Setting up audit archiving in AWS

After you set up a credential for audit event archiving, you need to configure CDP.

Archiving configuration includes the following fields.

  Field name        General description                                          AWS
  storage location  Where in cloud storage to save audit events                  S3 bucket name
  credential        Name of the credential to use when writing to cloud storage  Credential name as saved in the control plane
  enabled           A Boolean indicating whether archiving is enabled            true
  storage region    Region where storage services should be accessed             AWS region, e.g., us-west-2

Create the credential for audit event archiving before configuring archiving itself. The credential is not tied to any environment; like the control plane itself, it exists outside of all environments. The role or permissions behind it need only write access to the storage location (the ability to create files and folders there); follow least privilege and grant no read, list or delete access that archiving does not require.

The storage region is the region in which the audit service (the control plane) calls the cloud provider's storage service. For best results it should be the region where the control plane is running; for AWS-hosted audit archives, pass the control plane's home region as the storage region. It does not have to match the region of the bucket itself.

  1. To call the API endpoint for configuring archiving, run the cdp audit configure-archiving command. Start with the optional --verify-only flag, which makes the service check that the configuration works (that it can write to the bucket with the named credential) before anything is saved. MYBUCKET and HOME_REGION below are shell variables holding the bucket name and the storage region:
    cdp audit configure-archiving \
      --storage-location "$MYBUCKET" \
      --credential-name myauditcredential \
      --storage-region "$HOME_REGION" \
      --enabled \
      --verify-only

    For the credential-name parameter, use the CRN of the credential that you noted when you set up the credential for audit event archiving.

  2. Run cdp audit configure-archiving again, omitting the --verify-only option, to apply the configuration to the account of the caller.
    cdp audit configure-archiving \
      --storage-location "$MYBUCKET" \
      --credential-name myauditcredential \
      --storage-region "$HOME_REGION" \
      --enabled

    The command returns the archiving configuration for the account of the caller.
    You can also include the following options:
    • To disable archiving while retaining the other configuration information, use the --no-enabled option instead of the --enabled option.
    • To retrieve the current archiving configuration, use a command like the following (there are no required options):
      cdp audit get-archiving-config
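The two steps above, scripted so that the configuration is applied only if the --verify-only call succeeds, together with a write-only IAM policy for the archive bucket. This is an added example, not Cloudera's code and not part of the original page. It assumes the cdp CLI is on PATH; that "write access" comes down to s3:PutObject on the bucket's objects (the page does not list the exact S3 actions the service needs, so check this against your own testing); and that a DRY_RUN variable, invented for this example, lets the command lines be rehearsed without calling the API. The bucket name, prefix and region used in the example run are constructed values.

```shell
#!/bin/sh
# Added example (not Cloudera's code): least-privilege policy for the audit
# archive bucket plus the verify-then-apply sequence from the steps above.
# Assumptions: the cdp CLI is on PATH; "write access" is taken to mean
# s3:PutObject on the bucket's objects, since the page does not list the
# exact S3 actions; DRY_RUN is a variable invented for this example.
set -eu

# Emit an IAM policy that allows only object creation under BUCKET/PREFIX,
# for attachment to the IAM role behind the CDP credential. No read, list
# or delete rights: the archive writer should not be able to read back or
# remove what it has written.
audit_archive_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CdpAuditArchiveWriteOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::$1/${2:-}*"
    }
  ]
}
EOF
}

# Sanity checks before touching the API. S3 bucket names are 3-63 characters
# of lowercase letters, digits, dots and hyphens; AWS regions look like
# us-west-2 or us-gov-west-1.
valid_bucket() { printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'; }
valid_region() { printf '%s' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]$'; }

# Run the cdp CLI, or with DRY_RUN=1 just print the command line.
run_cdp() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'cdp %s\n' "$*"
  else
    cdp "$@"
  fi
}

# Step 1 verifies the configuration (--verify-only); step 2 applies it only
# if the verification succeeded, because set -e aborts on the first failure.
# The final call reads the configuration back so the result can be checked.
configure_audit_archiving() {
  bucket=$1; credential=$2; region=$3
  valid_bucket "$bucket" || { echo "invalid S3 bucket name: $bucket" >&2; return 1; }
  valid_region "$region" || { echo "invalid AWS region: $region" >&2; return 1; }
  run_cdp audit configure-archiving \
    --storage-location "$bucket" \
    --credential-name "$credential" \
    --storage-region "$region" \
    --enabled \
    --verify-only
  run_cdp audit configure-archiving \
    --storage-location "$bucket" \
    --credential-name "$credential" \
    --storage-region "$region" \
    --enabled
  run_cdp audit get-archiving-config
}

# Example run (constructed values): print the policy, then rehearse the calls.
audit_archive_policy "${MYBUCKET:-my-audit-bucket}" "cdp-audit/"
DRY_RUN=1 configure_audit_archiving "${MYBUCKET:-my-audit-bucket}" myauditcredential "${HOME_REGION:-us-west-2}"
```

Attach the emitted policy to the IAM role behind the CDP credential before running the configure step. Rehearse with DRY_RUN=1 to see the exact command lines, then run without it; because the script stops at the first non-zero exit, a failed --verify-only call means the configuration is never applied, and the trailing get-archiving-config call shows what the control plane actually stored.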