Yandex Audit Trails overview
Yandex Audit Trails allows you to collect management event audit logs and data event audit logs for Yandex Cloud resources and upload them to an Object Storage bucket, a Data Streams stream, or a Cloud Logging log group:
- Uploading audit logs to a bucket.
- Uploading audit logs to Cloud Logging.
- Uploading audit logs to a data stream.
Collecting audit logs enables you to use analytical tools and promptly respond to Yandex Cloud events:
- Searching audit logs in a bucket.
- Searching audit logs in a log group.
- Exporting audit logs to SIEM systems.
- Alert settings in Yandex Monitoring.
The following management events are logged:
- Logins by federated users
- Creating/deleting service accounts
- Creating/deleting keys of service accounts
- Editing user roles and service accounts
- Creating/deleting resources
- Editing resource settings
- Stopping/restarting a resource
- Changing access policies
- Creating/editing security groups
- Actions with encryption keys and secrets
Current service limits
The audit log does not capture authentication errors. For example, if a user makes an API call without an IAM token, this information will not be included in the audit logs.
The log captures authorization errors. For example, if a user attempts to create a resource without sufficient privileges, the log will include an error message.
The service has quotas and limits.
If you upload audit logs to a log group or a data stream, make sure the size of each event record is within both the Audit Trails limits and the Yandex Cloud Logging or Yandex Data Streams limits. If a limit is exceeded, large event records will be delivered incomplete.
When uploading to Cloud Logging, you may get duplicate events in a log group. To find out whether an event in a log group is a duplicate, compare the unique ID in the json_payload.event_id field of the records.
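The duplicate check described above, as an added example that is not part of the Yandex documentation: it walks a batch of log group records (constructed samples in the shape of Cloud Logging entries; only the json_payload.event_id field name comes from this page, the other fields are illustrative) and keeps the first record per event ID, counting duplicates and records that carry no ID at all.

```python
import json

# Constructed sample records. Real Cloud Logging entries written by a trail
# carry more fields; only json_payload.event_id matters for the check.
SAMPLE_LOG_GROUP_RECORDS = [
    {"timestamp": "2024-01-01T10:00:00Z", "json_payload": {"event_id": "evt-001"}},
    {"timestamp": "2024-01-01T10:00:01Z", "json_payload": {"event_id": "evt-002"}},
    {"timestamp": "2024-01-01T10:00:05Z", "json_payload": {"event_id": "evt-001"}},  # redelivered copy
    {"timestamp": "2024-01-01T10:00:06Z", "json_payload": {}},  # no event_id: cannot be matched
]


def dedupe_by_event_id(records):
    """Drop records whose json_payload.event_id was already seen.

    Returns (unique_records, duplicate_count, missing_id_count). Records
    without an event_id are kept, because there is nothing to match them on,
    but they are counted so an operator can see the gap.
    """
    seen = set()
    unique = []
    duplicates = 0
    missing_id = 0
    for rec in records:
        payload = rec.get("json_payload") or {}
        event_id = payload.get("event_id")
        if event_id is None:
            missing_id += 1
            unique.append(rec)
            continue
        if event_id in seen:
            duplicates += 1
            continue
        seen.add(event_id)
        unique.append(rec)
    return unique, duplicates, missing_id


def dedupe_json_lines(text):
    """Same check over newline-delimited JSON (one log record per line),
    the shape you get when a log group is exported to a file."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return dedupe_by_event_id(records)


if __name__ == "__main__":
    unique, dups, missing = dedupe_by_event_id(SAMPLE_LOG_GROUP_RECORDS)
    print(f"kept {len(unique)} records, dropped {dups} duplicate(s), {missing} without event_id")
```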
We also recommend uploading audit logs to an Object Storage bucket as well.
Note
The retention period of audit logs in a trail with the Error status is limited. There is no guarantee that logs older than 28 days will be delivered once the trail returns to the Active status.