Skip to main content
Version: 0.15

Audit trail events

All audit trail events in Common Fate are emitted to an Amazon EventBridge event bus. You can build your own integrations with Common Fate by subscribing to the event bus. Examples of integrations could include custom notification logic, or sending events to a centralised security logging tool.

Event types

The following table summarises the audit trail events emitted by Common Fate. Each event contains a data payload with specific details about what happened.

EventDescription
request.createdAn Access Request was created
request.approvedAn Access Request was approved
request.cancelledAn Access Request was cancelled
request.declinedAn Access Request was declined
grant.createdA workflow was created to grant access to a resource
grant.activatedAccess to a resource was activated
grant.expiredAccess to a resource was deactivated at the expiry time of a request
grant.revokedAccess to a resource was revoked before the expiry time
grant.failedCommon Fate had a problem activating or deactivating the access

Finding the event bus ARN

All events are emitted with a source of commonfate.io/granted. Common Fate uses a custom EventBridge bus, which is included as part of the CloudFormation deployment. To develop your own integrations against the events emitted by Common Fate, you'll need to find the ARN of the event bus. The ARN is listed in the EventBusArn output of the Common Fate CloudFormation stack. You can run gdeploy status to print it to your console, as shown below:

➜ gdeploy status
+--------------------------+-------------------------------------------------------------------+
| OUTPUT PARAMETER | VALUE |
+--------------------------+-------------------------------------------------------------------+
| UserPoolDomain | granted-login-cfdemo.auth.ap-southeast-2.amazoncognito.com |
| CloudFrontDomain | d3s0441cha6x1h.cloudfront.net |
| FrontendDomain | |
| APIURL | https://9e7t7dgus6.execute-api.ap-southeast-2.amazonaws.com/prod/ |
| DynamoDBTable | Granted |
| CognitoClientID | 3dhk5dn6oobh8r5ft6r7834ijg |
| UserPoolID | ap-southeast-2_7UAB8g9AZ |
| S3BucketName | granted-frontendwebappbucketdfdb6ba7-1svhcuc0zft5l |
| CloudFrontDistributionID | E1V3I3M613HH6O |
| EventBusArn | arn:aws:events:ap-southeast-2:616777145260:event-bus/Granted |
| EventBusSource | commonfate.io/granted |
| Region | ap-southeast-2 |
+--------------------------+-------------------------------------------------------------------+
[✔] Your Granted deployment is online

Sending events to your SIEM

A SIEM is a tool which aggregates and analyses security events. You can add a destination to the Common Fate event bus to send audit trail events to your SIEM.

Depending on the capabilities of your SIEM, we recommend following one of three approaches below.

If your SIEM supports Amazon CloudWatch log streams

By default, Common Fate logs all events to an Amazon CloudWatch log group.

If your SIEM can read Amazon CloudWatch log streams, you can connect it directly to the event log group. The ARN of this log group can be found by looking at the EventBusLogGroupName output from the Common Fate CloudFormation stack.

If your SIEM supports REST API events

If your SIEM supports event delivery using a REST API, follow this tutorial to receive events.

Custom integrations

If you need to build custom integration logic to send events to your SIEM, you can add an AWS Lambda destination to the event bus by following this guide.