Contact usConsole
© 2023 Nebius Israel Ltd
Audit Trails

Uploading folder audit logs to Object Storage

Follow these instructions to create a new trail that will upload audit logs of a single folder's resources to an Object Storage bucket.

Tip

For additional security of your audit logs, use bucket encryption.

Prepare the environment

To collect folder audit logs:

  1. Create a new bucket with restricted access to upload audit logs to.

  2. Create a service account.

  3. Assign roles to the service account:

    If you don't have the Nebius Israel command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    • Assign the audit-trails.viewer role for the folder whose resources audit logs will be collected from:

      yc resource-manager folder add-access-binding \
  --role audit-trails.viewer \
  --id <folder ID> \
  --service-account-id <service account ID>

      Where:

      • role: Role being assigned.
      • id: ID of the folder from which audit logs will be collected.
      • service-account-id: ID of your service account.

    • Assign the storage.uploader role for the folder to host the trail:

      yc resource-manager folder add-access-binding \
  --role storage.uploader \
  --id <folder ID> \
  --service-account-id <service account ID>

      Where:

      • role: Role being assigned.
      • id: ID of the folder to host the trail.
      • service-account-id: ID of your service account.

  4. On the Access bindings page, make sure you have the following roles:

    • iam.serviceAccounts.user for the service account.
    • audit-trails.editor for the folder to host the trail.
    • audit-trails.viewer for the folder from which audit logs will be collected.
    • storage.viewer for the bucket or the folder.

Encrypting a bucket

To store logs in encrypted form:

  1. Create an encryption key in Key Management Service.

  2. Enable bucket encryption using the previously created key.

  3. Assign the previously created service account the kms.keys.encrypterDecrypter role for the key:

    yc kms symmetric-key add-access-binding \
    --role kms.keys.encrypterDecrypter \
    --id <encryption_key_ID> \
    --service-account-id <service_account_ID>

    Where:

    • role: The role assigned.
    • id: The ID of the encryption key.
    • service-account-id: The ID of your service account.

Create a trail

To create the first trail in Audit Trails and start the audit log management process:

  1. In the management console, select the folder where you wish to host the trail.

  2. Select Audit Trails.

  3. Click Create trail and specify:

    • Name: Name of the trail being created.
    • Description: Description of the trail (optional).

  4. Under Filter, set up the audit log scope:

    • Resource: Select Folder.
    • Folder: An automatically populated field containing the name of the current folder.

  5. Under Destination, set up the destination object:

    • Destination: Object Storage.
    • Bucket: The name of the bucket where you want to upload audit logs.
    • Object prefix: An optional parameter used in the full name of the audit log file.

    Note

    Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

  6. Under Service account, select the service account that the trail will use to upload audit log files to the bucket.

  7. Click Create.

What's next

© 2023 Nebius Israel Ltd
In this article: