Auditing Control Plane activity

Auditing is used to collect or log evidence of activity in a system that auditors can use to both track and analyze to answer questions such as: Who made a change to the system? When did a change happen? What exactly changed? Why was a change authorized?

Control Plane auditing is based on the concept of an audit event. An audit event is a record of an audited action which is typically a change in the system that is important enough to keep a record of. However, even some read-only actions are audited, because it might be important to know who was able to see information in the system, and not just who could alter it.

Control Plane auditing is scoped to actions that occur within the CDP Control Plane. Audit events are not collected from workload clusters; in fact, many Control Plane audit events are collected without the need for any workload clusters to exist.

The auditing system initially stores generated audit events into a cloud provider managed database. After a specific amount of time, audit logs are exported to customer-managed storage, in their own cloud provider.