Auditing Control Plane activity

Auditing collects or logs evidence of activity in a system so that auditors can track and analyze it to answer questions such as: Who made a change to the system? When did the change happen? What exactly changed? Why was the change authorized?

Control Plane auditing is based on the concept of an audit event. An audit event is a record of an audited action, typically a change to the system that is important enough to keep a record of. Some read-only actions are also audited, because it can be important to know who was able to see information in the system, not just who could alter it.

Control Plane auditing is scoped to actions that occur within the CDP Control Plane. Audit events are not collected from workload clusters; in fact, many Control Plane audit events are collected without the need for any workload clusters to exist.

The auditing system initially stores generated audit events in a database managed by the cloud provider. After a set period of time, the audit logs are exported to customer-managed storage in the customer's own cloud provider.

Audit records are kept in the system for a maximum of six months. After the six-month period, the records are removed from CDP's internal storage regardless of their archive status. If archiving is enabled and access to the destination is lost, the archiving process retries any records that have not yet been archived until access is restored or the six-month limit is reached; records that reach the limit before access is restored are removed without ever having been archived. Auto-archiving can be enabled or disabled as necessary. When archiving is re-enabled after having been disabled, all records that have not yet been archived are archived regardless of their age. Pull-based audit archiving can be used while automatic archiving is disabled.
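The following Python model illustrates the retention and retry behaviour described above, in particular what happens when the archive destination stays unreachable for longer than the retention limit. It is an added example, not CDP's implementation; the six-month limit is approximated as 182 days, and the record ids, dates and `ArchiveStore` class are constructed for the scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=182)  # assumption: the page's "six months" taken as 182 days


@dataclass
class AuditRecord:
    record_id: str
    created: datetime
    archived: bool = False


@dataclass
class ArchiveStore:
    """Constructed stand-in for customer-managed storage; `reachable` simulates lost access."""
    reachable: bool = True
    received: list = field(default_factory=list)

    def put(self, rec: AuditRecord) -> None:
        if not self.reachable:
            raise ConnectionError("archive destination unreachable")
        self.received.append(rec.record_id)


def archive_cycle(records, store, now, archiving_enabled):
    """One scheduled pass: archive every unarchived record (regardless of age), then purge
    anything older than RETENTION regardless of archive status.
    Returns the ids purged without ever being archived, i.e. the data-loss case."""
    if archiving_enabled:
        for rec in records:
            if not rec.archived:
                try:
                    store.put(rec)
                    rec.archived = True
                except ConnectionError:
                    break  # leave the rest unarchived; retried on the next cycle
    lost = [r.record_id for r in records if not r.archived and now - r.created >= RETENTION]
    records[:] = [r for r in records if now - r.created < RETENTION]
    return lost


def simulate_outage():
    """Constructed scenario: destination unreachable past the retention limit, then restored."""
    t0 = datetime(2024, 1, 1)
    records = [AuditRecord("evt-1", t0), AuditRecord("evt-2", t0 + timedelta(days=100))]
    store = ArchiveStore(reachable=False)
    archive_cycle(records, store, t0 + timedelta(days=30), True)          # retry, nothing lost yet
    lost = archive_cycle(records, store, t0 + timedelta(days=183), True)  # evt-1 ages out unarchived
    store.reachable = True
    archive_cycle(records, store, t0 + timedelta(days=184), True)         # evt-2 archived on restore
    return {"lost": lost, "archived": store.received}
```

The takeaway for operators is that an outage of the archive destination longer than the retention window silently drops the oldest unarchived records, so destination reachability should be monitored.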