1. Docs
  2. Pulumi Cloud
  3. Audit Logs

Pulumi Cloud audit logs

    Audit Logs are available to organizations using the Enterprise and Business Critical editions. To learn more about editions, visit the pricing page.

    Overview

    Audit logs enable you to track the activity of users within an organization. They display what a user did, when they did it and where by recording user actions.

    Pulumi’s audit logs allow you to account for the activity your users are taking within your organization. The logs are immutable and and record all user actions. Auditing makes the activity of members in an organization attributable. The logs capture the UNIX timestamp of the event, the user who invoked the action, the event that took place, and the source IP of the call the user made.

    View Audit Logs

    Audit logs are a Enterprise Edition and Business Critical feature. Only organization admins can view audit logs.

    To view audit logs:

    1. Navigate to the organization’s Settings.
    2. Navigate to Audit Logs.

    This will show the most recent events in descending order. You can also filter logs by a particular user by selecting their profile picture.

    Automated Export

    This feature is only available on the Pulumi Business Critical Edition. If you don’t see it in your organization, contact sales.

    To configure the export of audit logs to AWS S3 using the console:

    1. Navigate to the organization’s Settings.
    2. Navigate to Audit Logs.
    3. Use the three dot menu and select Configure Audit Logs to S3.
    1. Follow the instructions to create an AWS S3 bucket.
    2. Provide bucket name and a filepath where Pulumi audit logs will be exported eg: ‘Pulumi-audit-logs’.
    3. Copy the provided policy.
    4. In the AWS console create an IAM role.
    5. Select Another AWS Account and check Require external ID.
    6. Provide the Account ID and External ID, then attach the policy you created.
    7. Provide the arn of the IAM role.
    8. Test your configuration.
    1. After a successful test, select Save and Apply.
    2. After an hour, verify that logs have successfully started exporting.

    Manual Export

    Export Audit Logs Using the Console

    To export audit logs using the console:

    1. Navigate to the organization’s Settings.
    2. Navigate to Audit Logs.
    3. Select Download.

    Exporting Audit Logs Using the API

    See Pulumi Cloud REST API for full details of the API endpoint to export audit log events. This API is rate-limited and only intended for occasional use, see automated export section above if you need frequent export.

    Supported Audit Log Formats

    The Pulumi Cloud REST API supports multiple formats for exporting audit log events.

    JSON Format

    The JSON format is composed of the following fields:

    FieldDescription
    timestampthe Unix timestamp of when the event was recorded
    sourceIPIP Address of the client originating the request to invoke this event
    eventthe name of the event
    descriptiondetailed description of the event that occurred
    userdetails of the user invoking the event (login, name, and avatar URL)

    CSV Format

    The CSV (comma separated values) format is composed of the following fields:

    Timestamp, Name, Login, Event, Description, SourceIP, RequireOrgAdmin, RequireStackAdmin, AuthenticationFailure
    
    FieldDescription
    Timestampthe Unix timestamp of when the event was recorded
    Namename of the user invoking the event
    Loginusername of the user invoking the event
    Eventthe name of the event
    Descriptiondetailed description of the event that occurred
    SourceIPIP Address of the client originating the request to invoke this event
    RequireOrgAdminindicates whether the event required organizational admin level permissions, the value will either be “true” or “false”
    RequireStackAdminindicates whether the event required stack admin level permissions, the value will either be “true” or “false”
    AuthenticationFailureindicates whether the event occurred due to an authentication failure, the value will either be “true” or “false”

    CEF Format

    CEF (common event format) is an audit and logging event format supported by a wide range of SIEM (security information and event management) systems.

    The format is as follows:

    MMM dd hh:mm:ss host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
    

    The following fields are part of the standard header defined by CEF:

    Device Vendor, Device Product, Device Version: these are strings that uniquely identify the sending device

    Device Event Class ID: string or integer identifying the type of event reported

    Name: a human readable description of the event

    Severity: severity level reflecting the importance of the event

    Extensions: the extensions field is collection of key-value pairs. These keys come from a pre-defined set as well as some keys that we have defined on our own. The following is a list of the keys we are setting on the extention field.

    Pre-defined keys by the CEF standard:

    KeyDescription
    dvchostidentifies the device host name.
    rtidentifies the time at which the event related to the activity was received.
    srcidentifies the source that an event refers to in an IP network.
    suseridentifies the source user by user name.

    Custom defined keys:

    KeyDescription
    orgIDthe ID of the organization this event belongs to.
    userIDthe ID of the user who invoked this event.
    requireOrgAdminindicates whether the event required organizational admin level permissions, the value will either be “true” or “false”
    requireStackAdminindicates whether the event required stack admin level permissions, the value will either be “true” or “false”
    authenticationFailureindicates whether the event occurred due to an authentication failure, the value will either be “true” or “false”

    List of Audit Log Events

    EventDescription
    Auth Failure Organization Roleindicates that a user tried to perform an operation but did not have the necessary organization role to do so
    Auth Failure SCIM Access Tokenindicates that a request to use an organization’s SCIM support was made, but the provided auth token was invalid
    Auth Failure Stack Permissionindicates that a user tried to perform an operation but did not have the necessary stack permissions to do so
    Member Addedindicates the adding of a member to an organization
    Member Removedindicates the removal of a member from an organization
    Member Role Changedindicates the changing of a member’s role in an organization
    Organization Settings Changedindicates a change in organization settings
    Policy Group Createdindicates the creation of a policy group
    Policy Group Deletedindicates the deletion of a policy group
    Policy Group Updatedindicates the updating of a policy group
    Policy Pack Createdindicates the creation of a policy pack
    Policy Pack Deletedindicates the deletion of a policy pack
    Policy Pack Disabledindicates the disabling of a policy pack
    Policy Pack Enabledindicates the enabling of a policy pack
    Secret Decryptedindicates the decryption of a secret value associated with a stack
    Stack Collaborator Addedindicates the adding of a collaborator to a stack
    Stack Collaborator Permissions Changedindicates a change in permissions for a stack collaborator
    Stack Collaborator Removedindicates the removal of a collaborator to a stack
    Stack Created From Templateindicates the creation of a stack from a template
    Stack Createdindicates the creation of a stack
    Stack Deletedindicates the deletion of a stack
    Stack Exportedindicates the exporting of a stack
    Stack Importedindicates the importing of a stack
    Stack Renamedindicates the renaming of a stack
    Stack Transferred to Organizationindicates the transfer of a stack from one organization to another
    Stack Update Canceledindicates the canceling of a stack update
    Stack Update Completedindicates the completion of a stack update
    Stack Update Startedindicates the starting of a stack update
    Team Createdindicates the creation of a team in an organization
    Team Deletedindicates the deletion of a team from organization
    Team Updatedindicates the updating of a team in an organization
    User Added New Identity to Their Accountindicates a user has associated a new identity with their Pulumi account
    User Loginindicates a user has successfully logged into the Pulumi Cloud
    User Login Failedindicates a user tried and failed to log into the Pulumi Cloud
    SAML Configuration Updatedindicates the organization’s SAML configuration has been updated
    Environment Createdindicates the creation of an environment
    Environment Updatedindicates the updating of an environment
    Environment Deletedindicates the deletion of an environment
    Environment Openindicates the opening of an environment
    Environment Readindicates the reading of an open environment
    Environment Read Openindicates the opening and reading of an environment
    Environment Unauthorized Openindicates the attempt to open an environment the user does not have permission to
    Stack Provider Openindicates the opening of a stack provider within an environment
      Introducing Pulumi Copilot - Intelligent Cloud Management