Audit log streaming

HCP Boundary supports near real-time streaming of audit events to existing customer managed accounts of supported providers. Audit events capture all create, list, update, and delete operations performed by an authenticated Boundary client (Desktop, CLI, or the browser-based admin UI) on any of the following Boundary resources:

Sessions
Scopes
Workers
Credential stores, credential libraries, credentials
Auth methods, roles, managed groups, groups, users, accounts, grants
Host catalogs, host sets, host, targets

The captured data includes the user ID of the user performing the operation, the timestamp, and the full request and response payloads.

Audit logs allow administrators to track user activity and enable security teams to ensure compliance in accordance with regulatory requirements.

The documentation outlines the steps required to enable and configure audit log streaming to the supported providers AWS CloudWatch and Datadog. You can stream logs to one account at a time.

Configure streaming with AWS CloudWatch

To configure audit log streaming with AWS CloudWatch, you must create an IAM role that HCP Boundary can use to send logs to AWS CloudWatch. Below are the steps to create the IAM role with necessary configuration.

Create IAM policy

Launch AWS Management Console and navigate to IAM > Policies, and click Create policy.

Choose JSON and enter the following policy in the policy editor.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HCPLogStreaming",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:TagLogGroup"
      ],
      "Resource": "*"
    }
  ]
}

Click Next.
Enter a name for the new policy, for example, hcp-log-streaming.
Click Create policy to create the IAM policy.

Configure the IAM role

Before you create a new IAM role, get the HashiCorp generated external ID from the HCP Portal.

Launch the HCP Portal.
Navigate to Boundary, and select your cluster.
Select Audit logs.
Click Enable log streaming.
Select AWS CloudWatch.
Copy the External ID value. You will need this value during the IAM role creation.

Next, create the IAM role using AWS Management Console or HashiCorp Terraform.

Launch AWS Management Console and navigate to IAM > Roles, and click Create role.
For Trusted entity type, select AWS account.
For An AWS account, select Another AWS account.
Enter 711430482607 in the Account ID field.
Under Options, select Require external ID.
Enter the External ID value you copied from the HCP portal.
Click Next.
Select the policy you created earlier, and click Next to attach the policy to the role.
Click Create role to complete.

Use the following Terraform configuration to create the IAM role necessary to enable audit log streaming.

data "aws_iam_policy_document" "allow_hcp_to_stream_logs" {
 statement {
   effect = "Allow"
   actions = [
     "logs:PutLogEvents",       # To write logs to cloudwatch
     "logs:DescribeLogStreams", # To get the latest sequence token of a log stream
     "logs:DescribeLogGroups",  # To check if a log group already exists
     "logs:CreateLogGroup",     # To create a new log group
     "logs:CreateLogStream"     # To create a new log stream
   ]
   resources = [
     "*"
   ]
 }
}

data "aws_iam_policy_document" "trust_policy" {
 statement {
   sid     = "HCPLogStreaming"
   effect  = "Allow"
   actions = ["sts:AssumeRole"]
   principals {
     identifiers = ["711430482607"]
     type        = "AWS"
   }
   condition {
     test     = "StringEquals"
     variable = "sts:ExternalId"
     values = [
       "<ExternalID-generated-by-Hashicorp>"
     ]
   }
 }
}

resource "aws_iam_role" "role" {
 name               = "hcp-log-streaming"
 description        = "iam role that allows hcp to send logs to cloudwatch logs"
 assume_role_policy = data.aws_iam_policy_document.trust_policy.json
 inline_policy {
   name   = "inline-policy"
   policy = data.aws_iam_policy_document.allow_hcp_to_stream_logs.json
 }
}

Once you have created the IAM role, you can configure the audit log streaming in HCP Boundary.

Launch the HCP Portal.
From the HCP Boundary Overview page, select the Audit logs view.
Click Enable log streaming.
Select AWS CloudWatch.
Under the CloudWatch configuration section, enter your Destination name, and Role ARN.
Select the Region that matches where you want your data stored.
Click Save.

Logs should arrive within your AWS CloudWatch environment in a few minutes after Boundary usage.

HashiCorp dynamically creates the log group and log streams for you. You can find the log group in your AWS CloudWatch with the prefix /hashicorp after setting up your configuration. The log group lets you filter the HashiCorp generated logs separately from other logs you may have in CloudWatch.

Refer to the AWS documentation for details on log exploration.

Configure streaming with Datadog

To configure audit log streaming with Datadog, you will need the following:

The region your Datadog account is in
Your Datadog API key

Complete the following steps:

Launch the HCP Portal.
Navigate to Boundary, and select your cluster.
Select Audit logs.
Click Enable log streaming.
Select Datadog.
Under the Datadog configuration, enter your Destination name and API Key.
Select the Datadog site region that matches your existing Datadog environment.
Click Save

Logs should arrive within your Datadog environment in a few minutes after using Boundary. Refer to the Datadog documentation for details on log exploration.

Test your streaming configuration

During the streaming configuration setup, you can test that the streaming configuration is working within HCP. Testing the configuration can be helpful when you want to verify you entered the correct credentials and other parameters on the configuration page. To test the configuration, enter the parameters for the logging provider you want to test, then click Test connection.

Test Connection button

HCP sends a test message to the logging provider and shares the status of success or failure on the Enable log streaming page.

You can also test the configuration when you update a streaming configuration that you have already configured.

Update your streaming configuration

You can update the configuration of the existing audit log streaming. For example, you may need to rotate a secret used for your logging provider, or you may need to switch from one logging provider to another.

Launch the HCP Portal.
Navigate to Boundary, and select your cluster.
Select Audit logs.
Select Edit streaming configuration under the Manage menu.
You can:
- Select a new provider
- Enter new parameters for the provider
- Test the connection by selecting Test connection
Click Save.

Retention

HCP Boundary stores the audit logs for a minimum of one year within the platform. HCP began archiving audit logs in October of 2022. The logs are available after the deletion of the cluster that created them. Please submit a request to the HashiCorp Help Center if you need access to logs from deleted clusters or have further questions.