Audit Log#

The Arthur platform has the ability to produce an audit log of all calls to sensitive endpoints that include models, organizations, RBAC, and uploading / modifying data.

Event Format#

Each event in the audit log has the following fields:

Field

Type

Notes

event_category

string

A description of the overarching category for this event. See the table below for a breakdown of the various categories.

event_type

string

An explanation of what kind of event occurred within the event_category. See the table below for a breakdown of the various types.

event_id

string

A unique ID for this event, currently in UUID format but this may change in the future.

timestamp

[string, int]

A timestamp in either Unix Epoch millisecond integer format or RFC 3339 string format, depending on the point of integration.

organization_id

[string, null]

A string UUID of the organization if there is one associated with the event.

model_id

[string, null]

A string UUID of the model if there is one associated with the event.

user_id

[string, null]

A string ID of the user if there is one associated with the event.

user_type

[string, null]

A string description of the kind of user if there is one associated with the event. This can be one of: service-account, arthur-managed, or idp-managed.

http_path

[string, null]

A string HTTP path of the request that triggered the event if one exists.

http_method

[string, null]

A string HTTP method of the request that triggered the event if one exists.

http_status_code

[int, null]

An integer HTTP status code of the request that triggered the event if one exists.

Logged Endpoints#

When enabled, Audit Logging will track all requests made to the following endpoints and set the Event Category and Event Type respectively in the audit log events.

Endpoint

Method

Event Category

Event Type

/organizations

POST

events.arthur.ai/organization

created

/organizations/{organization_id}

DELETE

events.arthur.ai/organization

deleted

/models

POST

events.arthur.ai/model

created

/models/{model_id}

PUT

events.arthur.ai/model

updated

/models/{model_id}

DELETE

events.arthur.ai/model

deleted

/alerts/{alert_id}/notifications

POST

events.arthur.ai/alert

created

/models/{model_id}/inferences

POST

events.arthur.ai/ingestion

inference_data_received

/models/{model_id}/inferences

PATCH

events.arthur.ai/ingestion

ground_truth_data_received

/models/{model_id}/inferences/file

POST

events.arthur.ai/ingestion

inference_data_received

/models/{model_id}/reference_data

POST

events.arthur.ai/ingestion

reference_data_received

/models/{model_id}/batches/{batch_id}

PATCH

events.arthur.ai/ingestion

inference_data_batch_completed

/models/{model_id}/reference_data

PATCH

events.arthur.ai/ingestion

reference_data_upload_completed

/authorization/custom_roles

POST

events.arthur.ai/rbac

updated

/authorization/custom_roles

DELETE

events.arthur.ai/rbac

updated

A more thorough description of these endpoints is available at our API documentation.

Integration with EventBridge#

The on-prem installation provides support for shipping the Audit Log to AWS EventBridge. In order to configure this, you will need the following:

  • Bus Name: Required. The name of the EventBridge bus. This should not be the full ARN of the bus.

  • Region: Required. This is the AWS region where your EventBridge bus is located.

  • Source: Optional. This value will be added to the EventBridge events “source” for all events. This defaults to “arthur-audit-log”.

  • Detail Type: Optional. This value will be added to the EventBridge events “detail-type” for all events. This defaults to “events.arthur.ai”.

An example of the events that are written to EventBridge look like the following (this was captured via an EventBridge to CloudWatch Log Group rule and target):

{
    "version": "0",
    "id": "b87f2a3a-6be1-e1d9-bc94-720d60e0a9d8",
    "detail-type": "events.arthur.ai",
    "source": "arthur-audit-log",
    "account": "1234567890",
    "time": "2022-07-21T22:07:00Z",
    "region": "us-east-2",
    "resources": [],
    "detail": {
        "event_type": "created",
        "event_category": "events.arthur.ai/model",
        "event_id": "da2ec82d-f581-4e72-bb66-fc82504f2a7e",
        "timestamp": "2022-07-21T22:06:59.683+0000",
        "organization_id": "d579359a-7259-4397-a08b-3e36c212350f",
        "model_id": "a950c9ad-6a1e-4042-8e47-461d13072da5",
        "user_id": "df3fe374-26d7-4bd8-bf62-e04a6e078e2b",
        "user_type": "arthur-managed",
        "http_path": "/api/v3/models",
        "http_method": "POST",
        "http_status_code": 200
    }
}

Configuration#

The EventBridge integration can be enabled on the Admin Console Config Page by:

  1. Checking “Show Other Advanced Options” under the Other Advanced Options section

  2. After that is checked, a new section will appear called “Audit Logging”

  3. Check “Enable Audit Log”

  4. Next a choice of persistence methods appears. Choose “AWS EventBridge”

  5. Fill out the “Bus Name”, “Region”, “Event Source”, and “Detail Type” fields that appear.

  6. Click “Save config” and deploy the updated version

Required IAM Permissions#

In order to send events to AWS EventBridge, the Arthur IAM credentials or role will require the events:PutEvents permission. Here is an example policy that grants that permission on a EventBridge bus called arthur-events in the us-east-2 region, in the 0123456789 AWS account.

{
    "Statement": [
        {
            "Action": "events:PutEvents",
            "Effect": "Allow",
            "Resource": "arn:aws:events:us-east-2:0123456789:event-bus/arthur-events",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}