Security & Compliance: Scenario-Based Questions
91. How do you design a secure and scalable audit logging system?
Audit logs provide a tamper-resistant trail of user actions and system events. They're essential for compliance (SOC 2, HIPAA, PCI), incident forensics, and trust, and must be designed with integrity and scale in mind.
What to Log
- User logins, privilege changes, data access
- Admin operations (e.g., deletes, permission grants)
- System events like restarts or policy changes
Security Considerations
- Make logs append-only: no edits or deletions
- Use encryption at rest and in transit
- Apply digital signatures or hashing for tamper detection
- Restrict write access: no direct developer access
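As an added example (not code from the original page), a minimal append-only audit log in Python that hash-chains each entry to the previous one and HMAC-signs it, so an edited field, a deleted or reordered entry, or an entry written without the key is detected on verification. The key, field names and trace_id layout are assumptions for the demo; in production the key would live in a KMS/HSM.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production it lives in a KMS/HSM; writers use it
# only at append time, and no developer account can read it.
SIGNING_KEY = b"demo-key-do-not-use-in-production"
GENESIS = "0" * 64  # prev_hash pointer of the first entry

def _canonical(event: dict) -> bytes:
    # Canonical JSON so an event always serialises to the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_entry(chain: list, actor: str, action: str, target: str,
                 trace_id: str, ts=None) -> dict:
    """Append a signed, hash-chained entry (seq + prev_hash link) and return it."""
    event = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action, "target": target,
        "trace_id": trace_id,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    body = _canonical(event)
    entry = dict(event,
                 entry_hash=hashlib.sha256(body).hexdigest(),
                 mac=hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest())
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry).
    Catches edited fields, deleted or reordered entries, and entries whose
    MAC was not produced with SIGNING_KEY."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        event = {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}
        body = _canonical(event)
        expected_mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
        if (event.get("seq") != i or event.get("prev_hash") != prev
                or hashlib.sha256(body).hexdigest() != entry.get("entry_hash")
                or not hmac.compare_digest(expected_mac, entry.get("mac", ""))):
            return False, i
        prev = entry["entry_hash"]
    return True, -1
```

The verifier needs only read access to the log plus the key, so it can run from a separate, more trusted account than the services that write entries.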
Architecture Options
- Log collector agents (e.g., Fluent Bit, Filebeat)
- Write to Kafka, then to S3/Data Lake for durability
- Use cloud-native options (CloudTrail, Audit Logs, etc.)
Querying & Retention
- Ship logs to queryable systems (e.g., OpenSearch, BigQuery)
- Index common fields (actor, timestamp, action)
- Apply tiered retention (e.g., hot for 7 days, cold for 1 year+)
Best Practices
- Ensure clock sync (NTP) for accurate timestamps
- Tag logs with trace IDs for correlation
- Alert on high-risk actions (e.g., mass deletions)
- Review logs regularly during security audits
Common Pitfalls
- Logging sensitive data (e.g., passwords, tokens)
- Missing logs for "silent" privilege escalations
- Logs stored without redundancy or immutability
Final Insight
Audit logs are not just a checkbox; they're a security feature. A well-designed system captures what matters, preserves it safely, and surfaces insights when you need them most.
