Setting up audit archiving in AWS

After you set up a credential for audit event archiving, you need to configure CDP.

Archiving configuration includes the following fields.

Field name        General description                                          AWS value
storage location  Where in cloud storage to save audit events                  S3 bucket name
credential        Name of the credential to use when writing to cloud storage  Credential name as saved in the control plane
enabled           A Boolean indicating whether archiving is enabled            true
storage region    Region where storage services should be accessed             AWS region, for example us-west-2

Create the credential for audit event archiving before configuring archiving itself. The credential is not tied to any environment; like the control plane itself, it exists outside of all environments. The role or permissions behind the credential need only write access to the storage location, including the ability to create files and folders. Read and delete permissions are not needed and should not be granted, so that the credential cannot be used to read or remove archived events.

The storage region is the region in which the audit service (the control plane) accesses the cloud provider's storage service. For best results, use the region where the control plane is running (for AWS-hosted audit archives, use the home region for the bucket). The storage region does not have to match the region in which the storage location itself was created.

To call the API endpoint for configuring archiving, use a command line like the following, which includes all of the required options.
cdp audit configure-archiving \
  --storage-location <bucket-name> \
  --credential-name myauditcredential \
  --storage-region <home-region>
The configuration is applied to the account of the caller.
You can include the following options:
  • To disable archiving while retaining the rest of the configuration, use the --no-enabled option instead of the --enabled option.
  • To verify that the archiving configuration works without saving it, use the --verify-only option. The audit service attempts to archive a test audit event to the storage location using the credential, so a wrong bucket, region, or missing write permission is caught before the configuration is applied.
  • To retrieve the current archiving configuration, use the following command, which has no required options:
    cdp audit get-archiving-config
The archiving configuration for the account of the caller is returned.
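The following shell script is added here as a worked example and is not taken from the CDP documentation. It ties the steps on this page together: it emits a write-only S3 permissions policy for the role behind the audit credential (the s3:PutObject-only action list is my minimal reading of "write access to the storage location", not a list published by Cloudera; check against the CDP documentation for your release), sanity-checks the region name, runs the configure call with --verify-only before applying it, and reads the result back. The cdp commands and options are the ones shown above; the file name audit-archive-policy.json and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the CDP documentation). Assumptions are marked inline.
set -eu

# Emit a least-privilege S3 permissions policy for the role behind the audit
# credential. The role may create objects under the storage location but not
# read, list or delete them, so a leaked credential cannot read or tamper with
# the archive. Assumption: s3:PutObject alone is enough; S3 "folders" are just
# key prefixes, so no extra action is needed to create them. If the storage
# location is "bucket/prefix", the resource ARN is scoped to that prefix.
audit_archive_policy() {
    location=$1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CdpAuditArchiveWriteOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::${location}/*"
    }
  ]
}
EOF
}

# Reject an obviously malformed AWS region name (e.g. "uswest2") before calling
# the API; a valid name looks like us-west-2 or ap-southeast-1.
valid_region() {
    case $1 in
        [a-z][a-z]-[a-z]*-[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify first (the audit service writes a test event to the bucket with the
# credential), apply only if that succeeded, then read the stored configuration
# back. Commands and options are the ones documented on this page; their output
# is shown to the operator rather than parsed, since its format is not
# documented here.
configure_audit_archiving() {
    location=$1; credential=$2; region=$3
    valid_region "$region" || { echo "invalid region: $region" >&2; return 1; }
    cdp audit configure-archiving \
        --storage-location "$location" \
        --credential-name "$credential" \
        --storage-region "$region" \
        --verify-only
    cdp audit configure-archiving \
        --storage-location "$location" \
        --credential-name "$credential" \
        --storage-region "$region" \
        --enabled
    cdp audit get-archiving-config
}

# Usage: sh audit-archiving.sh <bucket-name> <credential-name> <home-region>
# With no arguments the script only defines the functions above.
if [ "$#" -eq 3 ]; then
    audit_archive_policy "$1" > audit-archive-policy.json
    echo "wrote audit-archive-policy.json; attach it to the role behind credential $2" >&2
    configure_audit_archiving "$1" "$2" "$3"
fi
```

The policy is written to a file rather than attached automatically because the cross-account role is created when the credential is set up, before this page's steps; review the generated policy and attach it to that role, then run the script with the three arguments. Because the verify-only call runs first under set -e, a failed test write stops the script before anything is saved.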