Audit Log
The Arthur platform has the ability to produce an audit log of all calls to sensitive endpoints that include models, organizations, RBAC, and uploading / modifying data.
Event Format
Each event in the audit log has the following fields:
| Field | Type | Notes |
|---|---|---|
| event_category | string | A description of the overarching category for this event. See the table below for a breakdown of the various categories. |
| event_type | string | An explanation of what kind of event occurred within the event_category. See the table below for a breakdown of the various types. |
| event_id | string | A unique ID for this event, currently in UUID format but this may change in the future. |
| timestamp | [string, int] | A timestamp in either Unix Epoch millisecond integer format or RFC 3339 string format, depending on the point of integration. |
| organization_id | [string, null] | A string UUID of the organization if there is one associated with the event. |
| model_id | [string, null] | A string UUID of the model if there is one associated with the event. |
| user_id | [string, null] | A string ID of the user if there is one associated with the event. |
| user_type | [string, null] | A string description of the kind of user if there is one associated with the event. This can be one of: service-account, arthur-managed, or idp-managed. |
| http_path | [string, null] | A string HTTP path of the request that triggered the event if one exists. |
| http_method | [string, null] | A string HTTP method of the request that triggered the event if one exists. |
| http_status_code | [int, null] | An integer HTTP status code of the request that triggered the event if one exists. |
Logged Endpoints
When enabled, Audit Logging will track all requests made to the following endpoints and set the Event Category and Event Type respectively in the audit log events.
| Endpoint | Method | Event Category | Event Type |
|---|---|---|---|
| /organizations | POST | events.arthur.ai/organization | created |
| /organizations/{organization_id} | DELETE | events.arthur.ai/organization | deleted |
| /models | POST | events.arthur.ai/model | created |
| /models/{model_id} | PUT | events.arthur.ai/model | updated |
| /models/{model_id} | DELETE | events.arthur.ai/model | deleted |
| /alerts/{alert_id}/notifications | POST | events.arthur.ai/alert | created |
| /models/{model_id}/inferences | POST | events.arthur.ai/ingestion | inference_data_received |
| /models/{model_id}/inferences | PATCH | events.arthur.ai/ingestion | ground_truth_data_received |
| /models/{model_id}/inferences/file | POST | events.arthur.ai/ingestion | inference_data_received |
| /models/{model_id}/reference_data | POST | events.arthur.ai/ingestion | reference_data_received |
| /models/{model_id}/batches/{batch_id} | PATCH | events.arthur.ai/ingestion | inference_data_batch_completed |
| /models/{model_id}/reference_data | PATCH | events.arthur.ai/ingestion | reference_data_upload_completed |
| /models/{model_id}/metrics | POST | events.arthur.ai/metrics | created |
| /models/{model_id}/metrics/{metric_id} | PUT | events.arthur.ai/metrics | updated |
| /models/{model_id}/metrics/{metric_id} | DELETE | events.arthur.ai/metrics | deleted |
| /authorization/custom_roles | POST | events.arthur.ai/rbac | updated |
| /authorization/custom_roles | DELETE | events.arthur.ai/rbac | updated |
A more thorough description of these endpoints is available at our API Documentation.
Integration with EventBridge
The on-prem installation provides support for shipping the Audit Log to AWS EventBridge. To configure this, you will need the following:
- Bus Name: Required. The name of the EventBridge bus. This should not be the full ARN of the bus.
- Region: Required. This is the AWS region where your EventBridge bus is located.
- Source: Optional. This value will be added to the EventBridge events "source" for all events. This defaults to "arthur-audit-log".
- Detail Type: Optional. This value will be added to the EventBridge events "detail-type" for all events. This defaults to "events.arthur.ai."
An example of the events that are written to EventBridge looks like the following (this was captured via an EventBridge to CloudWatch Log Group rule and target):
{
"version": "0",
"id": "b87f2a3a-6be1-e1d9-bc94-720d60e0a9d8",
"detail-type": "events.arthur.ai",
"source": "arthur-audit-log",
"account": "1234567890",
"time": "2022-07-21T22:07:00Z",
"region": "us-east-2",
"resources": [],
"detail": {
"event_type": "created",
"event_category": "events.arthur.ai/model",
"event_id": "da2ec82d-f581-4e72-bb66-fc82504f2a7e",
"timestamp": "2022-07-21T22:06:59.683+0000",
"organization_id": "d579359a-7259-4397-a08b-3e36c212350f",
"model_id": "a950c9ad-6a1e-4042-8e47-461d13072da5",
"user_id": "df3fe374-26d7-4bd8-bf62-e04a6e078e2b",
"user_type": "arthur-managed",
"http_path": "/api/v3/models",
"http_method": "POST",
"http_status_code": 200
}
}
Configuration
The EventBridge integration can be enabled on the Admin Console Config Page by:
- Checking "Show Other Advanced Options" under the Other Advanced Options section
- After that is checked, a new section will appear called "Audit Logging"
- Check "Enable Audit Log"
- Next, a choice of persistence methods appears. Choose "AWS EventBridge"
- Fill out the "Bus Name," "Region," "Event Source," and "Detail Type" fields that appear.
- Click "Save config" and deploy the updated version
Required IAM Permissions
To send events to AWS EventBridge, the Arthur IAM credentials or role will require the events:PutEvents permission. Here is an example policy that grants that permission on an EventBridge bus called arthur-events in the us-east-2 region, in the 0123456789 AWS account.
{
"Statement": [
{
"Action": "events:PutEvents",
"Effect": "Allow",
"Resource": "arn:aws:events:us-east-2:0123456789:event-bus/arthur-events",
"Sid": ""
}
],
"Version": "2012-10-17"
}
Updated 5 months ago