Setting up audit archiving in AWS using the CLI

After you set up a credential for audit event archiving, you need to configure CDP. This process is not necessary if you used the UI to create the audit archiving credential and configure the data storage location.

Archiving configuration includes the following fields.
Field name General description Details
storage location Where in cloud storage to save audit events S3 bucket name. Use only the bucket name and not the "s3://" prefix or any sub-folders.
credential Name of the credential to use when writing to cloud storage credential name as saved in the control plane
enabled A Boolean indicating whether archiving is enabled true
storage region Region where storage services should be accessed AWS region, e.g., us-west-2

Create the credential for audit event archiving before configuring archiving itself. The credential is not tied to an environment, and exists outside of any environment, like the control plane itself. The associated role / permissions require write access to the storage location, including the ability to create files and folders.

The storage region is the region where the audit service (the control plane) accesses the cloud provider's storage service. For best results, this should be the same as the region where the control plane is running. Ideally, the bucket should be created in the same region.

Required Role: PowerUser

  1. To call the API endpoint for configuring archiving, run the cdp audit configure-archiving command. To begin, include the optional --verify-only flag, which the service uses to first verify that the configuration works:
    cdp audit configure-archiving \
      --storage-location <$MYBUCKET> \
      --credential-name myauditcredential \
      --storage-region <$HOME_REGION>
      --enabled
      --verify-only

    For the credential-name parameter, use the CRN of the credential that you noted when you set up the credential for audit event archiving.

    If successful, the command will archive a test audit event to the container.

  2. Run cdp audit configure-archiving again, omitting the --verify-only option, to apply the configuration to the account of the caller.
    cdp audit configure-archiving \
      --storage-location <$MYBUCKET> \
      --credential-name myauditcredential \
      --storage-region <$HOME_REGION>
      --enabled
    
    The command returns the archiving configuration for the account of the caller.
    You can also include the following options:
    • To disable archiving while retaining the other configuration information, use the --no-enabled option instead of the --enabled option.
    • To retrieve the current archiving configuration, use a command like the following (there are no required options):
      cdp audit get-archiving-config