admin level permissions; the value will be either “true” or “false” |
| AuthenticationFailure | indicates whether the event occurred due to an authentication failure; the value will be either “true” or “false” |

CEF Format

CEF (common event format) is an audit and logging event format supported by a wide range of SIEM (security information and event management) systems.

The format is as follows:

MMM dd hh:mm:ss host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

The following fields are part of the standard header defined by CEF:

Device Vendor, Device Product, Device Version: these are strings that uniquely identify the sending device

Device Event Class ID: string or integer identifying the type of event reported

Name: a human readable description of the event

Severity: severity level reflecting the importance of the event

Extensions: the extensions field is a collection of key-value pairs. These keys come from a pre-defined set as well as some keys that we have defined on our own. The following is a list of the keys we are setting on the extension field.

Pre-defined keys by the CEF standard:

| Key | Description |
| --- | --- |
| dvchost | identifies the device host name. |
| rt | identifies the time at which the event related to the activity was received. |
| src | identifies the source that an event refers to in an IP network. |
| suser | identifies the source user by user name. |

Custom defined keys:

| Key | Description |
| --- | --- |
| orgID | the ID of the organization this event belongs to. |
| userID | the ID of the user who invoked this event. |
| requireOrgAdmin | indicates whether the event required organizational admin level permissions; the value will be either “true” or “false” |
| requireStackAdmin | indicates whether the event required stack admin level permissions; the value will be either “true” or “false” |
| authenticationFailure | indicates whether the event occurred due to an authentication failure; the value will be either “true” or “false” |
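
As an added example (not part of the Pulumi documentation or code), the following Python sketch parses records in the CEF layout shown above and counts events whose authenticationFailure extension is “true” per user and source IP. The sample lines are constructed: the vendor, product, version, class ID, hosts, users, IPs and timestamps are placeholders, and only the extension key names come from the tables above.

```python
import re
from collections import Counter

# Constructed sample records in the layout shown above. Vendor, product, version,
# class IDs, hosts, users, IPs and timestamps are placeholders, not real export output.
_HDR = "Oct 12 09:14:02 host.example.test CEF:0|ExampleVendor|ExampleProduct|1.0|"
_EXT = "dvchost=host.example.test rt=1665566042000 orgID=org-1 "
SAMPLE = [
    _HDR + "0|Auth Failure Stack Permission|5|" + _EXT
    + "src=203.0.113.7 suser=alice userID=u-1 authenticationFailure=true",
    _HDR + "0|Auth Failure Stack Permission|5|" + _EXT
    + "src=203.0.113.7 suser=alice userID=u-1 authenticationFailure=true",
    _HDR + "0|Secret Decrypted|3|" + _EXT
    + "src=198.51.100.9 suser=bob userID=u-2 authenticationFailure=false",
]

HEADER = ("version", "vendor", "product", "device_version", "class_id", "name", "severity")
PIPE = re.compile(r"(?<!\\)\|")                  # header delimiter: unescaped pipe
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z]\w*)=")  # "key=" at start or after whitespace


def parse_cef(line):
    """Split one CEF line into its seven header fields plus an 'ext' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    rec = {k: v.replace("\\|", "|").replace("\\\\", "\\") for k, v in zip(HEADER, parts)}
    ext_text = parts[7] if len(parts) == 8 else ""
    keys = list(EXT_KEY.finditer(ext_text))
    rec["ext"] = {}
    for i, m in enumerate(keys):
        # A value runs until the next "key=" token, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        rec["ext"][m.group(1)] = ext_text[m.end():end].strip().replace("\\=", "=")
    return rec


def auth_failures_by_source(lines):
    """Count authenticationFailure=true events per (suser, src) pair."""
    hits = Counter()
    for line in lines:
        ext = parse_cef(line)["ext"]
        if ext.get("authenticationFailure") == "true":
            hits[(ext.get("suser", "?"), ext.get("src", "?"))] += 1
    return hits
```

Repeated counts for one (user, source IP) pair are a reasonable starting point for an alert threshold in a SIEM rule.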

List of Audit Log Events

| Event | Description |
| --- | --- |
| Auth Failure Organization Role | indicates that a user tried to perform an operation but did not have the necessary organization role to do so |
| Auth Failure SCIM Access Token | indicates that a request to use an organization’s SCIM support was made, but the provided auth token was invalid |
| Auth Failure Stack Permission | indicates that a user tried to perform an operation but did not have the necessary stack permissions to do so |
| Member Added | indicates the adding of a member to an organization |
| Member Removed | indicates the removal of a member from an organization |
| Member Role Changed | indicates the changing of a member’s role in an organization |
| Organization Settings Changed | indicates a change in organization settings |
| Policy Group Created | indicates the creation of a policy group |
| Policy Group Deleted | indicates the deletion of a policy group |
| Policy Group Updated | indicates the updating of a policy group |
| Policy Pack Created | indicates the creation of a policy pack |
| Policy Pack Deleted | indicates the deletion of a policy pack |
| Policy Pack Disabled | indicates the disabling of a policy pack |
| Policy Pack Enabled | indicates the enabling of a policy pack |
| Secret Decrypted | indicates the decryption of a secret value associated with a stack |
| Stack Collaborator Added | indicates the adding of a collaborator to a stack |
| Stack Collaborator Permissions Changed | indicates a change in permissions for a stack collaborator |
| Stack Collaborator Removed | indicates the removal of a collaborator from a stack |
| Stack Created From Template | indicates the creation of a stack from a template |
| Stack Created | indicates the creation of a stack |
| Stack Deleted | indicates the deletion of a stack |
| Stack Exported | indicates the exporting of a stack |
| Stack Imported | indicates the importing of a stack |
| Stack Renamed | indicates the renaming of a stack |
| Stack Transferred to Organization | indicates the transfer of a stack from one organization to another |
| Stack Update Canceled | indicates the canceling of a stack update |
| Stack Update Completed | indicates the completion of a stack update |
| Stack Update Started | indicates the starting of a stack update |
| Team Created | indicates the creation of a team in an organization |
| Team Deleted | indicates the deletion of a team from an organization |
| Team Updated | indicates the updating of a team in an organization |
| User Added New Identity to Their Account | indicates a user has associated a new identity with their Pulumi account |
| User Login | indicates a user has successfully logged into the Pulumi Console |
| User Login Failed | indicates a user tried and failed to log into the Pulumi Console |
| SAML Configuration Updated | indicates the organization’s SAML configuration has been updated |