From b6ff95260142145dfd1a1e99f84f9c1168e18a19 Mon Sep 17 00:00:00 2001
From: Sarah Jackson
Date: Thu, 14 Mar 2024 16:37:20 +1300
Subject: [PATCH 1/4] COMP-264 WIP updating documentation for audit secret logging
- Extending audit_log.md to include secret audit events for GraphQL, and information about these events
---
 pages/pipelines/audit_log.md | 144 +++++++++++++++++++++++++++++++++++
 1 file changed, 144 insertions(+)
diff --git a/pages/pipelines/audit_log.md b/pages/pipelines/audit_log.md
index 5405d2b135..278a5ec646 100644
--- a/pages/pipelines/audit_log.md
+++ b/pages/pipelines/audit_log.md
@@ -73,6 +73,11 @@ SCM_PIPELINE_SETTINGS_UPDATED
 SCM_SERVICE_CREATED
 SCM_SERVICE_DELETED
 SCM_SERVICE_UPDATED
+SECRET_CREATED
+SECRET_DELETED
+SECRET_QUERIED
+SECRET_READ
+SECRET_UPDATED
 SSO_PROVIDER_CREATED
 SSO_PROVIDER_DELETED
 SSO_PROVIDER_DISABLED
@@ -100,3 +105,142 @@ USER_UPDATED ``` You can also set up [Amazon EventBridge](/docs/integrations/amazon-eventbridge) to stream Audit Log events. + + +## Audit logs for secrets + +>📘 Audit logs for secrets do not contain the value or sensitive information about the secret. + + +Audit logs record information of transactions in which secrets are accessed or modified. The following events will be logged: +* `SECRET_CREATED` This triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event. + + ``` + { + "data"=> { + "auditEvent" => { + "__typename" => "AuditEvent", + "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjBkLTIwZGUtNDZhZS1iNTMxLTU5NjRkYWJjY2M2Zg==", + "uuid" => "018e3f0d-20de-46ae-b531-5964dabccc6f", + "type" => "SECRET_CREATED", + "subject" => { + "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMGQtMjBkZS00NmFlLWI1MzEtNTk2NGRhYmNjYzZm", + "type" => "SECRET", + "uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e", + "node" => { + "__typename" => "Secret", + "uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e", + "organization" => { + "name" => "Sunny Spot" + } + } + } + } + } + } + ``` + +* `SECRET_DELETED` This triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event. 
+``` +{ + "data" => { + "auditEvent" => { + "__typename" => "AuditEvent", + "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE1LTk0OTEtNGJjMS1iOTY4LWNkYTdkMzk2ZDU0MA==", + "uuid" => "018e3f15-9491-4bc1-b968-cda7d396d540", + "type" => "SECRET_DELETED", + "subject" => { + "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTUtOTQ5MS00YmMxLWI5NjgtY2RhN2QzOTZkNTQw", + "type" => "SECRET", + "uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee", + "node" => { + "__typename" => "Secret", + "uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee", + "organization" => { + "name" => "Sunny Spot" + } + } + } + } + } +} +``` + +* `SECRET_READ` This triggers an audit event when an actor accesses or reads the value of a secret. Secrets can be read by an agent running a compute job, or read by a user belonging to an organization. Below are the fields captured in the audit log for this event. + +``` +{ + "data" => { + "auditEvent" => { + "__typename" => "AuditEvent", + "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE5LTlkODgtNDBmZS1iOGIzLTkxMTk5OWNlMmRmMg==", + "uuid" => "018e3f19-9d88-40fe-b8b3-911999ce2df2", + "type" => "SECRET_READ", + "subject" => { + "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTktOWQ4OC00MGZlLWI4YjMtOTExOTk5Y2UyZGYy", + "type" => "SECRET", + "uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c", + "node" => { + "__typename" => "Secret", + "uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c", + "organization" => { + "name" => "Sunny Spot" + } + } + } + } + } +} +``` + +* `SECRET_QUERIED` This triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event. 
