Yandex Audit Trails overview

Yandex Audit Trails allows you to collect management event audit logs and data event audit logs for Yandex Cloud resources and upload them to a Object Storage bucket, Data Streams stream, or Cloud Logging log group:

• Uploading audit logs to a bucket.
• Uploading audit logs to Cloud Logging.
• Uploading audit logs to a data stream.

Collecting audit logs enables you to use analytical tools and promptly respond to Yandex Cloud events:

• Searching for events in audit logs.
• Exporting audit logs to SIEM systems.
• Alert settings in Yandex Monitoring.

The following management events are logged:

• Logins by federated users
• Creating or deleting service accounts
• Creating/deleting keys of service accounts
• Editing user roles and service accounts
• Creating/deleting resources
• Editing resource settings
• Stopping/restarting a resource
• Changing access policies
• Creating/editing security groups
• Actions with encryption keys and secrets

Current service limitsCurrent service limits

The audit log does not capture authentication errors. For example, if a user makes an API call without an IAM token, this information will not be included in the audit logs.

The log captures authorization errors. For example, if a user attempts to create a resource without sufficient privileges, the log will include an error message.

The service has quotas and limits.

If you upload audit logs to a log group or a data stream, make sure their size is both within the Audit Trails limits and the Yandex Cloud Logging and Yandex Data Streams limits. If the limits are exceeded, information in event audit logs that are large in size will be incomplete.

When uploading to Cloud Logging, you may get duplicate events in a log group. To find duplicates, refer to the unique record ID, json_payload.event_id.

We also recommend uploading audit logs to the Object Storage bucket.