Confluent Cloud Audit Log Concepts

The primary value of audit logs is that they provide data you can use to assess security risks in your Confluent Cloud clusters. They contain all of the information necessary to follow a user’s interaction with your Confluent Cloud clusters, and provide a way to:

  • Track user and application access
  • Identify abnormal behavior and anomalies
  • Proactively monitor and resolve security risks

Confluent Cloud audit logs provide a way to capture, protect, and preserve Kafka authentication actions, authorization actions, and organization operations into topics in Standard and Dedicated clusters. Specifically, audit logs record the runtime decisions of the permission checks that occur as users and service accounts connect to clusters and attempt to take actions that are protected by ACLs or RBAC. Audit logs also track organization operations to create, delete, and modify Confluent Cloud resources, such as API keys, Kafka clusters, user accounts, service accounts, single sign-on (SSO) connections, and connectors.

Each auditable event record includes information about who tried to do what, when they tried, and whether or not the system gave permission to proceed. Auditable event messages are emitted at the time of event occurrence; however, short delays or gaps during operational maintenance are possible, although rare.

Within Confluent Cloud, all audit log messages from your clusters are retained for seven days on an independent cluster. Users cannot modify, delete, nor produce messages directly to the audit log topic, and to consume the messages, users must have an API key specific to the audit log cluster.

Tip

Your Confluent Cloud audit log data can be exported and used to create custom dashboards for security monitoring. For an example, see the Confluent blog post How to Visualize Confluent Cloud Audit Log Data.

Auditable events

Confluent Cloud audit logs include three types of events that can be audited:

  • Authentication events: io.confluent.kafka.server/authentication
    • Event log events occur when a client connects to a Kafka cluster
      • Method example: kafka.Authentication
  • Authorization events: io.confluent.kafka.server/authorization
    • When a Kafka cluster verifies authorization.
      • Method example: kafka.IncrementalAlterConfigs
    • When cloud control plane (MDS) validates whether a specified user is allowed to perform an action based on their role (RBAC checks).
      • Method example: mds.Authorize
  • Organization events: io.confluent.cloud/request
    • Sent when a Confluent Cloud service performs an operation or action.
      • Method example: CreateKafkaCluster

Note

Users may attempt to authorize a task solely to find out if they can perform the task, but not follow through with it. In these instances, the authorization is still captured in the audit log.

confluent-audit-log-events topic

All Confluent Cloud audit log messages are captured in the audit log topic, confluent-audit-log-events.

The following example shows an authentication event that was sent when service account 306343 used the API key MAIDSRFG53RXYTKR to connect to the Kafka cluster lkc-6k8r8q:

{
    "id": "29ca0e51-fdcd-44bd-a393-43193432b614",
    "source": "crn://confluent.cloud/kafka=lkc-6k8r8q",
    "specversion": "1.0",
    "type": "io.confluent.kafka.server/authentication",
    "datacontenttype": "application/json",
    "subject": "crn://confluent.cloud/kafka=lkc-6k8r8q",
    "time": "2020-12-28T22:41:43.395Z",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
        "methodName": "kafka.Authentication",
        "resourceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
        "authenticationInfo": {
            "principal": "User:306343",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            }
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        }
    }
}

See also: Audit Log Event Schema.