+``` +{ + "data" => { + "auditEvent" => { + "__typename" => "AuditEvent", + "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjRlLTdiNGUtNDQ1ZS04MDI3LWQyZGU4ZjY3MDI0Yg==", + "uuid" => "018e3f4e-7b4e-445e-8027-d2de8f67024b", + "type" => "SECRET_QUERIED", + "subject" => { + "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNGUtN2I0ZS00NDVlLTgwMjctZDJkZThmNjcwMjRi", + "type" => "SECRET", + "uuid" => "d906f471-92a9-4725-aad5-d7388280e654", + "node" => { + "__typename" => "Secret", + "uuid" => "d906f471-92a9-4725-aad5-d7388280e654", + "organization" => { + "name" => "Sunny Spot" + } + } + } + } + } +} +``` + +* `SECRET_UPDATED` This triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event. +``` +{ + "data" => { + "auditEvent" => { + "__typename" => "AuditEvent", + "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjUxLWViNTMtNGVlZC1hZmRjLWE2ZTdhZjcyMDFkOQ==", + "uuid" => "018e3f51-eb53-4eed-afdc-a6e7af7201d9", + "type" => "SECRET_UPDATED", + "subject" => { + "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNTEtZWI1My00ZWVkLWFmZGMtYTZlN2FmNzIwMWQ5", + "type" => "SECRET", + "uuid" => "87a44525-2a66-441a-89f6-8b559364aed9", + "node" => { + "__typename" => "Secret", + "uuid" => "87a44525-2a66-441a-89f6-8b559364aed9", + "organization" => { + "name" => "Sunny Spot" + } + } + } + } + } +} +``` From 69cf5ed054ebe543d8b5392774ec3802f251c97b Mon Sep 17 00:00:00 2001 From: Sarah Jackson Date: Fri, 15 Mar 2024 15:55:13 +1300 Subject: [PATCH 2/4] formatting fixes --- pages/pipelines/audit_log.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pages/pipelines/audit_log.md b/pages/pipelines/audit_log.md index 278a5ec646..91ff2d2bae 100644 --- a/pages/pipelines/audit_log.md +++ b/pages/pipelines/audit_log.md 
@@ -113,6 +113,7 @@ You can also set up [Amazon EventBridge](/docs/integrations/amazon-eventbridge) Audit logs record information of transactions in which secrets are accessed or modified. The following events will be logged: + * `SECRET_CREATED` This triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event. ``` @@ -141,6 +142,7 @@ Audit logs record information of transactions in which secrets are accessed or m ``` * `SECRET_DELETED` This triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event. + ``` { "data" => { @@ -194,6 +196,7 @@ Audit logs record information of transactions in which secrets are accessed or m ``` * `SECRET_QUERIED` This triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event. + ``` { "data" => { @@ -220,6 +223,7 @@ Audit logs record information of transactions in which secrets are accessed or m ``` * `SECRET_UPDATED` This triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event. + ``` { "data" => { From f76a59766b00bf20bb793aa0ae3f8a256f5af23e Mon Sep 17 00:00:00 2001 
From: Sarah Jackson Date: Fri, 15 Mar 2024 15:56:41 +1300 Subject: [PATCH 3/4] small edit --- pages/pipelines/audit_log.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pages/pipelines/audit_log.md b/pages/pipelines/audit_log.md index 91ff2d2bae..de2f3f286f 100644 --- a/pages/pipelines/audit_log.md +++ b/pages/pipelines/audit_log.md @@ -114,7 +114,7 @@ You can also set up [Amazon EventBridge](/docs/integrations/amazon-eventbridge) Audit logs record information of transactions in which secrets are accessed or modified. The following events will be logged: -* `SECRET_CREATED` This triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event. +* `SECRET_CREATED` triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event. ``` { @@ -141,7 +141,7 @@ Audit logs record information of transactions in which secrets are accessed or m } ``` -* `SECRET_DELETED` This triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event. +* `SECRET_DELETED` triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event. ``` { 
@@ -168,7 +168,7 @@ Audit logs record information of transactions in which secrets are accessed or m } ``` -* `SECRET_READ` This triggers an audit event when an actor accesses or reads the value of a secret. Secrets can be read by an agent running a compute job, or read by a user belonging to an organization. Below are the fields captured in the audit log for this event. +* `SECRET_READ` triggers an audit event when an actor accesses or reads the value of a secret. Secrets can be read by an agent running a compute job, or read by a user belonging to an organization. Below are the fields captured in the audit log for this event. ``` { @@ -195,7 +195,7 @@ Audit logs record information of transactions in which secrets are accessed or m } ``` -* `SECRET_QUERIED` This triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event. +* `SECRET_QUERIED` triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event. ``` { 
