COMP-264 WIP updating documentation for audit secret logging

- Extending audit_log.md to include secret audit events for GraphQL, and information about these events
buildkite · Mar 15, 2024 · b6ff952 · b6ff952
1 parent 4e3edf4
commit b6ff952
Showing 1 changed file with 144 additions and 0 deletions.
diff --git a/pages/pipelines/audit_log.md b/pages/pipelines/audit_log.md
@@ -73,6 +73,11 @@ SCM_PIPELINE_SETTINGS_UPDATED
 SCM_SERVICE_CREATED
 SCM_SERVICE_DELETED
 SCM_SERVICE_UPDATED
+SECRET_CREATED
+SECRET_DELETED
+SECRET_QUERIED
+SECRET_READ
+SECRET_UPDATED
 SSO_PROVIDER_CREATED
 SSO_PROVIDER_DELETED
 SSO_PROVIDER_DISABLED
@@ -100,3 +105,142 @@ USER_UPDATED
 ```
 
 You can also set up [Amazon EventBridge](/docs/integrations/amazon-eventbridge) to stream Audit Log events.
+
+
+## Audit logs for secrets
+
+>📘 Audit logs for secrets do not contain the value or sensitive information about the secret.
+
+
+Audit logs record information of transactions in which secrets are accessed or modified. The following events will be logged:
+* `SECRET_CREATED` This triggers an audit log when a user of an organization initiates the creation of a secret. Secrets can only be created by a user. Below are the fields captured in the audit log for this event.
+
+  ```
+  {
+    "data"=> {
+      "auditEvent" => {
+        "__typename" => "AuditEvent",
+        "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjBkLTIwZGUtNDZhZS1iNTMxLTU5NjRkYWJjY2M2Zg==",
+        "uuid" => "018e3f0d-20de-46ae-b531-5964dabccc6f",
+        "type" => "SECRET_CREATED",
+        "subject" => {
+          "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMGQtMjBkZS00NmFlLWI1MzEtNTk2NGRhYmNjYzZm",
+          "type" => "SECRET",
+          "uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e",
+          "node" => {
+            "__typename" => "Secret",
+            "uuid" => "3d01f85a-0436-49cd-a082-6f8e20dd677e",
+            "organization" => {
+              "name" => "Sunny Spot"
+            }
+          }
+        }
+      }
+    }
+  }
+  ```
+
+* `SECRET_DELETED` This triggers an audit log when a secret is deleted by a user of an organization. This applies exclusively to the destruction of a secret; events related to the revocation or expiration of a secret will not trigger audit logs. Below are the fields captured in the audit log for this event.
+```
+{
+  "data" => {
+    "auditEvent" => {
+      "__typename" => "AuditEvent",
+      "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE1LTk0OTEtNGJjMS1iOTY4LWNkYTdkMzk2ZDU0MA==",
+      "uuid" => "018e3f15-9491-4bc1-b968-cda7d396d540",
+      "type" => "SECRET_DELETED",
+      "subject" => {
+        "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTUtOTQ5MS00YmMxLWI5NjgtY2RhN2QzOTZkNTQw",
+        "type" => "SECRET",
+        "uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee",
+        "node" => {
+          "__typename" => "Secret",
+          "uuid" => "d83e4f1f-cc26-43d7-8d2c-d303243d87ee",
+          "organization" => {
+            "name" => "Sunny Spot"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+* `SECRET_READ` This triggers an audit event when an actor accesses or reads the value of a secret. Secrets can be read by an agent running a compute job, or read by a user belonging to an organization. Below are the fields captured in the audit log for this event.
+
+```
+{
+  "data" => {
+    "auditEvent" => {
+      "__typename" => "AuditEvent",
+      "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjE5LTlkODgtNDBmZS1iOGIzLTkxMTk5OWNlMmRmMg==",
+      "uuid" => "018e3f19-9d88-40fe-b8b3-911999ce2df2",
+      "type" => "SECRET_READ",
+      "subject" => {
+        "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmMTktOWQ4OC00MGZlLWI4YjMtOTExOTk5Y2UyZGYy",
+        "type" => "SECRET",
+        "uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c",
+        "node" => {
+          "__typename" => "Secret",
+          "uuid" => "644771e7-10cf-4784-af97-9fdf70402a1c",
+          "organization" => {
+            "name" => "Sunny Spot"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+* `SECRET_QUERIED` This triggers an audit event when a user belonging to an organization or system identity (such as an agent) when a query is performed to find a secret (or secrets). This event will be triggered even if a search for a secret yields no results or if the secret does not exist. Below are the fields captured in the audit log for this event.
+```
+{
+  "data" => {
+    "auditEvent" => {
+      "__typename" => "AuditEvent",
+      "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjRlLTdiNGUtNDQ1ZS04MDI3LWQyZGU4ZjY3MDI0Yg==",
+      "uuid" => "018e3f4e-7b4e-445e-8027-d2de8f67024b",
+      "type" => "SECRET_QUERIED",
+      "subject" => {
+        "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNGUtN2I0ZS00NDVlLTgwMjctZDJkZThmNjcwMjRi",
+        "type" => "SECRET",
+        "uuid" => "d906f471-92a9-4725-aad5-d7388280e654",
+        "node" => {
+          "__typename" => "Secret",
+          "uuid" => "d906f471-92a9-4725-aad5-d7388280e654",
+          "organization" => {
+            "name" => "Sunny Spot"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+* `SECRET_UPDATED` This triggers an audit event whenever a user within an organization updates the value or properties of a secret. Given that secrets can exist in multiple versions, the audit logs maintain records of these version identifiers and their corresponding updates. Below are the fields captured in the audit log for this event.
+```
+{
+  "data" => {
+    "auditEvent" => {
+      "__typename" => "AuditEvent",
+      "id" => "QXVkaXRFdmVudC0tLTAxOGUzZjUxLWViNTMtNGVlZC1hZmRjLWE2ZTdhZjcyMDFkOQ==",
+      "uuid" => "018e3f51-eb53-4eed-afdc-a6e7af7201d9",
+      "type" => "SECRET_UPDATED",
+      "subject" => {
+        "id" => "QXVkaXRTdWJqZWN0LS0tMDE4ZTNmNTEtZWI1My00ZWVkLWFmZGMtYTZlN2FmNzIwMWQ5",
+        "type" => "SECRET",
+        "uuid" => "87a44525-2a66-441a-89f6-8b559364aed9",
+        "node" => {
+          "__typename" => "Secret",
+          "uuid" => "87a44525-2a66-441a-89f6-8b559364aed9",
+          "organization" => {
+            "name" => "Sunny Spot"
+          }
+        }
+      }
+    }
+  }
+}
+```