Configuring responses in Yandex Cloud Logging and Yandex Cloud Functions
You can configure Cloud Functions to automatically respond to audit log events, e.g., to send messages through notification channels you prefer or automatically modify Yandex Cloud resource settings.
How it works
In general, you will need the following components to configure responses via Cloud Functions:
- Trail that uploads audit logs to a log group.
- Log group that acts as an interface between the trail and a Cloud Functions trigger.
- Yandex Cloud Logging trigger that invokes a function when adding a record to a log group.
- Cloud Functions function that implements the response logic.
- Optional auxiliary component, such as a Telegram bot or mail server.
Implementation example
Yc-security-solutions-library contains a solution example that uses Cloud Functions to notify of specific events via a Telegram bot and modify Yandex Cloud resources in line with changes using API methods.
You can get notifications of the following events:
- Security groups: Allowing incoming traffic to all private addresses (
0.0.0.0/0). - Object Storage: Enabling public access to buckets.
- Yandex Lockbox: Assigning permissions to a secret.
The following actions may be performed on Yandex Cloud resources:
- Security groups: Deleting the rule.
- Yandex Lockbox: Removing assigned permissions to the secret.
Note
Yandex Cloud Security Solution Library is a public repo on GitHub with a set of examples and recommendations on how to build a secure infrastructure in Yandex Cloud.
This solution contains the source codes of a Python function and a Terraform script that configures all the required Yandex Cloud components.
What's next
- Learn more about the audit log format.
- Learn about existing solutions to export audit logs to SIEM.