Auditing activity
Overview
Cloud.gov records every action taken on organizations and spaces as events, helping you meet Audit and Accountability (AU) requirements under NIST SP 800‑53 Rev 5 and support continuous monitoring per FedRAMP and OMB guidance. These logs capture over 75 event types, such as user role changes, route updates, and service operations, and include the timestamp, actor, and action details. You can view events via the Cloud.gov dashboard or export them through the cf CLI and Cloud Foundry Events API.
Prerequisites
Before you begin auditing events, ensure you have:
- Roles: Org Manager or Org Auditor in your Cloud.gov organization.
- Tools:
  - Cloud.gov Dashboard access
  - cf CLI (see Getting Started guide)
  - jq for JSON parsing
- Permissions:
  - API access token via cf login with sufficient scopes to call /v3/events
Process / Steps
1. View Events in the Dashboard
- Sign in to the Cloud.gov Dashboard.
- Select Cloud Foundry in the left nav.
- Choose your Organization, then:
  - Users tab to view current roles.
  - Events tab to see recent audit events.
Tip: Dashboard events are scoped to the selected organization. Global events (e.g., logins) won’t appear here.
2. List Events via CLI
All examples use the Events API endpoint (/v3/events). Set your org GUID once:
export ORG_GUID=$(cf org YOUR-ORG --guid)
2.1. All Events (JSON)
cf curl "/v3/events?q=organization_guid:$ORG_GUID"
2.2. User Access Changes (JSON)
Filter for role changes:
export AUDIT_TYPES="audit.user.space_developer_add,audit.user.space_developer_remove,audit.user.space_auditor_add,audit.user.space_auditor_remove,audit.user.space_manager_add,audit.user.space_manager_remove"
cf curl "/v3/events?q=type+IN+$AUDIT_TYPES&q=organization_guid:$ORG_GUID"
2.3. User Access Changes (CSV)
Convert JSON to CSV for compliance teams:
cf curl "/v3/events?q=type+IN+$AUDIT_TYPES&q=organization_guid:$ORG_GUID" \
| jq -r '.resources[].entity | [.timestamp, .actor_username, .type, .metadata.request.name] | @csv' \
| sed 's/"//g'
This outputs rows like:
Timestamp | User | Action Type | Target User |
---|---|---|---|
2025-02-05T19:36:19Z | sandbox-bot | audit.user.space_manager_add | user.name@example.gov |
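
An added example (not Cloud.gov's own code) for the role-change export in sections 2.2 and 2.3: it writes the same four columns as CSV with quoting intact, then replays add and remove events to list grants that were never revoked within the export. It assumes the saved JSON has the `.resources[].entity` shape the jq filter above reads; the function names and the sample events are constructed for illustration.

```python
import csv, io, json, sys
# Role-change event types from the AUDIT_TYPES list in section 2.2.
ROLES = ("space_developer", "space_auditor", "space_manager")
ROLE_TYPES = {f"audit.user.{r}_{op}" for r in ROLES for op in ("add", "remove")}

def role_rows(doc):
    """(timestamp, actor, type, target) tuples for role changes, oldest first."""
    rows = []
    for res in doc.get("resources", []):
        e = res.get("entity") or {}
        if e.get("type") in ROLE_TYPES:
            req = (e.get("metadata") or {}).get("request") or {}
            rows.append((e.get("timestamp") or "", e.get("actor_username") or "",
                         e["type"], req.get("name") or ""))
    return sorted(rows)  # same-format UTC timestamps sort chronologically

def to_csv(rows):
    """CSV via the csv module: quoting stays, so a comma cannot shift columns."""
    buf = io.StringIO()
    header = ("Timestamp", "User", "Action Type", "Target User")
    csv.writer(buf, lineterminator="\n").writerows([header, *rows])
    return buf.getvalue()

def outstanding_grants(rows):
    """Replay adds/removes; grants not revoked in this export, by (user, role)."""
    held = {}
    for ts, actor, etype, target in rows:
        role, op = etype[len("audit.user."):].rsplit("_", 1)
        if op == "add":
            held[(target, role)] = (ts, actor)
        else:
            held.pop((target, role), None)
    return held

def _ev(ts, actor, etype, target):  # helper for the constructed sample below
    return {"entity": {"timestamp": ts, "actor_username": actor, "type": etype,
                       "metadata": {"request": {"name": target}}}}
# Constructed sample events (not real Cloud.gov output), deliberately unordered.
SAMPLE = {"resources": [
    _ev("2025-02-07T09:00:00Z", "mgr@example.gov", "audit.user.space_developer_remove", "dev@example.gov"),
    _ev("2025-02-05T19:36:19Z", "sandbox-bot", "audit.user.space_manager_add", "user.name@example.gov"),
    _ev("2025-02-06T08:00:00Z", "mgr@example.gov", "audit.user.space_developer_add", "dev@example.gov"),
    _ev("2025-02-06T08:05:00Z", "mgr@example.gov", "audit.route.update", "myapproute"),
]}

if __name__ == "__main__":
    rows = role_rows(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE)
    print(to_csv(rows), end="")
    for (target, role), (ts, actor) in outstanding_grants(rows).items():
        print(f"still granted: {target} {role} (by {actor} at {ts})")
```

Pass a file of saved `cf curl` output as the first argument to run it on real data. The Cloud Foundry API paginates list results, so an export that stops at the first page under-reports, and the replay only sees grants and removals inside the exported window.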
3. Common Event Filters
3.1. Route Changes (CSV)
export AUDIT_TYPES="audit.route.create,audit.route.delete-request,audit.route.update"
cf curl "/v3/events?q=type+IN+$AUDIT_TYPES&q=organization_guid:$ORG_GUID" \
| jq -r '.resources[].entity | [.timestamp, .actor_username, .type, .actee_name, .metadata.request.app] | @csv' \
| sed 's/"//g'
Timestamp | User | Action Type | Route | App GUID |
---|---|---|---|---|
2025-02-05T19:36:19Z | user.name@example.gov | audit.route.update | myapproute | 7950afc2-dd7b-4a70-80a0-8f7207fd1382 |
3.2. Service Instance Events (CSV)
export AUDIT_TYPES="audit.service_instance.create,audit.service_instance.bind_route,audit.service_instance.update,audit.service_instance.unbind_route,audit.service_instance.delete"
cf curl "/v3/events?q=type+IN+$AUDIT_TYPES&q=organization_guid:$ORG_GUID" \
| jq -r '.resources[].entity | [.timestamp, .actor_username, .type, .actee_name] | @csv' \
| sed 's/"//g'
Timestamp | User | Action Type | Service Name |
---|---|---|---|
2025-02-05T19:36:19Z | user.name@example.gov | audit.service_instance.create | my-service-name |
3.3. Service Bindings (CSV)
export AUDIT_TYPES="audit.service_binding.create,audit.service_binding.delete"
cf curl "/v3/events?q=type+IN+$AUDIT_TYPES&q=organization_guid:$ORG_GUID" \
| jq -r '.resources[].entity | [.timestamp, .actor_username, .type, .metadata.request.relationships.app.data.guid, .metadata.request.relationships.service_instance.data.guid] | @csv' \
| sed 's/"//g'
Timestamp | User | Action Type | App GUID | Service GUID |
---|---|---|---|---|
2025-02-05T19:36:19Z | sandbox-bot | audit.service_binding.create | d613b9a4-a536-47d2-8aa5-b7360c5e2f21 | 7950afc2-dd7b-4a70-80a0-8f7207fd1382 |
3.4. Full Service Events (JSON)
export AUDIT_TYPES="audit.service.create,audit.service.delete,audit.service.update,audit.service_binding.create,audit.service_binding.delete,audit.service_instance.create,audit.service_instance.delete,audit.service_instance.unbind_route,audit.service_instance.update"
cf curl "/v3/events?q=type+IN+$AUDIT_TYPES&q=organization_guid:$ORG_GUID"
FAQs
Q: How long are event logs retained? A: Cloud.gov retains relevant security event logs in line with OMB Memorandum M-21-31 requirements: 12 months of active storage and 18 additional months of long-term storage.
Q: Can I view login events? A: Login (authentication) events are global and not scoped to an organization. Use your identity provider’s audit logs (e.g., Okta, PIV) for login details.
Q: How do these logs support continuous monitoring? A: By exporting events regularly, per FedRAMP, you can automate compliance checks, anomaly detection, and reporting to meet OMB Memorandum M-21-31 requirements.