@@ -222,7 +222,7 @@ Audit logs record information of transactions in which secrets are accessed or m } ``` -* `SECRET_UPDATED` This triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event. +* `SECRET_UPDATED` triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event. ``` { From 7673d78deaaac9b7a40d22a2fade4e4be9112751 Mon Sep 17 00:00:00 2001 From: Sarah Jackson Date: Mon, 18 Mar 2024 15:29:55 +1300 Subject: [PATCH 4/4] Removing docs to be done at later date --- pages/pipelines/audit_log.md | 143 ----------------------------------- 1 file changed, 143 deletions(-) diff --git a/pages/pipelines/audit_log.md b/pages/pipelines/audit_log.md index de2f3f286f..b2ea6ab06f 100644 --- a/pages/pipelines/audit_log.md +++ b/pages/pipelines/audit_log.md 
@@ -105,146 +105,3 @@ USER_UPDATED ``` You can also set up [Amazon EventBridge](/docs/integrations/amazon-eventbridge) to stream Audit Log events. - - -## Audit logs for secrets - ->📘 Audit logs for secrets do not contain the value or sensitive information about the secret. - - -Audit logs record information of transactions in which secrets are accessed or modified. The following events will be logged: - -* `SECRET_CREATED` triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event. - - ``` - { - "data"=> { - "auditEvent" => { - "__typename" => "AuditEvent", - "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjBkLTIwZGUtNDZhZS1iNTMxLTU5NjRkYWJjY2M2Zg==", - "uuid" => "018e3f0d-20de-46ae-b531-5964dabccc6f", - "type" => "SECRET_CREATED", - "subject" => { - "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMGQtMjBkZS00NmFlLWI1MzEtNTk2NGRhYmNjYzZm", - "type" => "SECRET", - "uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e", - "node" => { - "__typename" => "Secret", - "uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e", - "organization" => { - "name" => "Sunny Spot" - } - } - } - } - } - } - ``` - -* `SECRET_DELETED` triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event. 
- -``` -{ - "data" => { - "auditEvent" => { - "__typename" => "AuditEvent", - "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE1LTk0OTEtNGJjMS1iOTY4LWNkYTdkMzk2ZDU0MA==", - "uuid" => "018e3f15-9491-4bc1-b968-cda7d396d540", - "type" => "SECRET_DELETED", - "subject" => { - "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTUtOTQ5MS00YmMxLWI5NjgtY2RhN2QzOTZkNTQw", - "type" => "SECRET", - "uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee", - "node" => { - "__typename" => "Secret", - "uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee", - "organization" => { - "name" => "Sunny Spot" - } - } - } - } - } -} -``` - -* `SECRET_READ` triggers an audit event when an actor accesses or reads the value of a secret. Secrets can be read by an agent running a compute job, or read by a user belonging to an organization. Below are the fields captured in the audit log for this event. - -``` -{ - "data" => { - "auditEvent" => { - "__typename" => "AuditEvent", - "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE5LTlkODgtNDBmZS1iOGIzLTkxMTk5OWNlMmRmMg==", - "uuid" => "018e3f19-9d88-40fe-b8b3-911999ce2df2", - "type" => "SECRET_READ", - "subject" => { - "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTktOWQ4OC00MGZlLWI4YjMtOTExOTk5Y2UyZGYy", - "type" => "SECRET", - "uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c", - "node" => { - "__typename" => "Secret", - "uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c", - "organization" => { - "name" => "Sunny Spot" - } - } - } - } - } -} -``` - -* `SECRET_QUERIED` triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event. 
- -``` -{ - "data" => { - "auditEvent" => { - "__typename" => "AuditEvent", - "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjRlLTdiNGUtNDQ1ZS04MDI3LWQyZGU4ZjY3MDI0Yg==", - "uuid" => "018e3f4e-7b4e-445e-8027-d2de8f67024b", - "type" => "SECRET_QUERIED", - "subject" => { - "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNGUtN2I0ZS00NDVlLTgwMjctZDJkZThmNjcwMjRi", - "type" => "SECRET", - "uuid" => "d906f471-92a9-4725-aad5-d7388280e654", - "node" => { - "__typename" => "Secret", - "uuid" => "d906f471-92a9-4725-aad5-d7388280e654", - "organization" => { - "name" => "Sunny Spot" - } - } - } - } - } -} -``` - -* `SECRET_UPDATED` triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event. - -``` -{ - "data" => { - "auditEvent" => { - "__typename" => "AuditEvent", - "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjUxLWViNTMtNGVlZC1hZmRjLWE2ZTdhZjcyMDFkOQ==", - "uuid" => "018e3f51-eb53-4eed-afdc-a6e7af7201d9", - "type" => "SECRET_UPDATED", - "subject" => { - "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNTEtZWI1My00ZWVkLWFmZGMtYTZlN2FmNzIwMWQ5", - "type" => "SECRET", - "uuid" => "87a44525-2a66-441a-89f6-8b559364aed9", - "node" => { - "__typename" => "Secret", - "uuid" => "87a44525-2a66-441a-89f6-8b559364aed9", - "organization" => { - "name" => "Sunny Spot" - } - } - } - } - } -} -```