HCP audit log streaming
Warning
HCP audit log streaming is currently in beta. This documentation supports testing and development scenarios. Do not use this feature in secure production environments.
This topic details HashiCorp Cloud Platform’s (HCP) unified audit log streaming capabilities and the process to enable audit log streaming for HCP platform and product events.
Introduction
Audit logs are a record of system events and corresponding identification data that are typically collected for security compliance measures or to aid in an incident response.
HashiCorp Cloud Platform (HCP) produces audit logs when an organization’s users interact with the overall HCP platform. Events for the individual HCP products also produce HCP audit logs.
HashiCorp Cloud Platform (HCP) produces two types of audit logs that you can access:
- Platform audit logs track an organization’s interactions with the overall HCP platform, including when users sign in and create projects.
- Product audit logs track an organization’s interactions with the individual HCP products.
This beta introduces a new resource in HashiCorp’s official HCP Terraform provider, hcp_log_streaming_destination. This resource enables you to stream an organization’s HCP audit logs to an external security information and event management (SIEM) provider, such as Splunk or AWS Cloudwatch, where you can review them.
Prior to this beta, platform audit logs were not directly accessible by HCP users. Product audit logs are available for each HCP product separately.
Requirements
The following software and provider versions are required to use this feature:
- Terraform v1.1.5 or later. For the best experience, we recommend using the latest release.
- HashiCorp Cloud Platform (HCP) Provider version 0.83.0 or higher
You must also configure the HCP provider to authenticate using an organizational-level service principal and service principal key. Refer to the Authenticate with HCP guide in the Terraform registry for more information.
Workflow
The workflow to enable audit log streaming from HCP depends on your external SIEM provider. For AWS Cloudwatch, the steps are:
- Create an AWS IAM role that HCP assumes to stream to your Cloudwatch account.
- Add an inline policy to the role with the required permissions.
- Configure the hcp_log_streaming_destination resource in Terraform.
- Update your infrastructure with Terraform.
To view the audit logs in AWS, go to the Cloudwatch service page. Click Log groups and then select /hashicorp/hcp/audit-logs/. Audit log entries appear in Cloudwatch after they occur on the HCP platform.
Start audit log streaming
Create an IAM role for the audit logs with Terraform
To enable audit log streaming to Cloudwatch, you must create an IAM role in your AWS account that allows HashiCorp to stream audit logs to your account’s Cloudwatch service. You can create a role and attach a policy manually in the AWS Console, or you can create the resources with Terraform.
To create the role and policy with Terraform, add the following resources to your configuration:
Note
The following example uses "hcp-log-stream" as the external ID. To keep your audit logs secure in production environments, we recommend using a custom string for the external ID instead of "hcp-log-stream".
resource "aws_iam_role" "cloudwatch_hcp_audit_logs" {
name = "cloudwatch-hcp-audit-logs"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::711430482607:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "hcp-log-stream"
}
}
}
]
}
EOF
}
resource "aws_iam_role_policy" "hcp_log_streaming_policy" {
name = "hcp_log_streaming_policy"
role = aws_iam_role.cloudwatch_hcp_audit_logs.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "HCPLogStreaming",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": "*"
}
]
}
EOF
}
Run the following command to target these resources and apply them to your infrastructure with Terraform:
$ terraform apply -target "aws_iam_role.cloudwatch_hcp_audit_logs" -target "aws_iam_role_policy.hcp_log_streaming_policy"
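The inline policy above grants every CloudWatch Logs action on Resource "*", and the trust policy uses the documented example external ID. The following Python is an added example, not HashiCorp's code: it generates the two policy documents with the write actions limited to the one audit-log group (plus its streams) and a random external ID, and it lints a trust and permission policy for the two weaknesses. The account ID "111111111111", the region and the helper names are placeholders; the HCP account "711430482607" is the principal from the trust policy on this page. logs:DescribeLogGroups is an account-wide list operation, so it keeps Resource "*".

```python
"""Added example (not HashiCorp's code): generate and lint the IAM policy documents for
the HCP audit-log streaming role. Account IDs and the log group name are placeholders."""
import json
import secrets

HCP_STREAMING_ACCOUNT = "711430482607"  # AWS account in the trust policy on this page
DEFAULT_EXTERNAL_ID = "hcp-log-stream"  # documented example value; do not ship it
WRITE_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream",
                 "logs:DescribeLogStreams", "logs:PutLogEvents"]


def new_external_id() -> str:
    """A random 32-hex-character external ID to use instead of the documented default."""
    return secrets.token_hex(16)


def log_group_arn(region: str, account_id: str, log_group_name: str) -> str:
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"


def trust_policy(external_id: str) -> dict:
    """Only HCP's account may assume the role, and only when it presents our external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{HCP_STREAMING_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def streaming_policy(region: str, account_id: str, log_group_name: str) -> dict:
    """Same actions as the page's policy, but write actions are limited to one log group
    and its streams. DescribeLogGroups lists groups account-wide, so it keeps '*'."""
    arn = log_group_arn(region, account_id, log_group_name)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "HCPLogStreamingList", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
        {"Sid": "HCPLogStreamingWrite", "Effect": "Allow",
         "Action": WRITE_ACTIONS, "Resource": [arn, f"{arn}:*"]},
    ]}


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict) -> list:
    """Findings for a trust policy intended for HCP log streaming (empty list means OK)."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append("AssumeRole is open to any AWS principal")
        elif any(HCP_STREAMING_ACCOUNT not in p for p in principals):
            findings.append("AssumeRole trusts an account other than HCP's")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("AssumeRole has no sts:ExternalId condition (confused-deputy risk)")
        elif ext == DEFAULT_EXTERNAL_ID:
            findings.append("external ID is the documented default")
    return findings


def check_streaming_policy(doc: dict) -> list:
    """Flag statements that grant CloudWatch Logs write actions on Resource '*'."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if "*" in _as_list(stmt.get("Resource")) and any(a != "logs:DescribeLogGroups" for a in actions):
            findings.append(f"{stmt.get('Sid', '<no Sid>')} grants write actions on Resource '*'")
    return findings


if __name__ == "__main__":
    ext_id = new_external_id()
    print(json.dumps(trust_policy(ext_id), indent=2))
    print(json.dumps(streaming_policy("us-east-1", "111111111111", "/hashicorp/hcp/audit-logs/"), indent=2))
```

Feed the generated documents to the assume_role_policy and policy arguments above with jsonencode, or run the two check functions in CI against the rendered policies; the external ID you generate must be the same string you later set in hcp_log_streaming_destination.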
Configure the hcp_log_streaming_destination resource
For your HCP organization, configure the hcp_log_streaming_destination resource with the ARN of the role you created and your external ID. If the log group you specify does not exist, HCP creates it (using the logs:CreateLogGroup permission granted to the role) when the first log event streams to Cloudwatch.
The following example demonstrates how to configure this resource:
resource "hcp_log_streaming_destination" "aws_cloudwatch" {
name = "<cloudwatch-prod>"
cloudwatch = {
external_id = "hcp-log-stream"
region = "us-east-1"
role_arn = "arn:aws:iam::111111111111:role/cloudwatch-hcp-audit-logs"
log_group_name = "/hashicorp/hcp/audit-logs/"
}
}
For more information about how to use role ARNs and log groups, refer to IAM identifiers and Working with log groups and streams in the AWS documentation.
Update your infrastructure with Terraform
After you configure the resource, run terraform apply to update your deployment. To target the resources you just created, run the following command:
$ terraform apply -target "aws_iam_role.cloudwatch_hcp_audit_logs" -target "aws_iam_role_policy.hcp_log_streaming_policy" -target "hcp_log_streaming_destination.aws_cloudwatch"
To view the audit logs, go to the Cloudwatch AWS service page. Click Log groups. Click /hashicorp/hcp/audit-logs/, and then click the log stream. Logs appear after you generate them.
Log events
After you update your HCP infrastructure with Terraform, the following events that generate audit logs in HCP stream to your external SIEM provider:
- HCP Boundary administration events:
  - Create cluster
  - Update cluster
  - Delete cluster
- Platform identity events:
  - Sign up for new users
  - Sign in for existing users
    - MFA authentication success
    - Successful login
  - Password reset for accounts
  - Revoke HCP Portal active sessions by user principal
  - Remove user from HCP Organization
  - User joins HCP Organization
  - Sign in failure to HCP
    - Bad password
    - Bad MFA
  - MFA enabled
  - MFA disabled
- HCP Project deletion
Constraints and limitations
Be aware of the following technical constraints and limitations in the beta release for HCP audit log streaming:
- HCP audit log streaming supports platform and HCP Boundary events. Additional product support is not available in this release.
- You must authenticate to HCP with an organization-level service principal. Authentication with a project-level service principal results in an error.
- HCP does not process the audit log queue synchronously. It attempts to deliver each log for up to seven days, with exponential backoff that increases the time between attempts over that period.
- If the destination's credentials (the IAM role and external ID in this beta, or a token or API key for another provider) are invalid or lack the required permissions, HCP does not store the logs it is unable to stream. Events generated while the destination is misconfigured are not replayed; streaming begins only after valid credentials are applied through the Terraform provider, so verify delivery in Cloudwatch right after the first apply.
Payload examples
Refer to the following sections for examples of the audit logs generated by product and platform events.
HCP Boundary event payload example
When a user interacts with the Boundary Admin UI through HCP (in this example, listing sessions in the global scope), it generates an audit log that contains the following information.
{
"cluster_id": "boundary-cluster-test",
"data": {
"auth": {
"auth_token_id": "",
"email": "[REDACTED]",
"grants_info": {},
"name": "[REDACTED]",
"user_info": {
"id": "u_recovery"
}
},
"id": "e_LM2Og3ZWhe",
"request": {
"details": {
"recursive": true,
"scope_id": "global"
}
},
"request_info": {
"client_ip": "10.10.0.222",
"id": "gtraceid_6daQ2ZnwHEZwYNtAqmfW",
"method": "GET",
"path": "/v1/sessions?recursive=true&scope_id=global"
},
"response": {
"details": {},
"status_code": 200
},
"timestamp": "2024-01-18T19:48:28.819219731Z",
"type": "APIRequest",
"version": "v0.1"
},
"datacontentype": "application/cloudevents",
"hcp_product": "boundary",
"id": "7YdpvNxqFn",
"organization_id": "067acbc1-ed49-4dc2-9fcb-6b4aff713469",
"project_id": "98a0dcc3-5473-4e4d-a28e-6c343c498530",
"serialized": "...",
"serialized_hmac": "hmac-sha256:u2pUHrsbNO2X6cs6PRwhdzgyyF0xUW8FIv8PbNG1E-c",
"source": "https://hashicorp.com/boundary/0c7786313b19/controller",
"specversion": "1.0",
"time": "2024-01-18T19:48:28.819235464Z",
"type": "audit"
}
Platform user authentication payload example
When a user signs in to HCP, it generates an audit log that contains the following information.
{
"request_info": {
"http_verb": "GET",
"http_path": "/consent/complete"
},
"principal": {
"user": {
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com"
}
},
"authentication_info": {
"principal": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"type": "PRINCIPAL_TYPE_USER",
"user": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com",
"subject": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
}
}
},
"metadata": {
"email": "jane.doe@company.com",
"event_type": "hcp_id_auth_success",
"ip": "69.323.323.201",
"message": "Authenticated successfully",
"timestamp": "2024-01-18 19:50:55 +0000 UTC",
"user_id": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
},
"operation_info": {},
"description": "Authenticated successfully",
"action": "CREATE",
"status_code": "OK"
}
Platform project deletion payload example
When a user deletes a project from HCP, it generates an audit log that contains the following information.
{
"request_info": {
"http_verb": "DELETE",
"http_path": "/resource-manager/2019-12-10/projects/c666065a-b21e-489c-8045-a79d3802fb64",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"http_client_ip": "69.323.323.201"
},
"principal": {
"user": {
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com"
}
},
"authentication_info": {
"principal": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"type": "PRINCIPAL_TYPE_USER",
"user": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com",
"identity_type": "EMAIL_PASSWORD",
"subject": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
},
"group_ids": [
"iam.group:w7NkwCwBmdWH88f8mQqR"
]
}
},
"authorization_info": [
{
"permissions": [
"resource-manager.projects.update"
],
"organization_id": "067acbc1-ed49-4dc2-9fcb-6b4aff713469",
"project_id": "c666065a-b21e-489c-8045-a79d3802fb64"
}
],
"operation_info": {
"operation_id": "937d1354-6fc2-4cbf-8f94-03a1b82bcd8d"
},
"description": "Deleted project",
"action": "DELETE",
"status_code": "OK"
}
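The two payload shapes above (a CloudEvents envelope carrying the product's own event under data for Boundary, and a flat document with request_info, authentication_info and metadata for platform events) need to be flattened before a SIEM can correlate them. The following Python is an added example, not HashiCorp's code: it normalizes both shapes into one record and runs a few detection rules over them, covering the "HCP Project deletion" event from the Log events list, a Boundary request made as u_recovery (the user ID Boundary assigns to the recovery-KMS workflow, which is emergency access and should be rare), and a client-IP allowlist. The sample events are abbreviated copies of the page's payloads; the deletion event's client IP is replaced with an RFC 5737 documentation address, and the allowlist is a placeholder. Note that the platform sample's IP "69.323.323.201" is not a valid IPv4 address (two octets exceed 255), so the example treats an unparsable IP as a finding rather than a crash.

```python
"""Added example (not HashiCorp's code): normalize the two HCP audit-log shapes shown on
this page into one record and run a few detection rules over them."""
import ipaddress
from typing import Optional, Union

# Abbreviated copies of the page's payload examples (fields the parser does not use are dropped).
BOUNDARY_EVENT = {
    "specversion": "1.0", "type": "audit", "hcp_product": "boundary", "id": "7YdpvNxqFn",
    "time": "2024-01-18T19:48:28.819235464Z",
    "data": {
        "type": "APIRequest",
        "auth": {"user_info": {"id": "u_recovery"}},
        "request_info": {"client_ip": "10.10.0.222", "method": "GET",
                         "path": "/v1/sessions?recursive=true&scope_id=global"},
        "response": {"status_code": 200},
    },
}
PLATFORM_AUTH_EVENT = {
    "request_info": {"http_verb": "GET", "http_path": "/consent/complete"},
    "authentication_info": {"principal": {"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
                                          "type": "PRINCIPAL_TYPE_USER"}},
    "metadata": {"event_type": "hcp_id_auth_success", "ip": "69.323.323.201",
                 "timestamp": "2024-01-18 19:50:55 +0000 UTC"},
    "action": "CREATE", "status_code": "OK",
}
# Same as the page's deletion example, but with a documentation address as the client IP.
PLATFORM_DELETE_EVENT = {
    "request_info": {"http_verb": "DELETE",
                     "http_path": "/resource-manager/2019-12-10/projects/c666065a-b21e-489c-8045-a79d3802fb64",
                     "http_client_ip": "198.51.100.23"},
    "authentication_info": {"principal": {"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
                                          "type": "PRINCIPAL_TYPE_USER"}},
    "action": "DELETE", "status_code": "OK",
}
# Placeholder allowlist: the ranges your users and automation are expected to come from.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def normalize(event: dict) -> dict:
    """Map either payload shape onto one record with the same keys."""
    if event.get("specversion") and "hcp_product" in event:
        # Product audit log: CloudEvents envelope, product event under "data".
        data = event["data"]
        req = data.get("request_info", {})
        return {
            "product": event["hcp_product"],
            "principal": data.get("auth", {}).get("user_info", {}).get("id", ""),
            "action": f"{req.get('method')} {req.get('path')}",
            "status": data.get("response", {}).get("status_code"),
            "ip": req.get("client_ip"),
            "time": event.get("time"),
            "event_type": data.get("type"),
        }
    # Platform audit log: flat document; the IP lives in request_info or in metadata.
    req = event.get("request_info", {})
    meta = event.get("metadata", {})
    return {
        "product": "platform",
        "principal": event.get("authentication_info", {}).get("principal", {}).get("id", ""),
        "action": f"{req.get('http_verb')} {req.get('http_path')}",
        "status": event.get("status_code"),
        "ip": req.get("http_client_ip") or meta.get("ip"),
        "time": meta.get("timestamp"),
        "event_type": meta.get("event_type", event.get("action")),
    }


def parse_ip(value) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    """Return an address object, or None when the field is missing or not a valid IP."""
    try:
        return ipaddress.ip_address(value)
    except (TypeError, ValueError):
        return None


def detect(rec: dict, trusted_nets=TRUSTED_NETS) -> list:
    """Detection rules over a normalized record; returns the names of the rules that fire."""
    alerts = []
    verb, _, path = rec["action"].partition(" ")
    if (rec["product"] == "platform" and verb == "DELETE" and "/resource-manager/" in path
            and "/projects/" in path and rec["status"] == "OK"):
        alerts.append("hcp_project_deleted")
    if rec["product"] == "boundary" and rec["principal"] == "u_recovery":
        alerts.append("boundary_recovery_user_request")  # recovery-KMS access: should be rare
    ip = parse_ip(rec["ip"])
    if ip is None:
        alerts.append("client_ip_unparsable")  # bad or missing IP is a finding, not a crash
    elif not any(ip in net for net in trusted_nets):
        alerts.append("client_ip_outside_allowlist")
    return alerts


def run(events) -> list:
    """Normalize and evaluate each event; returns (principal, alerts) pairs in input order."""
    return [(normalize(e)["principal"], detect(normalize(e))) for e in events]


if __name__ == "__main__":
    for principal, alerts in run([BOUNDARY_EVENT, PLATFORM_AUTH_EVENT, PLATFORM_DELETE_EVENT]):
        print(principal, alerts)
```

Because platform and product events carry no shared event-ID scheme, the normalized principal ID (the HCP user UUID, or the Boundary user ID) is what you key on when correlating a platform sign-in with the product actions that follow it.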