Audit Logs to AWS S3 Buckets

Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.

Streaming Audit Logs to S3

Here, we walk through how to set up your S3 bucket to receive System Audit Logs logs from Airkit.

  1. Create your S3 Bucket in AWS. When creating the bucket, select ACLs disabled.

  1. After creating your S3 Bucket, provide Airkit permission to your S3 bucket via the following AWS IAM policy.

{{BUCKET-NAME}}: name of the S3 bucket you created

{{aws_region}}: name of the region your organization is provisioned

  • US - us-west-2
  • AP - ap-southeast-2
  • EU - eu-central-1

{{organization_id}}: The ID of your organization. To get your org id, see Getting Application Metadata

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AirkitWritePermission",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:sts::113997530994:assumed-role/airkit-{{aws_region}}-reporting-export-role/{{organization_id}}"
         },
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::{{BUCKET-NAME}}/*"
         ]
      }
   ]
}
  1. In Airkit Console,visit Settings > Logs and App Notifiers. The UI will look as follows:
14801480

Under System Audit Logs > S3 bucket, click edit to set an new S3 bucket, and then insert the S3 bucket name you created previously into the pop-up window that appears:

649649

Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}}

  1. Once configured, every five minutes, Airkit will send relevant Events in a new file to the S3 bucket.

Schema and Examples

The structure of the exported data depends on the type of Event being sent. There is a lot of variation to the data structure depending on the Event type, as the relevant information depends on the Event details.

There are a couple standard fields that are exported with every Audit Log Event:

  • organizationId
  • eventTime
  • eventId
  • type
  • kind - for Audit Log Events, this will always be "Audit"

It is the type field that usually determines what other fields that will be part of the export. For instance, consider the following export where type = app_created:

{
    "organizationId": "482f2a38-8e9d-4329-b2a0-e97d5bc05d36",
    "type": "app_created",
    "eventTime": "2022-11-14T14:50:02.662",
    "appId": "efb19715-9a42-4a04-81c8-a026fa882f94",
    "eventId": "1RRvwLDVfvR7wathILYtnE34XFDm",
    "elevatedOperation": false,
    "kind": "Audit"
}

In addition to the standard fields, this export also contains the fields appId and elevatedOperation, which contain important information pertaining to app creation.

In contrast, consider the following export where type = user_login:

{
    "organizationId": "482f2a38-8e9d-4329-b2a0-e97d5bc05d36",
    "type": "user_login",
    "eventTime": "2022-11-14T21:29:06.062",
    "userId": "32c81dee-db98-4143-8996-888b0b0fc501",
    "eventId": "1RS7LYxhirW8RMtAG5FDB30Psviz",
    "loginType": "org-picker",
    "elevatedOperation": false,
    "kind": "Audit"
}

In addition to the standard fields, this export contains the fields userId, loginType, and elevatedOperation, two of which are relevant to a builder logging into the platform but NOT a builder creating a new app.

Event Types

type has the following possible values:

Event Types
api_key_not_in_group
app_created
app_deployed
app_undeployed
backup_datastore
clone_datastore
created_invite
data_export
data_migration
deleted_adapter
deleted_api_key
deleted_datastore
deleted_domain_certificate
deleted_embed
deleted_encryption_key
deleted_notifier
deleted_resource
deleted_user
deployment_changed
invalid_api_key
invalid_login
invite_sent
modified_adapter
modified_api_key
modified_datastore
modified_domain_certificate
modified_embed
modified_encryption_key
modified_notifier
modified_user_role
new_adapter
new_api_key
new_datastore
new_domain_certificate
new_embed
new_encryption_key
new_notifier
new_resource
new_saml
org_created
password_change
portal_page_view
request_state
saml_assertion_received
searched_all_user
successfully_authenticated
updated_organization_displayname_whitelabelid_type
updated_organization_license_key
user_created
user_locked
user_login
user_logout
user_role_added
user_role_removed
user_root_scope_assigned
user_super_admin_assigned
user_support_admin_assigned
user_support_scope_assigned
viewed_all_organizations
viewed_all_users_in_organization
viewed_filtered_organizations
viewed_licenses_by_org_id
viewed_organization_by_id