Confluent Cloud Audit Log Concepts¶
The primary value of audit logs is that they provide data you can use to assess security risks in your Confluent Cloud clusters. They contain all of the information necessary to follow a user’s interaction with your Confluent Cloud clusters, and provide a way to:
- Track user and application access
- Identify abnormal behavior and anomalies
- Proactively monitor and resolve security risks
Confluent Cloud audit logs provide a way to capture, protect, and preserve Kafka authentication actions, authorization actions, and organization operations into topics in Standard, Enterprise, and Dedicated clusters. Specifically, audit logs record the runtime decisions of the permission checks that occur as users and service accounts connect to clusters and attempt to take actions that are protected by ACLs or RBAC. Audit logs also track organization operations to create, delete, and modify Confluent Cloud resources, such as API keys, Kafka clusters, user accounts, service accounts, single sign-on (SSO) connections, and connectors.
Each auditable event record includes information about who tried to do what, when they tried, and whether or not the system gave permission to proceed. Auditable event messages are emitted at the time of event occurrence; however, short delays or gaps during operational maintenance are possible, although rare.
Within Confluent Cloud, all audit log messages from your clusters are retained for seven days on an independent cluster. Users cannot modify, delete, nor produce messages directly to the audit log topic, and to consume the messages, users must have an API key specific to the audit log cluster.
Auditable events¶
Confluent Cloud audit logs capture event records from auditable event methods for the following event categories. For details on the auditable event methods, click the event category name.
Kafka cluster event categories¶
| Event category | Event type | Resource type |
|---|---|---|
| Kafka cluster authentication | io.confluent.kafka.server/authentication |
n/a |
| Kafka cluster authorization | io.confluent.kafka.server/authorization |
Topic, Cluster, Group |
| RBAC | io.confluent.kafka.server/authorization |
Environment, CloudApiKey, SecurityMetadata, Billing |
Organization authorization event categories¶
Event type: io.confluent.cloud/authorization
| Event category | Resource type |
|---|---|
| IP filter | ORGANIZATION |
Organization event categories¶
Event type: io.confluent.cloud/request
| Event category | Resource type |
|---|---|
| API key | API_KEY |
| MarketPlace Entitlement | MARKETPLACE_ENTITLEMENT |
| Billing | ORGANIZATION |
| Sign-in attempt | ORGANIZATION |
| Service account | ORGANIZATION |
| User account | USER |
| User Invitation | USER_INVITATION |
| Role-based access control (RBAC) | CLOUD_CLUSTER |
| Single Sign-on (SSO) connection | SSO_CONNECTION |
| Identity provider (OAuth/OIDC) | IDENTITY_PROVIDER |
| Identity pool (OAuth/OIDC) | IDENTITY_POOL |
| Environment | ENVIRONMENT |
| Schema Registry cluster | SCHEMA_REGISTRY |
| Kafka cluster | KAFKA_CLUSTER |
| ksqlDB cluster | KSQL_CLUSTER |
| Connector | CONNECTOR |
| Network | NETWORK |
| Peering connection | PEERING |
| Private link access | PRIVATE_LINK_ACCESS |
| Transit gateway attachment | ENVIRONMENT |
| Pipeline (for Stream Designer) | PIPELINE |
Note
Users may attempt to authorize a task solely to find out if they can perform the task, and not follow through with it. In these instances, the authorization is still captured in the audit log.
confluent-audit-log-events topic¶
All Confluent Cloud audit log messages are captured in the audit log topic,
confluent-audit-log-events.
The following example shows an authentication event that was sent when service
account 306343 used the API key MAIDSRFG53RXYTKR to connect to the
Kafka cluster lkc-6k8r8q:
{
"id": "29ca0e51-fdcd-44bd-a393-43193432b614",
"source": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authentication",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"time": "2020-12-28T22:41:43.395Z",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"methodName": "kafka.Authentication",
"resourceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"authenticationInfo": {
"principal": "User:306343",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
}
}
}
See also: Audit Log Event Schema.