Configuring audit of Yandex Cloud events

Configuring event export involves the following steps:

  1. Preparing the environment for working with Yandex Cloud.
  2. Creating a bucket for audit logs.
  3. Creating an encryption key in the Key Management Service.
  4. Enabling bucket encryption.
  5. Creating service accounts.
  6. Creating a static key.
  7. Assigning roles to service accounts.
  8. Creating an audit trail.

Preparing the environment for working with Yandex Cloud

To manage the configuration, you need the Yandex Cloud CLI. Install and initialize it.

Note: by default, audit is performed in the Yandex Cloud folder specified in the CLI profile. You can specify a different folder using the --folder-name or --folder-id parameter.

To configure the audit, you need an active billing account because a fee is charged for using the Yandex Cloud infrastructure.

To make sure that you have an active billing account:

  1. Go to the management console, then log in to Yandex Cloud or register.
  2. On the Yandex Cloud Billing page, make sure that you have a billing account connected and that it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can use the cloud page to create or select the Yandex Cloud folder in which your infrastructure will run.

Creating a bucket for audit logs

To create a bucket:

  1. In the management console, go to the folder in which you want to create the bucket, for example, example-folder.
  2. Select the Object Storage service.
  3. Click Create bucket.
  4. On the bucket creation page:
    1. Enter the bucket name in accordance with the naming rules, for example, kumabucket.
    2. If necessary, limit the maximum size of the bucket. Size 0 means no limit and is equivalent to the enabled No limit option.
    3. Select the type of access: Restricted.
    4. Select the default storage class.
    5. Click Create bucket.

The bucket is created.

Creating an encryption key in the Key Management Service

To create an encryption key:

  1. In the management console, go to the example-folder folder.
  2. Select the Key Management Service.
  3. Click the Create key button and specify the following settings:
    • Name (for example, kuma-kms).
    • Encryption algorithm: AES-256.
    • Keep default values for the rest of the settings.
  4. Click Create.

The encryption key is created.

Enabling bucket encryption

To enable bucket encryption:

  1. In the management console, go to the bucket you created earlier.
  2. In the left pane, select Encryption.
  3. In the KMS key field, select the kuma-kms key.
  4. Click Save.

Bucket encryption is enabled.

Creating service accounts

To create service accounts (a separate account for the trail and a separate account for the bucket):

  1. Create the sa-kuma service account:
    1. In the management console, go to the example-folder folder.
    2. In the upper part of the screen, go to the Service accounts tab.
    3. Click Create service account and enter the name of the service account, for example, sa-kuma, making sure the name complies with the naming rules:
      • length: 3 to 63 characters
      • may contain lower-case letters of the Latin alphabet, numerals, and hyphens
      • the first character must be a letter, the last character may not be a hyphen.
    4. Click Create.
  2. Create the sa-kuma-bucket service account:
    1. In the management console, go to the example-folder folder.
    2. In the upper part of the screen, go to the Service accounts tab.
    3. Click Create service account and enter the name of the service account, for example, sa-kuma-bucket, making sure the name complies with the naming rules:
      • length: 3 to 63 characters
      • may contain lower-case letters of the Latin alphabet, numerals, and hyphens
      • the first character must be a letter, the last character may not be a hyphen.
    4. Click Create.

The service accounts are created.

Creating a static key

You will need the key ID and the private key when mounting the bucket. You can create a key using the management console or the CLI.

To create a key using the management console:

  1. In the management console, go to the example-folder folder.
  2. In the upper part of the screen, go to the Service accounts tab.
  3. Select the sa-kuma-bucket service account and click the row with its name.
  4. In the upper panel, click Create new key.
  5. Select Create static access key.
  6. Enter a description for the key and click Create.
  7. Save the ID and the secret key.

The static access key is created. The key value will become unavailable when you close the dialog.

To create a key using the CLI:

  1. Create an access key for the sa-kuma-bucket service account:

    yc iam access-key create --service-account-name sa-kuma-bucket

    Result:

    access_key:
      id: aje*******k2u
      service_account_id: aje*******usm
      created_at: "2022-09-22T14:37:51Z"
      key_id: 0n8*******0YQ
    secret: JyT*******zMP1

  2. Save the key_id value and the secret key from the secret field. You will not be able to get the secret key value again.

The access key is created.

Assigning roles to service accounts

To assign the audit-trails.viewer, storage.uploader, and kms.keys.encrypterDecrypter roles to the sa-kuma service account:

  1. In the CLI, assign the audit-trails.viewer role to the folder:

    yc resource-manager folder add-access-binding \
      --role audit-trails.viewer \
      --id <folder_id> \
      --service-account-id <service_account_id>

    Where:

    • --role is the assigned role.
    • --id is the ID of the 'example-folder' folder.
    • --service-account-id is the ID of the sa-kuma service account.
  2. Assign the storage.uploader role to the folder with the bucket:

    yc resource-manager folder add-access-binding \
      --role storage.uploader \
      --id <folder_id> \
      --service-account-id <service_account_id>

    Where:

    • --role is the assigned role.
    • --id is the ID of the 'example-folder' folder.
    • --service-account-id is the ID of the sa-kuma service account.
  3. Assign the kms.keys.encrypterDecrypter role to the kuma-kms encryption key:

    yc kms symmetric-key add-access-binding \
      --role kms.keys.encrypterDecrypter \
      --id <key_id> \
      --service-account-id <service_account_id>

    Where:

    • --role is the assigned role.
    • --id is the ID of the kuma-kms KMS key.
    • --service-account-id is the ID of the sa-kuma service account.

To assign the storage.viewer and kms.keys.encrypterDecrypter roles to the sa-kuma-bucket service account:

  1. In the CLI, assign the storage.viewer role to the folder:

    yc resource-manager folder add-access-binding \
      --id <folder_id> \
      --role storage.viewer \
      --service-account-id <service_account_id>

    Where:

    • --id is the ID of the 'example-folder' folder.
    • --role is the assigned role.
    • --service-account-id is the ID of the sa-kuma-bucket service account.
  2. Assign the kms.keys.encrypterDecrypter role to the kuma-kms encryption key:

    yc kms symmetric-key add-access-binding \
      --role kms.keys.encrypterDecrypter \
      --id <key_id> \
      --service-account-id <service_account_id>

    Where:

    • --role is the assigned role.
    • --id is the ID of the kuma-kms KMS key.
    • --service-account-id is the ID of the sa-kuma-bucket service account.
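
To verify the result of the role assignment steps above, the following added example (not part of the original instructions) compares the access bindings on the folder and on the KMS key with the roles this page assigns, and reports missing roles as well as roles beyond that set. It assumes the bindings were exported with `yc resource-manager folder list-access-bindings <folder_id> --format json` and `yc kms symmetric-key list-access-bindings <key_id> --format json`, and that each entry carries `role_id` and `subject.id`; the function names and the sample IDs are constructed for illustration.

```python
import json

# Role matrix from the "Assigning roles to service accounts" steps on this page.
EXPECTED = {
    "sa-kuma": {"folder": {"audit-trails.viewer", "storage.uploader"},
                "key": {"kms.keys.encrypterDecrypter"}},
    "sa-kuma-bucket": {"folder": {"storage.viewer"},
                       "key": {"kms.keys.encrypterDecrypter"}},
}

def roles_by_subject(bindings):
    """Group role IDs by subject ID from a list-access-bindings JSON array."""
    grouped = {}
    for b in bindings:
        grouped.setdefault(b["subject"]["id"], set()).add(b["role_id"])
    return grouped

def audit(account_ids, folder_bindings, key_bindings):
    """Return per-account missing and extra roles; an empty dict means a match."""
    actual = {"folder": roles_by_subject(folder_bindings),
              "key": roles_by_subject(key_bindings)}
    findings = {}
    for name, scopes in EXPECTED.items():
        missing, extra = [], []
        for scope, want in scopes.items():
            have = actual[scope].get(account_ids[name], set())
            missing += [f"{scope}:{r}" for r in sorted(want - have)]
            extra += [f"{scope}:{r}" for r in sorted(have - want)]
        if missing or extra:
            findings[name] = {"missing": missing, "extra": extra}
    return findings

# Constructed sample data; the IDs are placeholders, not real service accounts.
SAMPLE_IDS = {"sa-kuma": "sa-id-trail", "sa-kuma-bucket": "sa-id-bucket"}
SAMPLE_FOLDER = json.loads("""[
 {"role_id": "audit-trails.viewer", "subject": {"id": "sa-id-trail", "type": "serviceAccount"}},
 {"role_id": "storage.uploader", "subject": {"id": "sa-id-trail", "type": "serviceAccount"}},
 {"role_id": "editor", "subject": {"id": "sa-id-trail", "type": "serviceAccount"}},
 {"role_id": "storage.viewer", "subject": {"id": "sa-id-bucket", "type": "serviceAccount"}}
]""")
SAMPLE_KEY = json.loads("""[
 {"role_id": "kms.keys.encrypterDecrypter", "subject": {"id": "sa-id-trail", "type": "serviceAccount"}}
]""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_IDS, SAMPLE_FOLDER, SAMPLE_KEY), indent=2))
```

The check covers only bindings set directly on the folder and on the key; roles that a service account inherits from the cloud level have to be reviewed separately.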

Creating an audit trail

To create an audit trail:

  1. In the management console, go to the example-folder folder.
  2. Select the Audit Trails service.
  3. Click Create trail and specify a name for the trail you are creating, for example, kuma-trail.
  4. In the Destination section, specify the parameters of the destination object:
    • Destination: Object Storage.
    • Bucket: The name of the bucket, for example, kumabucket.
    • Object prefix: Optional parameter used in the full name of the audit log file.

      Use a prefix if you store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other objects in the bucket because this may cause logs and third-party objects to overwrite each other.

    • Encryption key: specify the kuma-kms encryption key that the bucket is encrypted with.
  5. In the Service account section, select sa-kuma.
  6. In the Collecting management events section, specify the settings for collecting management events audit logs:
    • Collecting events: Select Enabled.
    • Resource: Select Folder.
    • Folder: Does not require filling, contains the name of the current folder.
  7. In the Collecting data events section, in the Collecting events field, select Disabled.
  8. Click Create.
