Best Practices for Confluent Cloud Audit Logs

Review the following security best practices for Confluent Cloud audit logs to reduce security risks.

Grant permissions based on the principle of least privilege

To consume audit log messages, users must have an API key specific to the audit log cluster.

Apply the principle of least privilege, granting access to audit log data only as needed for intended purposes.

Rotate audit log API keys periodically

To reduce the risk of API keys being used by malicious agents, you should rotate the active audit log API key regularly. For details, see Best Practices for Using API Keys in Confluent Cloud.

Retain data for auditing and compliance

By default, Confluent Cloud audit log records are retained in Confluent Cloud for seven days on an independent Kafka cluster. These audit log records cannot be modified or deleted, and you cannot produce directly to the audit log topic.

For analysis purposes and to meet requirements for administrative, legal, audit, compliance, or other operational purposes, you might need to retain audit log data for longer than seven days.

Replicate or export audit log data

By default, Confluent Cloud audit logs are retained for seven days on an independent Kafka cluster. These audit log records cannot be modified or deleted, and you cannot produce directly to the audit log topic.

You can replicate or archive Confluent Cloud audit log records to another Kafka cluster or to an external system. For details, see Retain Audit Log Records.

Consider storage and billing implications

When you retain audit log records beyond the seven days they are stored in the Kafka audit log cluster, consider the storage and billing implications.