HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Configure HCP Vault Dedicated audit log streaming to Amazon CloudWatch

Availability

HCP Vault Dedicated audit logs streaming is available for all production grade clusters. The feature is not available for Development tier clusters.

Prerequisites

To configure audit logs streaming to Amazon CloudWatch, you will need to have:

Configure AWS

To configure HCP Vault Dedicated audit log streaming to Amazon CloudWatch, you must provide an access and secret key for an IAM user assigned permission to CloudWatch.

Create IAM policy

  1. Log in to the AWS Management Console and navigate to the IAM Dashboard.

  2. Click Policies, then click Create policy.

  3. Click the JSON tab and paste the IAM policy into the Policy editor textbox overwriting any sample text.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HCPLogStreaming",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:TagLogGroup"
            ],
            "Resource": "*"
        }
    ]
}

  4. Click Next.

  5. Enter hcp-vault-log-streaming in the Policy name textbox and click Create policy.

Create IAM user

  1. From the IAM Dashboard, click Users.

  2. Click Add users.

  3. Enter hcp-vault-log-streaming in the User name textbox and click Next.

  4. Click the Attach policies directly radio button.

  5. Search for the hcp-vault-log-streaming policy, click the checkbox, and click Next.

    Note

    This document has you attach the policy directly to the IAM user for ease of following the documentation.

    The recommended practice is to create an IAM group, attach the policy to the group, and add the user to the group.

  6. Click Create user.

  7. Click the hcp-vault-log-streaming user in the Users list.

  8. Click the Security credentials tab and click Create access key.

  9. Select Application running outside AWS and click Next.

  10. Click Create access key.

  11. Securely store the Access key and Secret access key values - you will need this to configure audit log streaming in the HCP Portal.

Enable audit logs streaming

  1. Log in to the HCP Portal and navigate to the Vault clusters page.

  2. Click the Vault cluster you wish to enable streaming for and click Audit Logs.

  3. Click Enable log Streaming.

  4. From the Enable audit logs streaming view, select Amazon CloudWatch as the provider and click Next.

  5. Under Add provider details, enter the Access key ID and Secret access key created in the Create IAM user section, then select the Region that matches your existing CloudWatch environment.

  6. Click Save.

    Note

    At this time, HCP Vault Dedicated only supports audit logs streaming to one log endpoint at a time.

Refer to the CloudWatch documentation for details on log exploration.

Example Terraform configuration (optional)

Refer to the Terraform Registry hcp_vault_cluster documentation for more information.

resource "hcp_vault_cluster" "example" {
  cluster_id = "vault-cluster"
  hvn_id     = hcp_hvn.example.hvn_id
  tier       = "standard_large"
  audit_log_config {
    cloudwatch_access_key_id = "actual-access-key-id"
    cloudwatch_secret_access_key = "actual-secret-access-key"
    cloudwatch_region = "countrycode-region-#"
  }
}

Edit the audit log streaming configuration (optional)

To edit a audit log streaming integration, perform the following steps.

  1. From the Audit Logs page, click on the Manage drop-down, then Edit configuration.

  2. Edit the configuration, then click Save.

Disable audit log streaming (optional)

To disable a audit log streaming integration, from the Audit Logs page, click on the Manage drop-down, then Disable streaming.

Edit this page on GitHub